How to Encrypt Your Files: A Step-by-Step Guide

Learn how to encrypt files on Windows, macOS, and Linux using built-in tools and trusted third-party software. Protect sensitive documents, photos, and backups from unauthorized access.

Passwordly Team
11 min read

Why Encrypt Your Files

Your device contains an enormous amount of sensitive information — tax documents, financial records, personal photos, medical records, work files, saved passwords, and private communications. If your laptop is stolen, your hard drive fails and is sent for repair, or someone gains unauthorized access to your computer, all of that data is exposed.

File encryption transforms readable files into unreadable ciphertext that can only be restored to its original form with the correct key or password. Without encryption, anyone with physical access to your storage device can read your files — regardless of your login password. A login password only prevents booting into your operating system; it doesn't protect the underlying data. An attacker can simply remove the hard drive, connect it to another computer, and browse everything.

Consider these scenarios where file encryption provides critical protection:

  • Laptop theft. Over 2 million laptops are stolen annually in the US alone. Without encryption, the thief has access to everything.
  • Device repair. When you send a device for repair, technicians have full access to your storage.
  • Border crossings. Customs agents in many countries can demand access to devices. Encrypted files protect sensitive business or personal data.
  • Shared computers. In households, offices, or shared spaces, encryption ensures private files stay private.
  • Regulatory compliance. GDPR, HIPAA, PCI DSS, and other regulations require encryption of sensitive data. Failure to encrypt can result in significant fines.
  • Cloud storage breaches. If your cloud provider is breached, pre-encrypted files remain protected.

Types of File Encryption

There are three main approaches to encrypting files, each suited to different needs:

Full-disk encryption (FDE):

  • Encrypts the entire storage drive — operating system, applications, and all data
  • Transparent to the user: you enter a password at boot, then everything works normally
  • Protects against physical theft of the device
  • Examples: BitLocker (Windows), FileVault (macOS), LUKS (Linux)
  • Best for: Protecting entire devices against theft or loss

Volume/container encryption:

  • Creates an encrypted virtual disk (container file) that mounts as a regular drive
  • Only files placed inside the container are encrypted
  • Container can be moved, backed up, or stored in the cloud
  • Examples: VeraCrypt, Cryptomator
  • Best for: Encrypting specific collections of sensitive files, portable encryption

Individual file encryption:

  • Encrypts specific files one at a time
  • Each file requires its own encryption/decryption step
  • Useful for encrypting individual sensitive documents before sharing
  • Examples: 7-Zip (AES-256 encrypted archives), GPG, age
  • Best for: Encrypting files for sharing or email, one-off encryption needs

Most security experts recommend full-disk encryption as a baseline with additional volume or file encryption for sensitive files that need extra protection or that are stored in the cloud.

Encrypting Files on Windows

Windows offers several built-in encryption options:

BitLocker (Windows Pro, Enterprise, Education):

BitLocker provides full-disk encryption using AES-256 (or AES-128). It's the most comprehensive option:

  1. Open Settings → Privacy & Security → Device Encryption (or search for "BitLocker" in the Start menu)
  2. Select the drive you want to encrypt
  3. Choose how to unlock: TPM + PIN is the recommended option (TPM alone is vulnerable to certain attacks)
  4. Choose where to save your recovery key — print it or save to a USB drive, not to your Microsoft account if you want to avoid cloud storage of the key
  5. Choose whether to encrypt the entire drive or only used space (entire drive is more secure for used devices)
  6. Select XTS-AES 256-bit encryption mode for internal drives
  7. Begin encryption — this may take several hours for large drives

Important notes about BitLocker:

  • BitLocker with TPM-only (no PIN) can be bypassed by sophisticated attackers who can sniff the TPM-to-CPU communication. Always use TPM + PIN.
  • Store your recovery key securely — without it, you cannot access your data if you forget the PIN or if the TPM fails.
  • BitLocker is not available on Windows Home. For Home users, consider VeraCrypt or Device Encryption (which is more limited).

Windows Device Encryption: Available on Windows Home and Pro, but requires specific hardware (TPM 2.0, Secure Boot, Modern Standby). Less configurable than BitLocker but provides basic full-disk encryption. Found in Settings → Privacy & Security → Device Encryption.

EFS (Encrypting File System): Encrypts individual files and folders. Available in Windows Pro and above. Right-click a file → Properties → Advanced → Encrypt contents. EFS is tied to your Windows user account — if you reinstall Windows without backing up your EFS certificate, your encrypted files are permanently lost. EFS is generally not recommended compared to BitLocker or VeraCrypt.

Encrypting Files on macOS

macOS provides strong built-in encryption through FileVault:

FileVault (Full-Disk Encryption):

  1. Open System Settings → Privacy & Security → FileVault
  2. Click Turn On FileVault
  3. Choose how to store your recovery key: Create a recovery key and do not use my iCloud account if you want maximum security. Write down the recovery key on paper and store it securely.
  4. Your Mac begins encrypting the drive in the background. The process is transparent — you can continue using your Mac normally.
  5. Encryption typically completes within a few hours.

FileVault notes:

  • Uses XTS-AES-128 encryption, which is more than sufficient for all practical purposes.
  • On Macs with Apple silicon (M1 and later), the storage is always hardware-encrypted. FileVault adds an additional layer of protection by tying encryption to your login password.
  • Performance impact is negligible, especially on Apple silicon Macs with hardware encryption engines.
  • FileVault protects against physical theft — without your login password or recovery key, the data is inaccessible.

Encrypted Disk Images:

For encrypting specific folders or file collections, macOS offers encrypted disk images:

  1. Open Disk Utility (Applications → Utilities → Disk Utility)
  2. File → New Image → Image from Folder (to encrypt an existing folder) or Blank Image (to create an empty encrypted container)
  3. Select 256-bit AES encryption
  4. Choose a strong password
  5. The resulting .dmg file is encrypted — double-click to mount (requires password), then use it like a normal folder

This approach works well for encrypting sensitive project files or documents you want to store securely without encrypting the entire drive.

Encrypting Files on Linux

Linux offers powerful encryption tools, primarily through LUKS and GPG:

LUKS (Linux Unified Key Setup):

LUKS is the standard for full-disk encryption on Linux. Most Linux distributions offer LUKS encryption during installation:

  1. Boot the Linux installer
  2. During the partitioning step, select Encrypt the installation
  3. Enter a strong passphrase — this is what you'll type every time you boot
  4. Complete the installation normally

LUKS uses AES-256 in XTS mode by default. The passphrase protects a master key through a key derivation function (Argon2 or PBKDF2), which makes brute-force attacks extremely slow.
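To make the "passphrase protects a master key" design concrete, here is an added illustration written for this article (it is not code from the Passwordly team or from cryptsetup). It models a LUKS-style header: the volume's data is encrypted under a random master key, and each keyslot stores that master key wrapped under a key derived from a passphrase by a slow KDF. Because the Python standard library has no AES, PBKDF2-HMAC-SHA256 stands in for LUKS2's default Argon2id and an HMAC-SHA256 keystream with an HMAC tag stands in for the AES wrapping; the iteration count, salt size, key size and slot limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration (not from the article or cryptsetup): a simplified LUKS
# header. Data is encrypted under a random master key; each keyslot holds the
# master key wrapped under a passphrase-derived key. PBKDF2 stands in for
# Argon2id and an HMAC keystream + HMAC tag stands in for AES. All constants
# are assumptions for the example.

KDF_ITERATIONS = 100_000   # KDF cost: raising it slows every brute-force guess
SALT_LEN = 16
MASTER_KEY_LEN = 32
MAX_SLOTS = 8              # LUKS1 has 8 keyslots; LUKS2 allows more


def derive_key(passphrase: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a passphrase into a 32-byte wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag fails (wrong passphrase or tampering)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class VolumeHeader:
    """Keyslots that all unlock the same master key, as in a LUKS header."""

    def __init__(self) -> None:
        # Kept in memory for the demo; on disk only the wrapped copies exist.
        self.master_key = os.urandom(MASTER_KEY_LEN)
        self.slots: list = []

    def add_passphrase(self, passphrase: str) -> int:
        """Enrol a passphrase in a free slot; returns the slot index."""
        if len(self.slots) >= MAX_SLOTS:
            raise RuntimeError("no free keyslot")
        salt = os.urandom(SALT_LEN)
        wrapped = wrap(derive_key(passphrase, salt), self.master_key)
        self.slots.append({"salt": salt, "iterations": KDF_ITERATIONS, "wrapped": wrapped})
        return len(self.slots) - 1

    def unlock(self, passphrase: str) -> Optional[bytes]:
        """Try each slot in turn (as cryptsetup does); None means no slot opened."""
        for slot in self.slots:
            key = derive_key(passphrase, slot["salt"], slot["iterations"])
            master_key = unwrap(key, slot["wrapped"])
            if master_key is not None:
                return master_key
        return None

    def revoke_slot(self, index: int) -> None:
        """Removing a passphrase deletes its slot; the data is never re-encrypted."""
        del self.slots[index]


if __name__ == "__main__":
    header = VolumeHeader()
    header.add_passphrase("correct horse battery staple")   # boot passphrase
    header.add_passphrase("recovery-passphrase-on-paper")   # second slot
    print("boot passphrase opens volume:",
          header.unlock("correct horse battery staple") == header.master_key)
    print("wrong passphrase opens volume:", header.unlock("wrong") is not None)
```

Two properties of the real design show up here: adding or revoking a passphrase touches only its keyslot, never the encrypted data, and every wrong guess costs a full KDF run, so the attacker's speed is bounded by the iteration count rather than by how fast AES runs.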

Encrypting individual files with GPG:

GPG (GNU Privacy Guard) is available on virtually all Linux distributions:

To encrypt a file symmetrically (with a password):

  • Run gpg with its symmetric-cipher option (--symmetric, also spelled -c) and pass the file name
  • You'll be prompted for a passphrase
  • An encrypted .gpg file is created next to the original; securely delete the original

To encrypt a file for a specific recipient (using their public key):

  • Run gpg with --encrypt and --recipient followed by the recipient's email address or key ID, then the file name
  • The recipient decrypts with their private key

age — a modern alternative to GPG:

The age tool is a newer, simpler file encryption tool designed to replace GPG for file encryption:

  • Simple interface — generates keys with one command, encrypts with another
  • No configuration or key servers needed
  • Supports both passphrase-based and public-key encryption
  • Available on Linux, macOS, and Windows

Using VeraCrypt for Cross-Platform Encryption

VeraCrypt is the most trusted open-source encryption tool for creating encrypted containers and volumes. It works on Windows, macOS, and Linux, making it ideal for portable encrypted storage.

Creating an encrypted container:

  1. Download VeraCrypt from the official website (veracrypt.fr)
  2. Launch VeraCrypt and click Create Volume
  3. Select Create an encrypted file container
  4. Choose Standard VeraCrypt volume (or Hidden volume for plausible deniability)
  5. Select a location and filename for the container (e.g., "vault.hc")
  6. Choose encryption algorithm: AES is the recommended default. AES-Twofish-Serpent cascaded encryption provides defense-in-depth if you want maximum security.
  7. Specify the container size
  8. Choose a strong password — use Passwordly's password generator to create one with at least 20 characters
  9. Select the filesystem format (NTFS for large files, exFAT for cross-platform compatibility)
  10. Move your mouse randomly within the window to generate entropy, then click Format

Mounting the container:

  1. Open VeraCrypt and select an available drive letter
  2. Click Select File and choose your container
  3. Click Mount and enter your password
  4. The container appears as a regular drive — save files normally
  5. When finished, click Dismount to lock the container

VeraCrypt's strengths:

  • Open-source and independently audited
  • Supports cascaded encryption (AES + Twofish + Serpent)
  • Hidden volumes — a second encrypted volume hidden inside the first, providing plausible deniability under duress
  • Portable mode — can run from a USB drive without installation
  • Cross-platform — the same container works on Windows, macOS, and Linux

Encrypting Files in Cloud Storage

Cloud storage providers like Google Drive, Dropbox, and OneDrive encrypt your files in transit and at rest — but they hold the encryption keys. This means the provider (and anyone who compromises the provider) can access your files.

To truly protect files in the cloud, you need client-side encryption — encrypting before upload:

Cryptomator (recommended for cloud storage):

  • Open-source, audited encryption tool specifically designed for cloud storage
  • Creates an encrypted vault inside your cloud sync folder
  • Files are individually encrypted — only changed files are re-synced (efficient)
  • Transparent integration — vault appears as a virtual drive
  • Available on Windows, macOS, Linux, iOS, and Android

Tresorit (alternative to Boxcryptor):

  • End-to-end encrypted cloud storage service
  • Built-in client-side encryption — no separate tool needed
  • Swiss-based (strong privacy jurisdiction)
  • More expensive than standard cloud storage but includes encryption

Manual approach:

  • Create an encrypted archive (7-Zip with AES-256, or a VeraCrypt container)
  • Upload the archive to your cloud storage
  • Less convenient but works with any cloud provider

Zero-knowledge cloud providers:

  • Proton Drive — E2EE cloud storage from the makers of Proton Mail
  • Tresorit — Swiss-based, E2EE, independently audited
  • Sync.com — Canadian, zero-knowledge encryption

These services handle encryption transparently while ensuring the provider cannot access your data.

File Encryption Best Practices

Encryption is only effective if you follow sound practices:

Use strong passwords or passphrases. Your encryption is only as strong as the password protecting it. Use a generated password of at least 20 characters, or a passphrase of 5+ random words. Check your password strength with our strength checker.

Enable full-disk encryption on all devices. BitLocker on Windows, FileVault on macOS, LUKS on Linux. This should be the baseline for every device.

Encrypt cloud data separately. Don't trust cloud providers with your most sensitive files. Use Cryptomator or similar tools for client-side encryption before uploading.

Securely store recovery keys. Print recovery keys on paper and store them in a physically secure location (safe, safety deposit box). Don't store recovery keys on the same device they protect.

Keep encrypted backups. Your backup copies need the same level of protection as the originals. An unencrypted backup defeats the purpose of encrypting the original.

Don't forget about the originals. After encrypting a file, securely delete the unencrypted original. Standard deletion (even emptying the Recycle Bin) doesn't remove the data — it only marks the space as available. Use a secure deletion tool or, better yet, encrypt entire drives so unencrypted copies never exist. On SSDs, overwrite-based secure deletion tools cannot guarantee the data is gone, because the drive's wear levelling may leave the old copy in place; that is one more reason to prefer full-disk encryption.

Test your recovery process. Periodically verify that you can successfully decrypt your files with your stored passwords or recovery keys. Discovering a problem during a crisis is too late.

Update encryption software. Keep BitLocker, FileVault, VeraCrypt, and other tools updated. Security vulnerabilities in encryption software are rare but critical when they occur.


File encryption transforms your most sensitive data from an open book into an impenetrable vault. The tools are free, built into your operating system, and add minimal friction to your workflow. There is no valid reason, in 2026, to leave your files unencrypted — the only question is which approach best fits your needs.
