How to encrypt data before storing it in the cloud (and why you should)

By Cale Hunt
published

Are my files encrypted when I save them to the cloud?

After another round of high-profile celebrity hacks, it's clear that cloud storage isn't exactly as safe as it's made out to be. It's easy to sync your files with a service such as OneDrive or Dropbox, but it's also easy to forget about those files down the road. You may have deleted some sensitive photos from your phone, but they still ended up synced in the cloud, and now they're in the hands of a hacker.

Let's take a look at how your cloud data can be potentially compromised and how you can add another layer of protection by encrypting them before they reach the cloud.

Cloud-storage encryption

There are two forms of encryption when you're dealing with cloud storage services: transit and resting. When your files travel between your PC and a cloud service, the files and folders you upload are generally encrypted with at least 128-bit secure sockets layer (SSL) technology.

When your data is resting in storage, however, there is less of a chance that it will have encryption, and if it does, the cloud service will likely hold the key. In the case of OneDrive, only those with a business subscription can take advantage of resting encryption. Dropbox, on the other hand, provides resting 256-bit encryption, but it holds the encryption keys.

Encryption of your data, while it's in transit and comfy in the cloud, works great against brute-force attacks. It would take a supercomputer years to crack the 256-bit encryption. It's much more likely that failure on the user side will involve a phishing attack or a weak password that can be guessed by an interested party. If your account can be accessed through the front door, decryption isn't necessary.

Keeper of the encryption keys

To otherwise unscramble the encrypted data, a key is needed. Each time data is encrypted, one of these keys is created and is saved somewhere. Many online backup services — which are separate from cloud-sync services — let you create the encryption key and take responsibility for keeping it safe. If you lose the key, say goodbye to your backed up data.

Cloud storage services used for syncing and sharing, such as Dropbox, do not provide users with the option to create their own encryption keys. It's up to the user to trust the service with creating and safeguarding the key. There's less of a chance that you'll end up locked out forever because you forgot that key, but there's also a chance that the service itself will be compromised, in which case the entire thing is out of your hands. Bottom line: No matter how careful you are, things can go wrong when someone else holds the keys.

Encrypt your data before it reaches the cloud

Some people refuse to use cloud storage because of security concerns. Others claim they have nothing to hide and wouldn't care if their files were released to the general public. Regardless of your opinion, it's not a bad idea to use protection on the internet. It's not getting any safer out there, and people can take advantage of the smallest bits of information.

Yes, it's just another thing you have to worry about, but encrypting your data yourself before sending it to the cloud will help protect you. You don't have be a whiz to perform this extra step. Encryption software is generally easy to use, you can create a unique encryption key that only you hold, and most options work well with popular cloud-storage services. Even if you don't want to pay, there are plenty of free encryption tools out there.

Services such as AxCrypt and Folder Lock, both of which are PCMag editors' choices, have free, basic versions of their software, and they also offer paid subscriptions that come with plenty more features, including local disk encryption to help keep things safe on your end.

There are a ton of free alternatives that can encrypt one file at a time before sending them to the cloud. 7Zip and Boxcryptor are standouts in this arena.

More resources

For more information on creating strong passwords and avoiding phishing, check out our full guide on how to ensure your cloud data remains safe. And if you're interested in full cloud backups of your PC, have a look at our choice for the best online backup service.

Cale Hunt
Cale Hunt
Senior Editor, Laptop Reviews

Cale Hunt is a Senior Editor at Windows Central. He focuses mainly on laptop reviews, news, and accessory coverage. He's been reviewing laptops and accessories full time since 2016, with hundreds of reviews published for Windows Central. He is an avid PC gamer and multi-platform user, and spends most of his time either tinkering with or writing about tech.

39 Comments
  • .
  • MS could do with adding this to onedrive, they have bitlocker, so why not allow a bitlocker generated key to encrypt online.
  • I'm not a programmer, just an observer. In current day software programming practices (is it called "fail fast"?) I would worry that the software encryption wouldn't be rock sold and we would lose data.
  • encryption is a fairly mature technology though. as long as the data itself doesn't get corrupted, i would think its fine, particularly if the user is the keymaster. it has just as much possibility of getting corrupted at rest now as it would if it were encrypted and backups would mitigate that risk, which i'm fairly certain Microsoft has.
  • who the hell trust MS Bitblocker?   
  • Oh I don't know, the hundreds of thousands of government and private organizations that use it. Example: A health care provider has a laptop stolen that contains medical information. No BitLocker =Data Breach. BitLocker installed=No breach, just an incident. Big difference...
  • Problem is that a lot of their - and other cloud services - relies on the fact that they can search and reuse the data. Onedrive without the possibility to search, look in photo streams / albums, share it with other people or even retrieve the data on someone elses computer that has no decrypt software installed renders much of the features useless. You get a simple backup drive, but you could do this and better with services like crashplan...
  • Great but nobody's hacked iCloud, Dropbox or OneDrive. They've phished the passwords out of stupid celebs or their PAs/entourage which as you say when you leave the front door open encryption's a bit moot. Not knocking encryption but linking it to celebs being scammed and moaning that sync services don't let customers set their own keys (which would be counterproductive in their support of supporting law enforcement) is a bit weak. 
  • Alec, there is no way to actually know if the cloud service providers have been compromised, of course, passwords get compromised all the time.   As far as cloud data service providers, based on the leaked documents from Snowden and other its is very apparent the big multi-national corporations are providing government access, so no hacking is really necessary.   Nothing really stopping 100+ countries from ordering the big data companies to provide all data from their systems on a global basis with an attached gag order.   Unless the end user/corporation controls the separate means of encryption... you have to assume going forward there is a real possibility your personal andor corporate data is available to a wide audience... from which you have no ability to control time when the data can be deleted.   Generally speaking, what is to stop China from ordering MS to provide a backdoor to all their cloud data service with a gag order?  Generally, I can't think of anything... you must assume your data is being provide numerous countries and from there those governments can distribute however they feel like.   That is true danger of these multi-national data companies.
  • Tin foil hat?
  • Well icloud not having any bruteforce protection was something nobody would have ever imagined, there must be some serious monkeys working at apple
  • Boxcryptor is good, plus its in Germany.
  • if the front door's open, encryption is actually the only thing that would save you. if you get in the front door and there's a gigantic maze between you and my valuables, it makes the front door security *less* important (but obviously still important).
    Edit: And if they don't want customers to have their own keys so that they're able to help law enforcement, that makes me trust them less and therefore making encryption even more important. And no one is saying that this would have stopped the celebrity hacking, but to say that it wouldn't is a bit naive. if i get your password but all your data is encrypted at rest, it doesn't matter that i got your password. i need to get a second password that you theoretically use even less or not at all and generally tools generate it for you, so its probably even more secure. so all in all, i pretty much disagree with your entire post. Second Edit: Oops. this was supposed to be in response to Alec Glen.
  • This is great for static archived data, but a lot of the benefit of the cloud is to have that data available to multiple applications across multiple devices. Unless every application has the keys, you lose that. I just generally go with the rule to not put anything sensitive in the cloud.
  • If you use two factor authentication, is it really necessary to also encrypt the data rested? I mean when you can't get logged in, does it have added value?
  • If the cloud service itself were hacked such that access to any file was granted to a hacker, then yes, you would still need to have the data encrypted to prevent that hacker from reading your data.  Two factor authentication helps prevent unauthorized access via normal channels (i.e., login).
  • Also it wouldn't help if the service itself was giving away or selling your data
  • Never have, and never will trust any public cloud storage. Any app that forces such shi*t on users is useless as garbage to me. Local SSD + NAS ftw.
  •   I chose CrashPlan for cloud backup because of the value and because their software on my side encrypts the data before it leaves my house. CrashPlan does not have the key; I do and it is complex. So if one of their employees goes rougue, he or she cannot steal their customers' password database (Did that happened with DropBox a while ago??). Of couse if I lose the password, I cannot get to my own archive. Frank
  • Someone needs to make a simple solution for this. The reason that people don't use it is that it takes a little technical know how and there are certain situations that can be painful.
  • The reason that people don't use it That's a very sweeping assumption.
  • Don't trust the cloud with your data .. PERIOD ..
  • Cloud services are convenient. The local sync agents take care of the uploading so you don't have to. Now if I have to encrypt every file before it goes to the cloud your are making these agents redundant and also forcing users to encrypt and send. This will mean less stuff going to the cloud because it's no longer convenient... Convenience comes on many forms: Sharing/editing documents across devices, sharing documents between colleagues, photo backup, music backup/streaming (eg Groove). If you take that extra step to encrypt before uploading, all these convenient features suddenly stop working. That's why those cloud providers that do encrypt retain the keys, so the service remains convenient. If I own the key, sure it will be far more secure. Until I have to share that key with multiple devices which will usually mean either me emailing it to myself or storing it somewhere convenient so I can find it easily... There's a pattern here. We all want security, but we also want convenience. Sadly compromising one with the other leads us back to where we started!
  • If you just want to archive your stuff Amazon Glacier is the best. It encrypts your data during transfer and at rest. All my Windows PCs backup to a NAS. My NAS then backs up to Amazon Glacier, everything gets fully encrypted automatically. Basically if my NAS blows up or house burns down all my data is still recoverable.
  • Who has the key?
  • Thank you for this article. This is exactly something I, as a technical security consultant, have to always preach. Encryption is great, but if you don't have the key, someone else has the ability to access your data.
  • Oh hey security guy, I work on the privacy side of things for a state agency. People are only going to encrypt and secure files if they have to. Even then it's a crap shoot, you don't want to know how many medical providers don't even have secure email, smh...
  • I hear you. I have no doubt this isn't being done, especially in the world under HIPAA. Hey getting people to do it keeps me employed, though. If the world were a secure place, I wouldn't be needed.
  • Please stop recycling articles.
  • But doesn't 2-step authentication make encryption unneccesary to some degree? If the concern is a weak password, if you enable 2-step verifcation on both your Microsoft and Google accounts, the hacker would need your password and either your phone or another trusted device to receive the texted password (or use the verification APP).   Should that not eliminate to a large degree the concern of getting your password hacked?  I'm curious to know what others think-- I'm not a security or IT expert by any means.  Still, I think everyone should enable 2-step verification to give that extra layer of protection.  
  • If a hacker or system administrator (e.g employee of Google or Microsoft) has direct access to the cloud server (which they will) they can freely copy your data, your two factor protection is useless in this scenario :) They dont need your account credentials as they have access to the cloud server file system. However if your files are encrypted on there they wont be unable to read it :)
  • ok that make sense. I was speaking on the "weak password" front. is there a way to auto encrypt files before they are uploaded? It seems tedious to have to do it each file.
  • I just don't upload any sensitive information to the cloud.
  • You don't even know how much sensitive is the data you upload and don't consider sensitive
  • One of my favorite options, is to use a Synology NAS with your own encryption key's and sync to your prefered cloud storage. Can never have enough backups.
  • How do you create your own encryption keys on a Synoplogy NAS?
  • It has a built-in app for managing key-pairs, and is pretty solid in this department.  I use this method as well. What you do with the keys (which backup app, etc) is a different exercise.
  • Yet another useless clickbait article. So where's the "How to encrypt data before storing it in the cloud" information? This is a basic, general info article that tells me nothing on how to actually do it. But hey -- make sure you throw in dozens of ads, Windows Central. Apparently that's the only purpose of these "help" articles lately.
  • Amazon probably has the key but I am not concerned as my data is photos and videos. My more sensitive stuff like passwords and banking details are synced to OneDrive automatically using Enpass which uses 256bit AES encryption, only I hold the master key for that.