Editor’s Note: Yeah, this is a long article. But if you ever need to transfer a file that contains financial, medical, or otherwise personal/private stuff, you need to know the techniques and concepts in this article. So read it carefully.
Tax time is upon us once again here in the US of A… ah, that magical time of year when you take hours and hours to collect the info that the IRS already has and calculate what they already know.
According to this article, 56% of American filers pay someone else to do their taxes for them. If you’re one of those people, then you will inevitably have to send some sensitive financial statements and info to your tax preparer. But it’s also highly likely that there are other situations where you will want to be able to send private data to someone else over the internet – medical, financial, or just personal. You should never, EVER send this sort of info in an email – as an attachment or in the email body itself. Email is just not secure (unless you go to great pains to make it so).
Encryption is a proven, rock-solid mathematical technique for transforming normal, readable digital files (documents, pictures, emails, whatever) into complete gibberish, and then (crucially) converting them back. Encryption uses a key (sometimes called a passphrase or password) and some well-known algorithm to do the conversion and reversal (that is, encryption and decryption, respectively). Whoever had the right the key can decrypt the files. If you don’t know the key, even if you know the algorithm, you cannot recover the original file. Okay, you can – but if done properly, it would take all the computers on the planet working together for centuries to finally guess the key (despite what you see in spy movies). That’s cool stuff. (If you find this stuff the least bit interesting, check out The Code Book by Simon Singh.)
Let me just say right now that dealing with any sort of encryption today is just not convenient, to be polite. Encryption should just be the default for all communications today and you shouldn’t even notice that it’s happening. While we’re slowly getting there, we have a long way to go. (Don’t believe all the hype from law enforcement agencies about “going dark” – this is the golden age of surveillance.) The techniques I’m going to cover here are going to feel like a pain in the butt. But these are skills most of us will need at some point.
NOTE: I’m not talking Snowden-level security here. The techniques in this article are very good, but if your life depends on this, you need to looking at sites like privacytools.io and securedrop.org.
We’re going to be talking about two distinct flavors of encryption here: encrypting the files themselves (we call this ‘data at rest’) and encrypting the files as they are traversing the interwebs (‘data in motion’). Ideally, you will want to do both – that is, encrypt the files you’re sending and then send those files using an encrypted transfer mechanism. But at a bare minimum, you need to encrypt the files themselves.
STEP 1: Encrypting Your File(s)
Whether you have one or many files to send, you should compress and zip them up into a single bundle. Fortunately, the same tools we’re going to use to encrypt the files will also take care of compressing and bundling them all into a single output file called a ‘zip file’. When your recipient decrypts this zip file, they will get all the original files back.
The trick here is finding a zip tool and format that your recipient can handle. There are many, many ‘zip’ file formats – but for pure simplicity, we’re going to use the 7zip format. (While you can make the arguably more-standard .zip file format work, getting the current free tools to actually use the better encryption formats is needlessly difficult.)
For some unknown reason, there is no single tool that works both on Windows and Mac to create an AES-256 7z file. There are many for-pay tools out there, but I’ll stick to two free tools that work quite well: 7-Zip on Windows and Keka on Mac. (Shout-out to this How-To-Geek article for inspiration.)
a) Choosing Your Zip File Password
Before we can encrypt the file, we need to choose a password. This is a crucial step in the process – don’t wimp out here and go with your name, “password”, or “12345678”. Just make it easy: go to this online password generator and have it create a killer password for you. You can tweak the settings on this page if you want to make it a little easier for the recipient to enter, but make sure it’s at least 12 characters long.
b-Win) Creating Your Zip File on Windows (7-Zip)
Start by putting all of your files into a single folder, say “My Private Files”. Then right-click this folder and select “7-zip -> Add to archive”. Don’t let all the options scare you. In the window that pops up, you only have to change three things:
- set the “Archive format” to “7z” (upper left)
- set the “Encryption method” to “AES-256” (lower right)
- enter your chosen password.
b-Mac) Creating Your Zip File on Mac (Keka)
Keka is handy, but a little odd to work with. Launch Keka. If not already selected by default, choose the tab for “7z”. Fill in your chosen password. I usually also select “exclude Mac resource forks” (harmless and invisible to Mac users, but confusing for Windows users).
Put all of your files into a single folder, say “private files”. Drag that folder on top of the Keka window and it will change (like below). Just let go and your encrypted 7z file will be created (by default, it will be in the same location as the original folder). That’s it!
The process at the receiving end is much simpler – the receiver usually just has to double-click the .7z file. They will need some sort of application installed to handle this, of course. 7-Zip and Keka are obvious choices, but there are others that will decrypt these files (even if they can’t create them in the first place) like Unarchiver for Mac or PeaZip for Windows. Obviously, the recipient will also need the password (Step 2).
STEP 2: Sharing Your Zip File Password
As always, the devil is in the details… you have your strong password and you’ve used it to encrypt your zip file. Now… how do you get this crazy password to the other guy? Believe it or not, this one step is where so many people fail miserably. Don’t send the password along with the file! (Don’t laugh… people do this.) In general, you need to share the password using a different mechanism than whatever you used to share the file.
Here are some options. Note that in all cases, I wouldn’t say anything like “here’s the password”. Just send it with no other information, if possible.
- The simplest and most secure way to share a password is to just call the recipient and read it to them.
- If time is not an issue, you could mail it to them (like, a real letter).
- If both you and the recipient use iMessage (ie, you both have Apple devices), you can feel fairly secure sending the password this way.
- A regular text message isn’t great, but it’s not horrible, especially if you don’t say what it is.
- Gold star: Send half the password one way and the other half some other way!
STEP 3: Sending Your Encrypted Files
Now that you’ve encrypted and zipped up your files into a single .7z file, and you’ve securely communicated the password to the recipient, now you need to actually send the zip file. While you could just email the zip file (because, after all, it is encrypted), I would still recommend that you choose an encrypted transfer mechanism. Why? Well, whenever you send something via email, copies of that message and the attachments can be made along the path between you and the receiver. Those copies may survive for a very long time and are subject to being stolen or copied. If you didn’t choose a good password or if in the future someone finds a glitch in the encryption algorithm (less likely), then those copies could be compromised. But you’ve done the most important part: you’ve encrypted the files and, as long as you have a good password, they’re very safe. If you want to email them and be done with it, that’s your call.
There are various ways to transfer a file to someone securely over the internet. Here are a few you could use:
- Use a share link with a cloud storage service
- Use an encrypted email service
- Use a real-time, encrypted file transfer tool
Using a share link with a cloud storage service is the least secure method, but it may be the easiest. There are three main problems with this technique. First, while most popular cloud storage services have some level of built-in encryption, they really aren’t super secure – in particular, the provider usually holds the master key. If compelled (or perhaps hacked), your files could be copied. Second, as a convenience to you, most of these services retain copies of files even after you delete them (see if they offer ‘undelete’ or ‘file recovery’). Finally, if you create a share link, anyone with that link can get to the linked file – at least until you cancel the link or delete the file. Again, you’ve already encrypted the file once, so this is less of an issue, but it’s still not ideal. However, if you want quick and easy, check how your cloud service creates share links and send it to the intended party. (You can often right-click the file to get this.) When your recipient has the file, cancel the share link and/or delete the file.
If you and your recipient happen to both have an account on an encrypted email service, then you can use that to send your file. Unfortunately, these services are not terribly common and they aren’t cross-compatible. However, most offer a free service option, so you could set up an account just for this purpose. This web site has good info and comparisons.
This last technique is dead simple. All you need is a web browser – no special tools to download or services to sign up for. The only trick is that you both have to be online at the same exact time – that is, they have to be there to ‘catch’ the file when you ‘throw’ it. There are several of these services and new ones keep popping up. I’ve personally used reep.io, but you might also check out sharefest.me and file.pizza. In all cases, you drag the file you want to transfer (your zip file in this case) onto the web page. The web page then gives you a special, unique link, which you need to send to your recipient (email, text, etc). When they click it, the file downloads to their computer. Ta da! This technique has one of the same problems as cloud storage share links: anyone with the link can download the file. However, they would have to somehow intercept that link and click it before your intended recipient. Once you close the web page, the link won’t work anymore. Also, some of these transfer services have the added option of setting a password on the transfer, which I highly recommend. (Use a different password from the one you used to encrypt the zip file!)
UPDATE (9-13-2017): There’s an even easier tool out there now called Firefox Send. The nice thing about this tool is that it will save the file in the cloud for your recipient: unlike reep.io and file.pizza, they don’t need to be online at the same time. You drag the file onto the page and it will upload. It then gives you a download link which you send to your recipient. They have 24 hours to download it. The file will be deleted as soon as it’s downloaded (one time only) or after 24 hours.
See what I mean? Sending a file securely today is not simple – and it really should be. Once you get used to using these tools, it’s not so bad, but it should still be simpler.
That said, I would be remiss if I didn’t at least mention a cool new tool called miniLock. If you’ve ever heard of PGP, miniLock is a hipper, modern version that is much, much easier to use. PGP and miniLock use what’s called ‘public key’ encryption (as opposed to the techniques we describe above which use ‘private key’ encryption). With public key crypto, you have two keys that are paired: a public key and a private key. You give the public key away freely to anyone that might want to send you an encrypted file – it’s not secret. The magic is that any file encrypted with the public key can only be decrypted with the private key (which only you have, hence the ‘private’). No need to try to figure out how to securely share a single, shared key! This is truly the best way to share stuff securely, but using PGP really sucks. miniLock has the potential to be a usable public-key crypto tool for the masses because it’s so much easier to use. This tool is currently only supported (well) in the Chrome browser, but hopefully will expand to Firefox and other browsers soon. If you want to give it a try, check out this how-to article.