Editor’s Note: Yeah, this is a long article. But if you ever need to send files securely – files that contain financial, medical, or otherwise personal/private stuff – you need to know the techniques and concepts in this article. So read it carefully.
Last updated: Feb 12, 2021
If you need to send someone private or sensitive information over the internet (like, say, sending your financial info to your tax preparer or sending medically sensitive information), then this guide is for you. You should never, EVER send this sort of info in an email – as an attachment or in the email body itself. Email is just not secure (unless you go to great pains to make it so) and your file(s) may last forever on some server somewhere, even if both the sender and receiver “delete” the email.
Quick Background on Encryption
Encryption is a proven, rock-solid mathematical technique for transforming normal, readable digital files (documents, pictures, emails, whatever) into complete gibberish, and then (crucially) converting them back. Encryption uses a key (sometimes called a passphrase or password) and some well-known algorithm to do the conversion and reversal (that is, encryption and decryption, respectively). Whoever has the right the key can decrypt the files. If you don’t know the key, even if you know the algorithm, you cannot recover the original file. Okay, you can – but if done properly, it would take all the computers on the planet working together for centuries to finally guess the key (despite what you see in spy movies). That’s cool stuff. (If you find this stuff the least bit interesting, check out The Code Book by Simon Singh.)
Let me just say right now that dealing with any sort of encryption today is not convenient, to be polite. End-to-end encryption (E2EE) should just be the default for all communications today and you shouldn’t even notice that it’s happening. While we’re slowly getting there, we have a long way to go. (Don’t believe all the hype from law enforcement agencies about “going dark” – this is the golden age of surveillance.) The techniques I’m going to cover here are going to feel like a pain in the butt. But these are skills most of us will need at some point.
NOTE: I’m not talking Snowden-level security here. The techniques in this article are very good, but if your life depends on this, you need to looking at sites like privacytools.io and securedrop.org.
Sending Files Securely
We’re going to be talking about two distinct modes of encryption here:
encrypting the files themselves (‘data at rest’)
encrypting the files as they are traversing the interwebs (‘data in motion’)
Ideally, you will want to do both – that is, encrypt the files you’re sending and then send those files using an encrypted transfer mechanism. But at a bare minimum, you need to encrypt the files themselves.
STEP 1: Encrypting Your Files
Whether you have one or many files to send, you should compress and zip them up into a single bundle. Fortunately, the same tools we’re going to use to encrypt the files will also take care of compressing and bundling them all into a single output file called a ‘zip file’. When your recipient decrypts this zip file, they will get all the original files back.
The trick here is finding a zip tool and format that your recipient can handle. There are many, many ‘zip’ file formats – but for pure simplicity, we’re going to use the 7zip format. (While you can make the arguably more-standard .zip file format work, getting the current free tools to actually use the better encryption formats is needlessly difficult.)
For some unknown reason, there is no single tool that works both on Windows and Mac to create an AES-256 encrypted 7z file. There are many for-pay tools out there, but I’ll stick to two free tools that work quite well: 7-Zip on Windows and Keka on Mac. (Shout-out to this How-To-Geek article for inspiration.)
a) Choosing Your Zip File Password
Before we can encrypt the file, we need to choose a password. This is a crucial step in the process – don’t wimp out here and go with your name, “password”, or “12345678”. Just make it easy: go to this online password generator and have it create a killer password for you. You can tweak the settings on this page if you want to make it a little easier for the recipient to enter, but make sure it’s at least 12 characters long. I would go with 15-20.
Keka is handy but a little odd to work with. Launch Keka and from the Keka menu, open Preferences and select the “Compression” tab. Select the “Use AES-256…” option.
Now, in the main Keka window, select “7Z” option at the upper right, if not already selected. Fill in your chosen password. I usually also select “Exclude Mac resource forks” (harmless and invisible to Mac users but confusing for Windows users).
Put all of your files into a single folder, say “my secret stuff.” Drag that folder on top of the Keka window and it will magically change like the figure below.
When you drop the folder on Keka, you will be presented with a save dialog. Choose where you want your 7zip file to be saved. You can change the name of the file, if you wish.
c) Decrypting the 7z File
The process at the receiving end is much simpler – the receiver usually just needs to double-click the .7z file. They will need a zip/compression application installed to handle this, of course. 7-Zip and Keka are obvious choices, but there are others that will decrypt these files (even if they can’t create them in the first place) like Unarchiver for Mac or PeaZip for Windows. Obviously, the recipient will also need the password (Step 2).
STEP 2: Sharing Your Zip File Password
As always, the devil is in the details… you have your strong password and you’ve used it to encrypt your zip file. Now… how do you get this crazy password to the other guy? Believe it or not, this one step is where so many people fail miserably. Don’t send the password along with the file! (Don’t laugh… people do this.) In general, you need to share the password using a different mechanism than whatever you used to share the file.
Here are some options. Note that in all cases, I wouldn’t say anything like “here’s the password”. Just send it with no other information, if possible.
Old school method: The simplest and most secure way to share a password is to just call the recipient and read it to them. No “paper trail” and very unlikely to be recorded.
Most secure method: If you both happen to have a secure messaging app like Signal or Wire or Keybase, you can send the password that way. (WhatsApp isn’t trustworthy now that Facebook owns it.)
Fairly secure method: If both you and the recipient use Apple’s Messages (ie, you both have Apple devices), you can feel fairly secure sending the password this way (a “blue bubble” text message).
Okay method: A regular text message isn’t great, but it’s not horrible, especially if you don’t say what it is.
Now that you’ve encrypted and zipped up your files into a single .7z file, and you’ve securely communicated the password to the recipient, now you need to actually send the zip file. While you could just email the zip file (because, after all, it is encrypted), I would still recommend that you choose an encrypted transfer mechanism.
Why? Well, whenever you send something via email, copies of that message and the attachments can be made along the path between you and the receiver. Those copies may survive for a very long time and are subject to being stolen or copied. If you didn’t choose a good password or if in the future someone finds a glitch in the encryption algorithm (less likely), then those copies could be compromised. But you’ve done the most important part: you’ve encrypted the files and, as long as you have a good password, they’re very safe. If you want to email them and be done with it, that’s your call.
There are various ways to transfer a file to someone securely over the internet. Here are a few you could use:
Use a temporary share link with a cloud storage service
Use an encrypted email service
Use an encrypted web file transfer tool
Use an end-to-end encrypted messaging app
Option #1: Share Link
Using a share link with a cloud storage service is the least secure method, but it may be the easiest. There are three main problems with this technique. First, while most popular cloud storage services have some level of built-in encryption, they really aren’t super secure – in particular, the provider usually holds the master key. If compelled (or perhaps hacked), your files could be copied. Second, as a convenience to you, most of these services retain copies of files even after you delete them (see if they offer ‘undelete’ or ‘file recovery’). Finally, if you create a share link, anyone with that link can get to the linked file – at least until you cancel the link or delete the file.
Again, you’ve already encrypted the file once, so this is less of an issue, but it’s still not ideal. However, if you want quick and easy, check how your cloud service creates share links and send it to the intended party. (You can often right-click the file to get this.) When your recipient has the file, cancel the share link and/or delete the file.
Option #2: Encrypted Email
If you and your recipient happen to both have an account on an encrypted email service, then you can use that to send your file. Unfortunately, these services are not terribly common and they aren’t cross-compatible. However, most offer a free service option, so you could set up an account just for this purpose. This web site has good info and comparisons, but I personally prefer ProtonMail.
Option #3: Encrypted Web File Transfer
This one is dead simple. All you need is a web browser – no special tools to install or services to sign up for. There are several free and secure services for sharing files online. Here are the ones I recommend:
They each work a little differently, but basically you drag your zip file onto the page and it gives you a link that you share with your intended recipient. With Swiss Transfer, you can limit the number or downloads, add an expiration date for the link, or both. You can even add a password for the download (separate from the one you’ve already used to encrypt the file itself). Filemail has an option for sending an email, though personally I prefer to use the download link (“Send as link”).
Option #4: Encrypted Messaging App
If you and your recipient already use a secure messaging app with true end-to-end encryption like Signal or Wire or Keybase, I believe they all support sending files. (And if you aren’t already using one of these apps, now would be a great time to start!)
See what I mean? Sending a file securely today is not simple – and it really should be. Once you get used to using these tools, it’s not so bad, but it should still be simpler.
If you want to look into the gold standard for securing stuff, check out Pretty Good Privacy. PGP uses what’s called asymmetric encryption (as opposed to the techniques we describe above which use symmetric encryption). With asymmetric crypto, you have two keys that are paired: a public key and a private key. You give the public key away freely to anyone that might want to send you an encrypted file – it’s not secret. The magic is that any file encrypted with the public key can only be decrypted with the private key (which only you have, hence ‘private’). No need to try to figure out how to securely communicate a single, shared key! This is truly the best way to share stuff securely, but using PGP it not for the faint of heart. (You can also check out my interview with the creator of PGP, Phil Zimmerman.)