How to Encrypt EVERYTHING

Hello, friends! In the spirit of the EARN IT act seemingly gathering steam in the USA, I've written a detailed guide on how to encrypt, well... everything. Welcome to a lengthy blog post overstuffed with hot, sticky, sweet and sour cryptography. Bon appétit.

I will be attempting to update this post somewhat regularly, so check back from time to time! I'll be sure to make it known when I've updated.

As always, I welcome your input—if you agree, disagree, have additions, have questions—please speak up! Feel free to reach out to me on social media or by email (details at bottom of post). Let's talk and learn from each other. I'll try my best to respond as much as I can, even if it takes me a little bit of time to do so. :)


UPDATED 11/01/2020 (See Changes)




Encrypting Web Traffic

There are currently two excellent, widely used ways to encrypt your web traffic on its way out of your network: a VPN and Tor. Let's talk about both. Neither one encrypts traffic all the way to the website (that is still HTTPS's job); what they do is encrypt the hop your ISP can see and hide your real IP address from the destination. I will also touch on DNS encryption at the end of the section.

VPN

VPN stands for Virtual Private Network, and a good, trustworthy VPN is an indispensable tool in the fight for privacy. A VPN will generally allow you to access a collection of servers across multiple countries and continents. You may have seen people using VPNs to access Netflix or YouTube content from different regions, which is definitely a nice perk, but not why I'm bringing them up.

When you connect to a website, your IP address is logged. We could dive deeper into why this might be problematic, but if you're reading this, I'm assuming you've already got some semblance of an idea. In very short terms, that IP can be used to track you around the web, from site to site, mostly for marketing purposes (and potentially for reasons more sinister). A VPN worth its salt will encrypt your request to connect to a site, and any other data you may be uploading, inside a tunnel to a remote server; the server strips the tunnel layer and forwards the traffic where it's meant to go (anything the site protects with HTTPS stays encrypted both inside the tunnel and beyond it). The beauty of this is twofold:

  1. Your true IP address will not be revealed to the sites you visit, as they will only see the remote server's IP, which hundreds or thousands of other users' connections share daily, effectively obscuring your identity and habits online.
  2. Your ISP (Comcast, TWC, Century Link, AT&T, Verizon, etc.) will only see your encrypted traffic headed to a single remote server, and not where it goes after. They can still see when you connect and roughly how much you transfer, but they have no idea what you're doing on the web.

This is not a foolproof method of achieving anonymity, however. Why? Because your VPN provider can see your true IP and every destination you connect to through it (and the contents of anything not protected by HTTPS). This is where things get tricky, and why it's so crucial to use a reputable VPN service.

I can make a few recommendations on VPNs I've found worthy of my own trust, but first I want to detail a couple of the important factors that I look for in a VPN:

Luckily, comparing all of these traits and more has been made easy by That One Privacy Guy through the detailed VPN comparison chart on his site, aptly named That One Privacy Site. Use this resource, please.

My Recommendations: I personally feel comfortable using and recommending Mullvad, Proton VPN, Nord VPN, or Mozilla VPN (which piggybacks on Mullvad's servers).

A Note on PIA: I was a Private Internet Access user for a long time, but many are unaware that they were recently purchased by Kape Technologies, a less-than-reputable PLC that, at one time, created adware and has since rebranded as a “cybersecurity” company. I am not aware of any major changes to their policies since the acquisition, so they may still be a fine service, but the purchase was a major red flag for me and I can no longer comfortably recommend the service.

You can also host your own VPN (for example, WireGuard or OpenVPN on a rented server), but this is only recommended if you have the knowledge and means to do so properly, for your own security. Keep in mind what it does and doesn't buy you: it hides your traffic from your ISP, but the server's IP is rented in your name and used by you alone, so it does not hide your identity from the sites you visit the way a shared commercial VPN server does.

Tor

Tor differs from a VPN in a few key ways. Tor is the onion routing network: a free, global network of volunteer-run relays, maintained by the nonprofit Tor Project on donations, which you usually access through the Tor Browser (other clients exist, such as Orbot on Android and the tor daemon itself). When you connect, your traffic is wrapped in three layers of encryption and routed through a circuit of three relays (a guard, a middle, and an exit) BEFORE it reaches the site. Each relay strips one layer and learns only the hop before and after it: the guard sees your IP but not your destination, the exit sees your destination but not your IP, and the exit can read the traffic itself only if the site isn't using HTTPS. While you can use the Tor Browser to access “Clearnet” (or “normal”) websites, it also offers the ability to visit onion sites (onion services). These are sites accessible only via the Tor network, and the connection never leaves Tor, so there is no exit relay in a position to eavesdrop.
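To make the "each relay only learns its neighbours" property concrete, here is an added example (not Tor's own code, and not part of the original post). Tor negotiates a real AES key with each relay through a handshake; here the three hop keys are constructed constants, the relay names are placeholders, and keystream_xor() is a toy SHA-256 keystream cipher, so what is demonstrated is the layering, not the cryptographic strength.

```python
"""Onion-layered relay of one message through a three-hop circuit."""
import hashlib
import json

# Constructed per-hop keys, standing in for keys agreed with each relay.
GUARD_KEY = hashlib.sha256(b"constructed key shared with guard").digest()
MIDDLE_KEY = hashlib.sha256(b"constructed key shared with middle").digest()
EXIT_KEY = hashlib.sha256(b"constructed key shared with exit").digest()
CIRCUIT = [("guard", GUARD_KEY), ("middle", MIDDLE_KEY), ("exit", EXIT_KEY)]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i).
    XOR is symmetric, so the same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_onion(circuit, payload: bytes) -> bytes:
    """Client side: the innermost layer is for the exit and names the destination;
    every outer layer is for the previous relay and names only the next hop."""
    inner = json.dumps({"next": "destination", "data": payload.hex()}).encode()
    blob = keystream_xor(circuit[-1][1], inner)
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        next_hop = circuit[i + 1][0]
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = keystream_xor(key, layer)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip one layer, learning the next hop and an opaque inner blob."""
    layer = json.loads(keystream_xor(key, blob).decode("utf-8"))
    return layer["next"], bytes.fromhex(layer["data"])


def can_read(key: bytes, blob: bytes) -> bool:
    """True only if `key` belongs to the outermost remaining layer of `blob`."""
    try:
        peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def run_circuit(circuit, payload: bytes):
    """Simulate the forward path and record what each relay observes."""
    blob = wrap_onion(circuit, payload)
    views, previous = [], "client"
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        views.append({"relay": name, "from": previous, "to": next_hop})
        previous = name
    return views, blob  # blob is now the plaintext handed to the destination


if __name__ == "__main__":
    observed, delivered = run_circuit(CIRCUIT, b"GET / HTTP/1.1")
    for view in observed:
        print(view)
    print(delivered)
```

Running it shows the guard's view as client to middle, the middle's as guard to exit, and only the exit's as pointing at the destination, while the guard key cannot open anything but the outermost layer. Note what it also shows: the exit receives the plaintext, which is why HTTPS still matters inside Tor.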

Both Tor and VPNs are exceptional tools for privacy, and while there's a bit of overlap, they both have unique strengths that will make them each better suited for different use-cases. Here is a more technical breakdown to help decide if a VPN or Tor is better for you.

For more information on using Tor, see my recent post on How to Get The Most Out of Tor in 2020.

VPN + Tor?

So if VPNs are good, and Tor is also good, wouldn't they be better together? This is where things get a little messy, because it depends on who you ask. Many very knowledgable folks make the argument that using a VPN with Tor can compromise your anonymity. I personally subscribe to the idea that using Tor over a VPN (not the other way around) can significantly improve your anonymity, and here is my reasoning:

  1. Your ISP can see that you're connecting to Tor (the guard relays are publicly listed), so going VPN > Tor means your ISP only sees a connection to the VPN server, not the Tor network.
  2. As far as data transfer, your packets will go VPN server > Tor guard > Tor middle > Tor exit > target site, so whether or not you use a VPN, the site you're connecting to is only going to see the IP of the Tor exit node, not the VPN server's IP.
  3. Without a VPN, the guard (entry) node sees your real IP. With a VPN in front, it sees the VPN server's IP instead. That only helps if the VPN provider is truly logless and you pay for the service by reasonably anonymous means; otherwise you have just moved the party that can link you to your Tor use from the guard to the VPN.

As far as I can tell, if done right, the only downside would be a terribly slow connection (VPNs and Tor will both take a hit on your connection speeds). Since there are some valid arguments for both sides of this old, rusty coin, I will not give you a definitive answer on whether it's right for you. Luckily, a community-managed wiki for The Tor Project has created an excellent post on this subject, so I highly recommend giving it a read.

If you have any thoughts on this, please let me know. Let's discuss! I'm here to learn, too.

DNS Requests

A Domain Name System (or DNS) server works much like an old-school phone operator. When you type reddit.com into your browser, you are calling in to say, “Hello, I would like to be connected to my old pal, Reddit.” The operator then looks up the phone number (IP address) for Reddit and helps direct the connection. If you had no idea what a DNS server was, you are most likely using the DNS provided by your ISP. Many may also be using Google's DNS, as it's quick and reliable. In both cases, your DNS requests (that is, the names of the sites you are trying to visit) travel unencrypted and are logged by a third party. This lookup happens before any HTTPS connection is made, so even a site served entirely over HTTPS still reveals its name to anyone watching your DNS. Much like a VPN, it is possible to host your own private DNS resolver. This is a great option if you have the know-how and the resources to set it up properly, but it won't be the most accessible option for many.
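To see what "unencrypted" means here, the following added example (not from the original post) builds a standard RFC 1035 query for reddit.com and then parses the name straight back out of the raw bytes, which is exactly what anyone on the path (your ISP, a coffee-shop router) can do with a plain port-53 query. The transaction ID is a constructed constant, and dot_framed() shows the only change DNS over TLS makes to the message itself before wrapping it in TLS.

```python
"""Build a plain DNS query and read it back the way an on-path observer would."""
import struct

DNS_HEADER_LEN = 12


def encode_name(hostname: str) -> bytes:
    """Hostname -> sequence of length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(hostname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query: header (RD bit set, one question) + question section.
    qtype 1 = A record; the trailing class field is 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(hostname) + struct.pack("!HH", qtype, 1)


def decode_name(packet: bytes, offset: int):
    """Parse labels starting at `offset`; return (name, offset after the terminator)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer: not expected in a query's QNAME")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def observe(packet: bytes) -> dict:
    """Everything a passive observer learns from one unencrypted query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = decode_name(packet, DNS_HEADER_LEN)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {"txid": txid, "qname": name, "qtype": qtype, "qclass": qclass,
            "recursion_desired": bool(flags & 0x0100)}


def dot_framed(packet: bytes) -> bytes:
    """DNS over TLS (RFC 7858) sends the identical message, prefixed with a
    2-byte length, inside a TLS session on port 853; the observer then sees
    only TLS records, never this content."""
    return struct.pack("!H", len(packet)) + packet


if __name__ == "__main__":
    query = build_query("reddit.com")
    print(query.hex())      # the label bytes "reddit" and "com" are plainly visible
    print(observe(query))
```

The hex dump makes the point without any tooling: the ASCII of the hostname sits in the clear in the middle of the datagram. DoT, DoH, and DNSCrypt all leave this message alone and instead hide it inside an encrypted transport.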

For those that use a VPN, many VPN providers include their own DNS resolver and route your lookups through the tunnel. This is great! It means you don't have to do anything special while the VPN is running. If your provider offers DNS leak protection, note that switching on DNS over TLS or DNS over HTTPS in your browser or OS at the same time sends your lookups to a different resolver instead of the VPN's own, so the two settings work against each other; pick one and run a leak test afterwards.

If you are not using a VPN with an included DNS, or are still in need of a quick and easy solution, there are lots of DNS choices out there, so I've narrowed them down to a few that I have found to be reputable enough. You'll want to make sure that the provider you choose validates DNSSEC and supports an encrypted transport, such as DoT (DNS over TLS), DoH (DNS over HTTPS), or DNSCrypt, which the rest of this section recommends (see the chart below for more info). Note that these solve different problems: DNSSEC lets your resolver verify that answers are genuine, while DoT, DoH, and DNSCrypt hide the questions from anyone between you and the resolver.

Provider      Location   Logging   DNSSEC
Quad9         USA        Minimal   Yes
DNS.WATCH     Germany    None      Yes
Snopyta       Finland    None      Yes
Cloudflare*   USA        Minimal   Yes

*Please note: Cloudflare claims that their logging is extremely minimal. Regardless, many users around the internet do not trust them as an organization. I have been unable to find enough evidence to make a truly informed recommendation regarding Cloudflare's reputability, but I am including them because, at this time, they at least appear to be committed to offering a private, secure alternative DNS. They are also the fastest DNS out there by a notable margin. I personally would opt for another choice—such as Quad9—in the interest of privacy, but I did want to include this one as a more private alternative to Google DNS for the performance freaks.

You can find a much more comprehensive comparison chart with more options, where I borrowed some of this information from, on PrivacyTools.io. As mentioned above, DNSCrypt is highly recommended. To use it, you need only download a client (dnscrypt-proxy) from their website and run it. In the client, you can typically select from numerous supported DNS options, but while they are all secure options, not all of them are necessarily the most private options. This is why it's important to look over the supported choices on sites like PrivacyTools and go in knowing what you're using.

If you choose not to—or are unable to—use the DNSCrypt client on your chosen device, here is a quick and dirty guide to change your DNS server on any device courtesy of HowToGeek.


Encrypting Communications

For some, like journalists and whistleblowers, encrypted communications are vital to their work—and in some areas, their survival. For others, we simply don't want our private messages parsed for marketing data. Both cases are completely valid. I firmly believe that everyone has a use for legitimately private communication and that it should be easily obtainable. As of today, fortunately, it is for many of us.

Here are some recommendations for a mix of paid services and FOSS (free and open source software) for communication that provide E2EE (end-to-end encryption*). What this means is that all communications are encrypted on your device (“client-side”) and decrypted only upon arriving at the receiver's device. E2EE exists to promise the user a zero-knowledge service, meaning that even the company themselves cannot read your messages, nor could any government-based or malicious actors that compromise their servers. Message content can only be deciphered on your physical device; how much metadata (who talked to whom, and when) the service can still see varies by tool, so check that separately.

*Please note that for all of the following, the other user must use the same tool in order to get the most protection from them.

SMS/MMS and Voice Calls

Email

If you are communicating with another individual that is not also using your same secure email provider, you can still use PGP encryption to secure your communications. Here's a great guide to getting started with PGP in Mozilla Thunderbird, which should work with almost any email provider. If you opt to use ProtonMail, they also allow you to send PGP encrypted emails very easily, right in the web browser! Here is their guide for PGP with non-ProtonMail users. Keep in mind that PGP encrypts only the message body and attachments: the subject line, sender, recipients, and timestamps still travel in the clear.

Private Messaging, VoIP, and/or Video Chat


Encrypting Synced Data

We sync a lot of data with the cloud. Like, a lot a lot. Contacts, calendars, notes, photos, etc. These details could be particularly sensitive, as they are quite personal. This information is regularly collected by many of the apps you have on your phone (and by your phone's own operating system) to generate a targeted-marketing profile on you. It's also generally stored in a form the provider can read, making it vulnerable to anyone who compromises the provider's servers, your account, your device, or a network to which you're connected. Luckily, we can fix this.

All-in-One Solution

Passwords

2FA/MFA/OTP

Contacts & Calendar Sync

Personal Notes / Journal

Documents

Cloud Storage


Encrypting Collaborative Projects & File Sharing

Communication for Teams

Shared Documents

File Sharing


Encrypting Your Files

System Drives

Android

See here.

iOS

See here.

Linux

See here.

Note that you can also opt to encrypt your system (usually LUKS full-disk encryption) during the installation of basically any Linux distribution.

Mac

See here.

Windows 10

See here.

You might also consider using VeraCrypt.

Flash Drives / External Drives

For this, you will use a cross-platform, open source piece of software called VeraCrypt. Just fire it up and let the program guide you. For more detailed information, see the official VeraCrypt documentation.

Folders / Partitions

VeraCrypt can handle this, as well.


Hiding Files and Secret Messages in Plain Sight with Steganography

(Coming Soon!)

For my last trick, I'm going to introduce you to some serious spy-movie business. We're going to learn how to hide files and messages inside other, more inconspicuous files. Strictly speaking this is steganography, not encryption: it conceals the fact that a message exists rather than scrambling its contents, so if the contents must also stay secret, encrypt them first and hide the ciphertext. This portion of the guide is not yet finished and will become available in the near future; however, Android users can get started easily with an app called PixelKnot that will allow you to embed hidden messages in image files. More to come!
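As an added illustration of the idea (not from the original post, and not PixelKnot's method, which uses F5, a JPEG/DCT-domain scheme), here is the simplest form of image steganography: writing the message into the least-significant bit of each colour byte of an uncompressed RGB image. The cover image is a constructed gradient so the example runs without any file input; LSB embedding survives lossless formats such as PNG or BMP but is destroyed by JPEG compression.

```python
"""Least-significant-bit steganography in raw RGB pixel data."""
import struct


def make_cover(width: int, height: int) -> bytearray:
    """Constructed RGB gradient standing in for a real photo (3 bytes per pixel)."""
    return bytearray(((x * 7 + y * 3 + c * 11) & 0xFF
                      for y in range(height) for x in range(width) for c in range(3)))


def hide(cover: bytes, message: bytes) -> bytearray:
    """Embed a 4-byte big-endian length followed by the message, one bit per cover byte."""
    payload = struct.pack("!I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d"
                         % (len(payload) * 8, len(cover)))
    stego = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return stego


def reveal(stego: bytes) -> bytes:
    """Read the length header, then exactly that many bytes, from the LSBs."""
    def read_bytes(count: int, pos: int):
        out = bytearray()
        for _ in range(count):
            value = 0
            for _ in range(8):
                value = (value << 1) | (stego[pos] & 1)
                pos += 1
            out.append(value)
        return bytes(out), pos

    header, pos = read_bytes(4, 0)
    (length,) = struct.unpack("!I", header)
    if length * 8 > len(stego) - pos:
        raise ValueError("no valid payload header (wrong image, or nothing hidden)")
    body, _ = read_bytes(length, pos)
    return body


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between cover and stego; LSB embedding gives 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def to_ppm(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw RGB bytes in a binary PPM header so the result can be viewed
    or converted to PNG with any image tool."""
    return b"P6 %d %d 255\n" % (width, height) + bytes(pixels)


if __name__ == "__main__":
    cover = make_cover(64, 64)
    secret = b"meet at the usual place, 9pm"
    stego = hide(cover, secret)
    assert reveal(stego) == secret
    print("max per-byte change:", max_pixel_change(cover, stego))
    with open("stego.ppm", "wb") as fh:
        fh.write(to_ppm(64, 64, stego))
```

Two caveats worth knowing before relying on anything like this: the per-byte change of at most 1 is invisible to the eye but not to statistics, since straightforward LSB embedding is detectable by steganalysis tools; and, as the paragraph above says, the hidden bytes are not encrypted, so hide ciphertext rather than plaintext.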


Changes

11/01/2020:

ORIGINALLY POSTED 10/26/2020.


Contact Me

failsafeprivacy (at) protonmail (dot) ch (PGP) Keyoxide | Mastodon | Reddit


Tags

#guide #tutorial #privacy #security #encryption #software #apps #vpn #tor #stego #opensource