File Encryption Tools That Actually Protect Your Data
A friend called me in a panic last month. His laptop -- the one with client contracts, financial records, and personal documents all sitting in unencrypted folders -- had been stolen from his car. He had been meaning to deal with encryption. He just never got around to it. The data on that laptop is now in the hands of a stranger, and there's nothing he can do about it.
This is the article I wish I had sent him before that phone call. Not a deep technical exposition on AES key schedules, but a practical rundown of which tools to actually use, for what purposes, and which common pitfalls to avoid.
VeraCrypt -- The One Security Experts Actually Trust
If you ask a security professional "what should I use to encrypt my files," the answer is almost always VeraCrypt. It's the successor to TrueCrypt (which was discontinued under murky circumstances but had its code audited and largely cleared by independent security researchers), and it's open-source, well-maintained, and uses the same encryption standards that governments and corporations rely on.
What VeraCrypt does is create an encrypted container -- think of it as a locked safe that sits on your hard drive as a single file. You open it with your password, it mounts as a virtual drive, and you can drag files in and out normally. When you're done, you dismount it, and everything inside is locked behind AES-256 encryption. If someone steals your laptop, they see one unreadable file. That's it.
I use VeraCrypt for my most sensitive documents: financial records, legal papers, anything that would cause real problems in the wrong hands. I keep a relatively small container -- maybe 5 gigabytes -- and I only mount it when I actually need something.
The security features go deep enough to be almost paranoid. Hidden volumes within volumes let you have a "decoy" password that opens a harmless container if you're ever forced to reveal your password. The real data is in the hidden one. This sounds like spy movie stuff, but for people in certain professions or certain countries, it's genuinely relevant.
VeraCrypt also supports multiple encryption algorithms beyond AES-256, including Serpent, Twofish, and cascaded combinations (e.g., AES-Twofish-Serpent). While AES-256 is already considered sufficiently quantum-resistant for most purposes, the cascaded options provide additional peace of mind for those who want maximum security.
The downsides: the interface is not friendly. It's not difficult -- the wizard walks you through creating a volume -- but it feels technical. And the single most important rule of VeraCrypt is this: forget your password and your data is gone. Not "call customer support" gone. There is no customer support. The encryption is too strong to break, which is exactly the point. Back up your password somewhere safe.
7-Zip -- The Simplest Encryption That Actually Works
Here's a trick most people don't know: you probably already have access to solid encryption through 7-Zip, the free file archiver. When you create a .7z archive, you can set a password and choose AES-256 encryption. The result is a compressed, encrypted file that anyone can open with 7-Zip or similar tools -- they just need the password.
I use this constantly for sending files. Instead of emailing a sensitive document as an attachment, I 7-Zip it with a password, send the archive, and share the password through a different channel (text message, Signal, whatever). It's not perfect security, but it's dramatically better than an unencrypted email attachment.
The limitation is that 7-Zip encryption is for archives, not for everyday use. You can't just open an encrypted 7-Zip file, edit a document inside, and save it back. You have to extract, edit, and re-archive. For files in transit or long-term storage, it's great. For daily work, look at VeraCrypt.
One tip: always use the .7z format, not .zip, when encrypting. The .zip format supports weaker encryption methods, and some tools default to them. .7z with AES-256 is consistent and reliable. You should also use a strong password -- at least 16 characters with a mix of upper/lower case, numbers, and symbols. The encryption is only as strong as the password protecting it.
BitLocker -- The Built-In Option for Windows Users
If you're running Windows Pro or Enterprise (not Home), BitLocker is already on your computer. It's Microsoft's full-disk encryption, and it's genuinely good. Turn it on, set a password, and your entire drive is encrypted. When you boot your computer, you enter the password and everything works normally. If someone pulls the drive out and connects it to another machine, they get nothing -- the drive is completely unreadable without the decryption key.
I enable BitLocker on every Windows laptop I use. The setup takes about ten minutes and runs in the background. The performance impact on modern hardware is negligible -- you won't notice it. Microsoft claims less than 10% performance impact, and in practice it's often even less.
The catch: BitLocker is only available on Pro and Enterprise editions of Windows. If you have Windows Home, you get "Device Encryption" on supported hardware, which is similar but less configurable. And there's a philosophical concern: BitLocker is closed-source, and by default it can send recovery keys to Microsoft's servers. You can disable this through Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption), but it requires some tinkering.
For most people who just want to protect a laptop from theft, BitLocker is the easiest path to full-disk encryption. It's already there, it works, and you don't need to install anything.
Cryptomator -- For People Who Store Files in the Cloud
This one fills a specific niche. If you use Google Drive, Dropbox, or OneDrive and want your files encrypted before they leave your computer, Cryptomator is the answer. It creates an encrypted vault inside your cloud-synced folder. Files are encrypted locally before they're uploaded. The cloud provider only ever sees encrypted data.
I started using Cryptomator when I realized that "cloud storage" really means "someone else's computer." I don't trust Google or Dropbox to not look at my files, whether through automated scanning (for advertising, malware detection, etc.) or human access. With Cryptomator, it doesn't matter -- they can't read what they have.
The free version covers desktop use (Windows, Mac, Linux). There's a small fee for the mobile apps (iOS and Android), which is fair. Setup is straightforward: create a vault inside your cloud folder, set a password, and drag files in. The vault appears as a virtual drive, similar to VeraCrypt, but it's designed to work seamlessly with cloud sync folders -- it encrypts individual files rather than a single container, which is better for sync efficiency.
Cryptomator uses AES-256 encryption and is open-source, so the code can be (and has been) audited. It also supports multiple vaults with different passwords, which is useful for separating work and personal files in the same cloud folder.
A Few Things I Learned the Hard Way
Back up your passwords. I cannot stress this enough. I once forgot a VeraCrypt password for a container with non-critical files. It took me two days of trying variations before I got it back. For anything important, write your password down and store it somewhere physically safe -- a locked drawer, a safety deposit box, wherever. An encrypted file with a forgotten password is the same as a deleted file.
Encryption is not a backup. Encrypting your files protects them from unauthorized access. It does not protect them from hard drive failure, accidental deletion, or ransomware. Keep backups separately, and consider encrypting those too. The 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) is just as important as encryption.
Don't use the same password for everything. If your encrypted archive password is the same as your email password, and your email gets breached, your encryption is useless. Use a password manager. Bitwarden is free and open-source and does everything most people need.
Test your recovery process. Before you rely on any encryption tool for important data, test the full cycle: encrypt, dismount, remount, decrypt. Make sure you can actually get your files back. Do this before you need to, not after.
What About Those All-in-One Security Suites?
You'll find tools like Folder Lock and similar products that promise encryption, secure deletion, stealth modes, and more. Some of them are decent products. But they're usually closed-source, which means you're trusting the vendor's claims about security without being able to verify them. For anything truly sensitive, I stick with open-source tools where the code can be (and has been) audited by independent security researchers.
The exception is if you need a specific feature that open-source tools don't provide well -- like Folder Lock's ability to encrypt individual folders on the fly without creating a container. For casual use, it's fine. For serious security, I'd still point you at VeraCrypt.
The Bottom Line
For most people, the right setup is simpler than you think:
- Laptop protection: BitLocker (Windows Pro) or FileVault (Mac) for full-disk encryption
- Sensitive documents: VeraCrypt container, with the password backed up
- Sending files: 7-Zip with AES-256
- Cloud storage: Cryptomator vault inside your sync folder
That covers about 95% of real-world encryption needs. The tools are free, they're well-tested, and they use encryption standards that are effectively unbreakable with current technology.
The hardest part of encryption was never the technology. It was building the habit. Once you set it up, it becomes automatic -- like locking your front door. And the peace of mind when your laptop gets left in an airport terminal? Worth every minute of setup.