Safer Internet: Offline: Encryption



Quotes

Summary

Encryption: Intro

  • We'll cover various kinds of encrypted internet connections later under Internet Connection: Wi-Fi, VPN and Web Browsing: HTTPS, shopping, Email, Talk and Chat
  • With today's faster processors, there's no perceptible delay for encryption/decryption.
  • For strong encryption, look for "AES-128" or "AES-256" (Advanced Encryption Standard) -- and create a strong password!
  • Avoid weak encryption, e.g., a weak password (even with AES-128 or AES-256), the older .zip format, or standard .pdf or Office file password protection
  • Back up any encryption or recovery key somewhere secure, e.g., password manager, SD box
  • If you also save the recovery key in the cloud (iCloud, Microsoft), you could conveniently access it, but so could the government (legally or illegally) or hackers
  • Encryption becomes more vulnerable over time with faster processing, better algorithms, uncovered backdoors, more invasive laws / exceptions, quantum computers.
  • As a last resort, if you must share sensitive info, e.g., key, credit card, password, and end-to-end encryption is not available (email is typically decrypted at server, or your recipient may not be as careful as you are), communicate the information in fragments, e.g., separate emails, or use an alternate channel, e.g., text or phone

[1] Encrypt Entire Device / Disk -- and Backups

  • It's simpler to just encrypt entire drive rather than selected files.
  • iOS9+: automatic -- assuming strong (> 6 digit) passcode; also for recent Android
  • macOS: System Preferences > Security & Privacy > FileVault;
    i.e., FileVault 2; not recommended: "Legacy" FileVault (version 1) -- see Mac: FileVault references
  • You'll have to re-enter the password after Logout / Shutdown, or sleep timeout; if you have a very strong macOS account password, you could encrypt using that same password and have it saved in Keychain for convenience
  • Encrypt backup (incremental & clone) partitions/drives, e.g.,
    • macOS: Time Machine > Open Time Machine Preferences > (partition/disk) > Encrypt backups -- note: it is much faster to encrypt during the original partition/erase than later
    • macOS: Carbon Copy Cloner: boot backup system, enable FileVault -- see Mac: Carbon Copy Cloner, FileVault references

[1] Encrypt Cloud Files & Backups

  • See Backups for earlier discussion of cloud storage
  • Files are normally encrypted in transit -- from your device to the cloud server
  • Many cloud services then encrypt the files based on their key and/or your account password;
    the files are accessible not only to you, but also to the provider, and by subpoena, to the government;
    also, if file/folder URL is shared or discovered, anyone could access file
  • More secure cloud services, e.g., Backblaze, support use of a private key known only to you (different from your password).
  • The cloud service cannot decrypt files without this key, even under government demand -- more secure and preferable.

[2] Encrypt Notes

  • If you have a strong device password and full device encryption, this may be unnecessary
  • iOS: Notes > (share icon) > Lock Note
  • macOS: Keychain Access > Secure Notes

[3] Encrypt Individual Files / Folders

  • For individual files / folders, use a "zip" utility w/ strong encryption, e.g., 7-Zip (Win, Linux), Keka (macOS), or recent WinZip -- not the older original zip format
  • 'Password protection' provided by some apps, e.g., Word, .pdf, may be weak
  • If you want to encrypt more than a few files, and don't want to encrypt entire disk (or have an older Mac system), you can create a 'Disk Image' (embedded, compressed volume)
  • macOS: Disk Utility > File > New > Blank Image > encryption, image format: sparse bundle
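
To check which kind of encryption a .zip actually uses, the following added example (not part of the original page) reads the archive's central directory and labels each entry as unencrypted, older ZIP encryption ("zipcrypto"), or AES. The function names and the sample archive are constructed for illustration; the sample contains only a directory, no file data.

```python
import struct

AES_METHOD, AES_EXTRA_ID = 99, 0x9901    # WinZip AE-x markers in the ZIP format
AES_BITS = {1: 128, 2: 192, 3: 256}      # AE-x strength byte -> key size in bits

def classify(flags, method, extra):
    """Label one entry: 'none', 'zipcrypto' (older, weak), 'pkware-strong' or 'aes-<bits>'."""
    if not flags & 0x01:                 # general-purpose bit 0: entry is encrypted
        return "none"
    if method != AES_METHOD:             # bit 6 marks PKWARE strong encryption
        return "pkware-strong" if flags & 0x40 else "zipcrypto"
    pos = 0
    while pos + 4 <= len(extra):         # walk (id, size, data) extra-field records
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            return "aes-%s" % AES_BITS.get(extra[pos + 8], "unknown")
        pos += 4 + size
    return "aes-unknown"

def scan(data):
    """Map each file name in a ZIP's central directory to its encryption label."""
    eocd = data.rfind(b"PK\x05\x06")     # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    result = {}
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)   # name/extra/comment sizes
        name = data[pos + 46:pos + 46 + n].decode("utf-8", "replace")
        result[name] = classify(flags, method, data[pos + 46 + n:pos + 46 + n + m])
        pos += 46 + n + m + k
    return result

def sample(entries):
    """Constructed test input: central directory plus end record, no file data."""
    cd = b""
    for name, flags, method, extra in entries:
        cd += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          0, 0x21, 0, 0, 0, len(name), len(extra), 0, 0, 0, 0, 0)
        cd += name.encode() + extra
    return cd + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                            len(entries), len(cd), 0, 0)

# Constructed sample: one plain entry, one older-format entry, one AES-256 entry
AES256 = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE = sample([("plain.txt", 0, 8, b""), ("old.txt", 1, 8, b""), ("new.txt", 1, 99, AES256)])
```

For a real archive, pass the file's bytes to `scan()`; any entry labelled `zipcrypto` was saved in the older format and should be re-created with AES.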

References

Android

FBI (vs. Apple)

Government; Backdoor

iOS

macOS

[2] Quantum; Future

Windows