Some files deserve enhanced protection: scanned identity documents, contracts, medical records, wills, tax information. Individual file encryption adds a security layer independent of the storage service used. Here are the best methods to achieve this.

When to Encrypt Individual Files?

Full disk encryption (FileVault on Mac, BitLocker on Windows) protects all your files when your computer is off or locked. It's essential protection but insufficient for:

  • Files you send by email
  • Files you store in the cloud
  • Files you share with third parties
  • Particularly sensitive files you want to protect even from someone who has access to your unlocked machine

In these cases, individual file encryption is the solution.

GnuPG (GPG): Asymmetric Encryption

GnuPG is the open source reference for file encryption. It implements the OpenPGP standard.

How it works: you generate a key pair (public and private). To encrypt a file, you use your public key. To decrypt it, you need your private key and your passphrase.

Advantages: very robust, open standard, wide support. Disadvantages: technical interface, learning curve.

Recommended GUI: Kleopatra (Windows/Linux) or GPG Suite (Mac) for use without command line.

7-Zip with AES-256 Encryption

7-Zip is a free, open source archiver that lets you create encrypted archives with AES-256.

How to use it: in 7-Zip, right-click your file > "Add to archive..." > Choose 7z format > Enter a password > Enable "Encrypt file names."

Advantages: simple, free, cross-platform. Disadvantages: protection depends entirely on your password strength.

Cryptomator: For the Cloud

Already mentioned in our article on cloud security, Cryptomator is particularly suited for encrypting files before sending them to the cloud (Google Drive, Dropbox, OneDrive).

It creates an encrypted vault in your sync folder. All files you place there are automatically encrypted before syncing.

age: Modern and Simple Encryption

age (rhymes with "rage") is a modern encryption tool designed to be simple. Its format is minimalist and free of unnecessary options.

age -r pubkey -o file.age file.txt  # encrypt
age -d -i private-key -o file.txt file.age  # decrypt

It uses modern algorithms (X25519 for key exchange, ChaCha20-Poly1305 for encryption) and is recommended by security experts as a simpler alternative to GPG.

Choosing a Strong Password for Encrypted Files

The security of a password-encrypted file depends entirely on the password's strength. A weak password can be brute-forced.

Recommendations:

  • Use a passphrase rather than a single word (e.g., "MyCatDrinks14Liters!" rather than "P@ssw0rd")
  • Minimum 16 characters for very sensitive files
  • Combine uppercase, lowercase, numbers, and special characters
  • Never use the same password for multiple important files

Managing Decryption Keys for Your Digital Legacy

The critical question for individual file encryption in a digital legacy context: if you die and your files are encrypted, your loved ones won't be able to access them without the key or password.

To solve this problem:

Solution 1: store the decryption passwords for your important files in EchoPass. In case of prolonged absence, these passwords will be transmitted to your heirs along with your other information.

Solution 2: for files encrypted with GPG, transmit your private GPG key (and its passphrase) via EchoPass. Your heirs can then decrypt all the files you leave them.

Solution 3: use Shamir's Secret Sharing to split your key among multiple heirs, with none able to access the data alone.

What You Should Encrypt

Absolutely:

  • Cryptocurrency recovery phrases
  • Scanned identity documents
  • Banking and financial information
  • Confidential medical information

Recommended:

  • Scanned wills and advance directives
  • Important email archives
  • Password manager backups

Optional:

  • Personal photos (depending on sensitivity)
  • Confidential professional documents

EchoPass encrypts your messages with XChaCha20-Poly1305 and a zero-knowledge architecture, ensuring your decryption information remains confidential until delivered.
