How to Encrypt EVERYTHING
Hello, friends! In the spirit of the EARN IT act seemingly gathering steam in the USA, I've written a detailed guide on how to encrypt, well... everything. Welcome to a lengthy blog post overstuffed with hot, sticky, sweet and sour cryptography. Bon appétit.
I will be attempting to update this post somewhat regularly, so check back from time to time! I'll be sure to make it known when I've updated.
As always, I welcome your input—if you agree, disagree, have additions, have questions—please speak up! Feel free to reach out to me on Social Media or by Email (details at bottom of post). Let's talk and learn from each other. I'll try my best to respond as much as I can, even if it takes me a little bit of time to do so. :)
UPDATED 11/01/2020 (See Changes)
Contents
- Encrypting Web Traffic
- VPN
- Tor
- VPN + Tor?
- DNS Requests
- Encrypting Communications
- SMS/MMS and Voice Calls
- Private Messaging, VoIP, and/or Video Chat
- Encrypting Synced Data
- All-in-One Solution
- Passwords
- 2FA/MFA/OTP
- Contacts & Calendar Sync
- Personal Notes / Journals
- Documents
- Cloud Storage
- Encrypting Collaborative Projects & File Sharing
- Communication for Teams
- Shared Documents
- File Sharing
- Encrypting Your Files
- Encrypting System Drives
- Android
- iOS
- Linux
- Mac
- Windows 10
- Encrypting Flash Drives / External Drives
- Encrypted Folders / Partitions
- Hiding Files and Secret Messages in Plain Sight with Steganography (Coming soon!)
- Contact Me
Encrypting Web Traffic
There are currently two excellent, reliable ways to encrypt your web traffic that are widely used: a VPN and TOR. Let's talk about both. I will also touch on DNS encryption at the end of the section.
VPN
VPN stands for Virtual Private Network, and a good, trustworthy VPN is an indispensable tool in the fight for privacy. A VPN will generally allow you to access a collection of servers across multiple countries and continents. You may have seen people using VPNs to access Netflix or YouTube content from different regions, which is definitely a nice perk, but not why I'm bringing them up.
When you connect to a website, your IP address is logged. We could dive deeper into why this might be problematic, but if you're reading this, I'm assuming you've already got some semblance of an idea. In very short terms, that IP can be used to track you around the web, from site to site, mostly for marketing purposes (and potentially reasons more sinister). A VPN worth its salt will encrypt your request to connect to a site and any other data you may be uploading, then ferry it safely to a remote server before decrypting it and directing it where it's meant to go. The beauty of this is twofold:
- Your true IP address will not be revealed to the sites you visit, as it will only see the remote server's IP, from which hundreds or thousands of varying connections are made daily, effectively obscuring your identity and habits online.
- Your ISP (Comcast, TWC, Century Link, AT&T, Verizon, etc.) will only see your encrypted traffic headed to a single remote server, and not where it goes after. Essentially, they have no idea what you're doing on the web, either.
This is not a foolproof method of achieving anonymity, however. Why? Because your VPN can see your true IP and exactly what you're doing with it. This is where things get tricky, and why it's so crucial to use a reputable VPN service.
I can make a few recommendations on VPNs I've found worthy of my own trust, but first I want to detail a couple of the important factors that I look for in a VPN:
- Loglessness. There's nothing stopping a VPN service from claiming to be logless and collecting logs anyway, so there is absolutely an element of trust needed here. My personal view is that for any privacy strategy to work, you are going to need to be able to place trust in certain organizations and tools—it's inevitable. We just have to do our homework and practice with failsafes/redundancy when we can.
- Jurisdiction. In general, I am skeptical of VPNs based in the USA or China, as their privacy laws are less than stellar. A VPN based somewhere like Switzerland, however, would be subject to their remarkably forward-thinking privacy laws. Depending on your own unique use-case, you may want to consider where your VPN provider is headquartered. In researching this, you may see terms like “Five Eyes,” “Nine Eyes,” or “Fourteen Eyes” come up. This is a detailed subject, so I recommend skimming this article to get a better idea of what this means for you.
- Leak Protection. Ideally, the VPN service will have a mitigation in place for DNS Leaks.
- Security. Arguably the most important aspect, the VPN provider needs to offer strong encryption protocols (ideally AES-128 or AES-256, avoid blowfish or anything below 128-bit encryption).
- Monetization. VPN services are expensive operations to run, and as such, any VPN that is provided at no charge should draw immense skepticism. You must consider how they monetize their service to properly evaluate if it will be an asset to your privacy.
Luckily, comparing all of these traits and more has been made extremely easy by That One Privacy Guy through the detailed VPN comparison chart on his site, aptly named That One Privacy Site. Use this resource, please.
My Recommendations: I personally feel comfortable using and recommending Mullvad, Proton VPN, Nord VPN, or Mozilla VPN (which piggybacks on Mullvad's servers).
A Note on PIA: I was a Private Internet Access user for a long time, but many are unaware that they were recently purchased by Kape Technologies, a less-than-reputable PLC that, at one time, created adware and has since rebranded as a “cybersecurity” company. I am not aware of any major changes to their policies since the acquisition, so they may still be a fine service, but the purchase was a major red flag for me and I can no longer comfortably recommend the service.
You can host your own VPN at no cost, but this is only recommended if you have the knowledge and means to do so properly, for your own security.
Tor
Tor differs from a VPN in a few key ways. Tor is The Onion Routing network, a free, donation-funded global network of nodes that can only be accessed via the Tor Browser. When you connect, your web activity is encrypted and routed through a series of 3 random nodes BEFORE it makes a connection. While you can use the Tor browser to access “Clearnet” (or “normal”) websites, it also offers the ability to visit Onion sites. These are sites accessible only via the Tor network and provide an additional layer of protection.
Both Tor and VPNs are exceptional tools for privacy, and while there's a bit of overlap, they both have unique strengths that will make them each better suited for different use-cases. Here is a more technical breakdown to help decide if a VPN or Tor is better for you.
For more information on using Tor, see my recent post on How to Get The Most Out of Tor in 2020.
VPN + Tor?
So if VPNs are good, and Tor is also good, wouldn't they be better together? This is where things get a little messy, because it depends on who you ask. Many very knowledgeable folks make the argument that using a VPN with Tor can compromise your anonymity. I personally subscribe to the idea that using Tor over a VPN (not the other way around) can significantly improve your anonymity, and here is my reasoning:
- Your ISP can see you're using Tor, so going VPN > Tor means that your ISP won't know you're using the Tor network.
- As far as data transfer, your packets will go VPN server > Tor Node #1 > Tor Node #2 > Tor Node #3 > Target Site, so whether or not you use a VPN, the site you're connecting to is only gonna see the IP of the Tor exit node, not the VPN server's IP.
- The entry node will see your IP, but without a VPN it sees your real IP anyway. Using a VPN can hide your real IP from the entry node, but this requires that you have a trustworthy VPN provider that is truly logless, and that you pay for the service by reasonably anonymous means.
As far as I can tell, if done right, the only downside would be a terribly slow connection (VPNs and Tor will both take a hit on your connection speeds). Since there are some valid arguments for both sides of this old, rusty coin, I will not give you a definitive answer on whether it's right for you. Luckily, a community-managed wiki for The Tor Project has created an excellent post on this subject, so I highly recommend giving it a read.
If you have any thoughts on this, please let me know. Let's discuss! I'm here to learn, too.
DNS Requests
A Domain Name System (or DNS) server works much like an old school phone operator. When you type reddit.com into your browser, you are calling in to say, “Hello, I would like to be connected to my old pal, Reddit.” The operator will then find the phone number (or IP Address) of Reddit and help direct the connection. If you had no idea what a DNS server was, you are most likely using the DNS provided by your ISP. Many may also be using Google's DNS option, as it's quick and reliable. In both cases, your DNS requests (or the sites you are trying to visit) are unencrypted and logged by a third-party. Much like a VPN, it is possible to host your own private DNS server. This is a great option if you have the know-how and the resources to set it up properly, but it will hardly be the most accessible option for many.
For those that use a VPN, many VPN providers include their own secure DNS. This is great! This means you don't have to do anything special while the VPN is running. If your provider offers DNS leak protection, please note that it is not recommended that you try to use DNS over TLS or DNS over HTTPS, as it can invalidate the protection.
If you are not using a VPN with an included DNS or are still in need of a quick and easy solution, there are lots of DNS choices out there, so I've narrowed them down to a few that I have found to be reputable enough. You'll want to make sure that the provider you choose is equipped with DNSSEC and supports some kind of encrypted tunneling protocol, such as DoT (DNS over TLS) or even better, DNSCrypt (see below chart for more info).
Provider | Location | Logging | DNSSEC |
---|---|---|---|
Quad9 | USA | Minimal | Yes |
DNS.WATCH | Germany | None | Yes |
Snopyta | Finland | None | Yes |
Cloudflare* | USA | Minimal | Yes |
*Please note: Cloudflare claims that their logging is extremely minimal. Regardless, many users around the internet do not trust them as an organization. I have been unable to find enough evidence to make a truly informed recommendation regarding Cloudflare's reputability, but I am including them because, at this time, they at least appear to be committed to offering a private, secure alternative DNS. They are also the fastest DNS out there by a notable margin. I personally would opt for another choice—such as Quad9—in the interest of privacy, but I did want to include this one as a more private alternative to Google DNS for the performance freaks.
You can find a much more comprehensive comparison chart with more options where I borrowed some of this information from, on PrivacyTools.io. As mentioned above, DNSCrypt is highly recommended. To use it, you need only download a client from their website and run it. In the client, you can typically select from numerous supported DNS options, but while they are all secure options, not all of them are necessarily the most private options. This is why it's important to look over the supported choices on sites like PrivacyTools and go in knowing what you're using.
If you choose not to—or are unable to—use the DNSCrypt client on your chosen device, here is a quick and dirty guide to change your DNS server on any device courtesy of HowToGeek.
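As an added illustration that is not part of the original post, here is how the selection criteria above (DNSSEC, no logging, an encrypted transport) map onto settings in dnscrypt-proxy, which I'm assuming is the DNSCrypt client in question; the resolver name is a placeholder to be replaced with one from the client's public resolver list, and every other key in the shipped example config is left at its default.

```toml
# Added example: a minimal dnscrypt-proxy.toml fragment (not from the original post).
# Only the keys that express the criteria discussed above are shown.

# Listen on the local machine; the OS resolver is then pointed at 127.0.0.1.
listen_addresses = ['127.0.0.1:53']

# Pin the resolver(s) to use. 'example-nolog-resolver' is a hypothetical
# placeholder; pick a real name from the client's public resolver list.
server_names = ['example-nolog-resolver']

# Refuse any resolver that does not validate DNSSEC.
require_dnssec = true

# Refuse any resolver that does not advertise a no-logging policy.
require_nolog = true

# Refuse resolvers that apply their own domain blocklist (drop this line if
# you actually want a filtering resolver).
require_nofilter = true

# Allow both encrypted transports the client supports: the DNSCrypt protocol
# and DNS over HTTPS. Plain, unencrypted DNS is never used for queries.
dnscrypt_servers = true
doh_servers = true
```

With these four `require_*`/transport settings in place, a resolver that merely claims to be private but lacks DNSSEC or a no-log flag in the list is simply never selected, which is the point of checking the list on PrivacyTools before committing to one.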
Encrypting Communications
For some, like journalists and whistleblowers, encrypted communications are vital to their work—and in some areas, their survival. For others, we simply don't want our private messages parsed for marketing data. Both cases are completely valid. I firmly believe that everyone has a use for legitimately private communication and that it should be easily obtainable. As of today, fortunately, it is for many of us.
Here are some recommendations for a mix of paid services and FOSS (free and open source software) for communication that provide E2EE (end-to-end encryption*). What this means is that all communications are fully encrypted on your device (“clientside”) and decrypted only upon arriving at the receiver's device. E2EE exists to promise the user a zero-knowledge service, meaning that even the company themselves cannot read your messages, nor could any government-based or malicious actors that compromise their servers. They can only be deciphered on your physical device.
**Please note that for all of the following, the other user must use the same tool in order to get the most protection from them.*
SMS/MMS and Voice Calls
- Signal (Android/iOS/Linux/Mac/Windows) [FOSS] – An SMS application by Open Whisper Systems that can handle both plain, unencrypted text messages with anyone AND E2EE text messages with other Signal users (for mobile users—on PC, it will only allow private messaging between other Signal users). It is endorsed by Edward Snowden himself and widely used in both private and public sector by cybersecurity professionals and government officials alike. There are alternatives and forks out there, but they are not cross-compatible with Signal. Some prefer alternatives, as Signal does require a phone number on sign up, but since Signal dominates this particular niche, you're going to find way more people are already using this one, so it's easily my preferred recommendation. Signal is also capable of E2EE voice and video calls. I'm often surprised at how many of my friends and contacts are already using Signal once we swap numbers.
- MySudo (Android/iOS) [PAID] – MySudo is a closed-source service by Anonyome Labs that allows users to create multiple “Sudos” or alternate identities, each with their own phone number and email address. All texts, calls, and emails between other MySudo users are free and E2EE, but you need to pay for a subscription service to take advantage of the full suite of tools. Theoretically, one could have a Sudo for personal matters, a Sudo for work, and a Sudo for finance. Let's say they leave a job or their work phone number becomes otherwise compromised—they could simply kill that number and get a new Sudo. Some users will even go so far as to never give out their actual cell number, and instead rely only on Sudo numbers. This can be a very practical way to compartmentalize your life and conceal one of your most sought-after digital assets. In my experience with it, the numbers are often rejected by businesses and online retailers that demand a phone number, but it's excellent for Craigslist dealing and many other situations.
- Protonmail (Android/iOS/Linux/Mac/Windows/Web) [FOSS/PAID] – ProtonMail is a Swiss-based, open source email service with an incredible dedication to privacy, security, and zero-knowledge. They take security so seriously, in fact, that their datacenter is located underground in a guarded bunker beneath 1,000 meters of solid stone. I shit you not, they are Bond-villain-level committed. You can read more about their security features here, including offerings such as self-destructing messages. They also have an onion address and can therefore be accessed securely via the Tor network. ProtonMail is handily the service that I feel most comfortable recommending out of anything else in this guide.
- Tutanota (Android/iOS/Linux/Mac/Windows/Web) [FOSS/PAID] – ProtonMail is a tough act to follow, but Tutanota manages to be a serious contender as another open source, privacy-conscious email provider. If for any reason you opt not to go with ProtonMail, Tutanota is a swell alternative.
> Bonus Tip:
> If you are communicating with another individual that is not also using your same secure email provider, you can still use PGP encryption to secure your communications. Here's a great guide to getting started with PGP in Mozilla Thunderbird, which should work with almost any email provider. If you opt to use ProtonMail, they also allow you to send PGP encrypted emails very easily, right in the web browser! Here is their guide for PGP with non-ProtonMail users.
Private Messaging, VoIP, and/or Video Chat
- Wire (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Wire is an open source, Swiss-based tool for private messaging, video chat, and voice chat. You can easily create group chats, perform screen sharing, send GIFs, and more. Of course, all communication in the app is E2EE. It's my preferred alternative to Skype, Teams, and other similar tools. In my personal experience, it has also performed better and provided more stability across all platforms than some of the more commercial offerings. It's a brilliant piece of software and I highly recommend it.
- Briar (Android) [FOSS] – Briar is a unique messenger for two reasons: it offers more than just messaging with blogs, forums, and groups; it also has the ability to connect to nearby users without an internet connection. It is the only messenger I know of that will allow you to send messages locally over Bluetooth, which could be handy in a number of scenarios. For the Tor users, it also gives you the option to connect over the Tor network, which is a huge perk. At the time of writing, it is only available for Android.
- Mumble (Linux/Mac/Windows/Web) [FOSS] – Mumble is an open source alternative to Discord. It's a low-latency messenger and audio chat program built for gamers. I haven't used this one much, but my experiences have been good, if only brief.
- Pidgin + OTR (XMPP) (Tails) [FOSS] – If you are using the Tails live operating system, Pidgin is a great Tor-friendly messenger option, pre-installed and configured out of the box for you. Here is a video with a detailed guide on getting this set up. Snopyta offers a solid private XMPP server that you can use over Tor, but you can also always look to Calyx Institute or RiseUp, among others.
- Rocket.Chat (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Simply put, this is a free, open source, self-hostable replacement for Slack and other team-based collaborative chat platforms. All communication is E2EE. This platform comes highly recommended for companies, online communities, collaborations, or even just a friendly group chat.
- Jitsi Meet (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Jitsi Meet is an open source tool for video conferencing. It works similarly to Zoom, but performs better and offers a significantly more private and secure experience. If you use Zoom for work, I do recommend looking into whether you could get others on board with switching.
Encrypting Synced Data
We sync a lot of data with the cloud. Like, a lot a lot. Contacts, calendars, notes, photos, etc. These details could be particularly sensitive, as they are quite personal. This information is regularly collected by many of the apps you have on your phone—and by your phone's own operating system—to generate a targeted-marketing profile on you. They're also generally stored unencrypted, making them vulnerable to malicious actors who manage to compromise your device or a network to which you're connected. Luckily, we can fix this.
All-in-One Solution
NextCloud (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – You can think of Nextcloud like having your own personal Dropbox or OneDrive. It can sync files, calendar, contacts, notes, and more between a myriad of devices. It even has plug-ins available that expand functionality, and you can use it for secure video calling. This is a reasonably elegant solution, and it pairs well with Cryptomator for an additional layer of security. There is a cost to this option, however: this is a service that must be hosted. This means you will either need a private server of your own to host it on, or you will need to pay a web-hosting provider to borrow space on their servers. If this is not tenable for you, please check out the individual services below. If you're looking to rent a server, there are many, many reputable VPS solutions out there—but I like to recommend wölkli.
Syncthing (Android/Linux/Mac/Windows/More) [FOSS] – This is a tool that will allow for seamless, continuous background syncing of files, folders, and directories between multiple devices. There is no central “cloud” server here, so your data is transferred securely between only your own devices.
Passwords
- Bitwarden (Android/iOS/Linux/Mac/Windows/Firefox/Chromium/Web) [FOSS/Paid] – Bitwarden is among the very few “online” password managers that I feel comfortable recommending. One major reason is that it can be self-hosted, if you have the means. If not, I still feel Bitwarden is the best password manager with syncing capability. It's convenient, it has all the bells and whistles you might want (such as auto-fill), and it's a zero-knowledge, open source solution from a reputable company. It's every bit as secure as those syncing their KeePassXC databases with Cryptomator, but significantly easier to manage.
2FA/MFA/OTP
- Authy (Android/iOS/Chromium) [Free] – 2FA is one of the best things you can do for your own security, and Authy makes it pretty simple. Some will be concerned that Authy is not open source, and some will take issue with the fact that your 2FA codes sync with their servers. These are absolutely valid concerns, and for you, there are great options like AndOTP (Android) or KeePassXC (Multi-platform) out there; however, these apps won't sync your access tokens and you are responsible for manually creating your own backups. In my own personal research, I feel comfortable recommending Authy, particularly to those that are apt not to use 2FA due to the inconvenience, as Authy is about as convenient as 2FA gets and it is nearly always better to use 2FA than not. Authy is zero-knowledge and will sync your keys in an encrypted state. By default, Authy can only be used on a single device for your security, but you can opt to sync between multiple devices with a simple toggle in the app settings. If anything ever happens to your device, your access tokens will be backed up securely and automatically, so you don't have to worry about being locked out of an account—just don't forget your backup password.
Contacts & Calendar Sync
- Etesync (Android/iOS/Linux/Mac/Web) [FOSS/PAID] – Etesync is an open source, zero knowledge tool for transparently syncing your contacts and calendars in the background. It's based on DAVDroid, but with some much-needed security enhancements. The syncing itself is encrypted, and then the data is stored in an encrypted state locally. The best part is that you can use any Calendar or Contact apps you like—even the stock ones—and while your data will be displayed in those clients, they cannot actually parse the data. See the FAQ for more information. It's also worth noting that they have recently added note syncing capability, and it is possible to host your own Etesync instance.
Personal Notes / Journal
- Joplin (Android/iOS/Linux/Mac/Windows) [FOSS] – Joplin is a multi-platform note taking solution with markdown support and multiple ways to organize notes. It can be synced securely with your Nextcloud server, via WebDAV, or other cloud storage services. It's the most feature-rich option in this list, as well, and it's completely free and open source.
- Etesync Notes (Android/iOS) [FOSS/Paid] – Still in beta, this is a newly-released alternative to Joplin that syncs directly to your Etesync account. I have not tested it thoroughly, but I can say with certainty that it's a project worth keeping an eye on, at least.
- Standard Notes (Android/iOS/Linux/Mac/Windows) [FOSS/Paid] – This app is open source, but some of the more premium features are locked behind a paywall. For this reason, it's not my app of choice while robust options like Joplin are freely available, but it does offer a slightly different approach and a more elegant interface that many are sure to appreciate.
- Turtl (Android/Linux/Mac/Windows) [FOSS] – I know people who swear by this app. I really wanted to love it, but I have always found this one a bit of a struggle to use, in my personal experience. That said, it is an excellent, highly secure option if it works for you!
Documents
- CryptPad (Web) [FOSS] – The web editors are based on OnlyOffice, my preferred Office suite. I find that it's really easy to edit in the web browser, but it's also quite simple to move local files to the cloud and vice versa.
Cloud Storage
Cryptomator (Android/iOS/Linux/Mac/Windows) [FOSS] – Cryptomator allows you to quickly and easily create an encrypted folder on your local machine. This folder can be synced with any cloud service (NextCloud, OneDrive, Dropbox, etc.) to secure your files and prevent even “big data” cloud providers like Google or Microsoft from knowing what it is that you're storing. This is my own recommendation, but there are alternatives that appear solid, like CryFS.
Cryptee (Android/iOS/Linux/Mac/Windows/Chrome OS) [FOSS/Paid] – Cryptee is a cloud service for storing photos, documents, and other personal data. A meager 100 MB of storage space is offered at no cost, but there are paid plans available up to nearly 2 TB. This is an excellent alternative to Google Photos/Drive and similar cloud storage offerings.
Encrypting Collaborative Projects & File Sharing
Communication for Teams
- Rocket.Chat (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Simply put, this is a free, open source, self-hostable replacement for Slack and other team-based collaborative chat platforms. All communication is E2EE. This platform comes highly recommended for companies, online communities, collaborations, or even just a friendly group chat.
- Jitsi Meet (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Jitsi Meet is an open source tool for video conferencing. It works similarly to Zoom, but performs better and offers a significantly more private and secure experience. If you use Zoom for work, I do recommend looking into whether you could get others on board with switching.
- Wire Pro/Enterprise (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Wire is an open source, Swiss-based tool for private messaging, video chat, and voice chat. You can easily create group chats, perform screen sharing, send GIFs, and more. Of course, all communication in the app is E2EE. It's my preferred alternative to Skype, Teams, and other similar tools. In my personal experience, it has also performed better and provided more stability across all platforms than some of the more commercial offerings. It's a brilliant piece of software and I highly recommend it.
Shared Documents
- CryptPad (Web) [FOSS] – The web editors are based on OnlyOffice, my preferred Office suite. I find that it's really easy to edit in the web browser, but it's also quite simple to move local files to the cloud and vice versa. This suite of tools includes the ability to share documents between teams, with real-time updating and editing capability.
File Sharing
- Onion Share (Linux/Mac/Windows) [FOSS] – Onion Share uses the Tor network to securely and anonymously share files of any size. The other party does not even need to have Onion Share, as long as they have the Tor browser.
- SwissTransfer (Web) [Free] – Temporary file transfer solution for files up to 50 GB. Free and does not require registration. The service is based in Switzerland, so it is protected by Swiss privacy laws.
- Blackhole (Mac/Windows) [FOSS] – BlackHole is a blockchain-based file sharing protocol.
Encrypting Your Files
System Drives
Android
iOS
Linux
Note that you can also opt to encrypt your system during the installation of basically any Linux OS.
Mac
Windows 10
You might also consider using VeraCrypt.
Flash Drives / External Drives
For this, you will use a cross-platform, open source piece of software called VeraCrypt. Just fire it up and let the program guide you. For more detailed information, see the official Veracrypt documentation.
Folders / Partitions
VeraCrypt can handle this, as well.
Hiding Files and Secret Messages in Plain Sight with Steganography
(Coming Soon!)
For my last trick, I'm gonna introduce you to some serious spy movie biz. We're going to learn how to use a form of encryption to hide files and messages inside of other more inconspicuous files. This portion of the guide is not yet finished, and will become available in the near future; however, Android users can get started easily with an app called PixelKnot that will allow you to embed hidden messages in image files. More to come!
Changes
11/01/2020:
- Updated link for instructions on encrypting emails in Thunderbird, as previous link had outdated information. It is no longer required to use Enigmail, as Thunderbird supports PGP encryption by default in recent versions.
- Added link to cloud storage service Cryptee.
- Added link to self-hosted sync service Syncthing.
- Added link to CryFS as possible alternative to Cryptomator.
ORIGINALLY POSTED 10/26/2020.
Contact Me
failsafeprivacy (at) protonmail (dot) ch (PGP) Keyoxide | Mastodon | Reddit
Tags
#guide #tutorial #privacy #security #encryption #software #apps #vpn #tor #stego #opensource