File Encryption — What to encrypt & how

Practical guidance for everyday users: what to encrypt, cloud-provider risks, and friendly tool recommendations.

Quick rule of thumb

If exposing a file would cause *harm, identity theft, financial loss, legal risk,* or *embarrassment*, encrypt it before storing or sharing.

Files you should encrypt

  • Passports, driving licence, national ID scans.
  • Bank statements, tax returns, payslips, investment records.
  • Passwords, API keys, SSH private keys, configuration files.
  • Client/customer data or confidential work documents.
  • Medical records and private health notes.
  • Personal journals, intimate photos, or anything private.

Files you usually don’t need to encrypt

  • Public media (music, videos) and software installers.
  • General study notes with no personal data.
  • Files you plan to share publicly anyway.

Cloud providers & how to think about them

Most mainstream cloud services encrypt data in transit and at rest — but that doesn’t always mean only you can read the files. Understand the difference between provider-managed keys and client-side (zero‑knowledge) encryption.

Apple iCloud

iCloud encrypts most data on Apple’s servers, but Apple manages the encryption keys for many items by default, which means Apple can assist with recovery and — in certain circumstances — access the data. Apple has offered an optional Advanced Data Protection (end-to-end) feature in some regions that makes iCloud data readable only by the account owner, but availability and legal/regulatory changes may affect how that works in your country.

Dropbox

Dropbox encrypts data at rest and in transit but can manage the keys (so Dropbox can assist with recovery or respond to legal requests). Dropbox offers more advanced key management for business customers and there are client-side tools that add zero‑knowledge encryption on top.

Google Drive

Files on Google Drive are encrypted in transit and at rest using strong encryption. Google Workspace offers client-side encryption options for organisations, but for typical personal accounts Google controls the storage keys by default.

Bottom line: if you want cloud storage where the provider can’t read your files, use client-side (zero-knowledge) encryption before upload.

Recommended tools — friendly & practical

  • Cryptomator — easy client-side, file-level encryption designed for cloud storage; works well with Dropbox, Google Drive and many others.
  • VeraCrypt — create encrypted containers or full-disk encryption for advanced local protection.
  • 7‑Zip — quick encrypted archives using AES-256 for one-off uploads.
  • Built-in disk encryption — BitLocker (Windows) or FileVault (macOS) for lost/stolen device protection.

Practical tips

  • Encrypt before you upload. Client-side encryption keeps the provider from reading content.
  • Use a strong, unique passphrase or use a password manager (separate from cloud storage).
  • Keep a secure backup of your recovery key — losing it often means losing access forever.
  • Prefer per-file encryption (like Cryptomator) if you want selective sharing without decrypting large containers.

Simple setup guide (Cryptomator + cloud)

  1. Install Cryptomator on your device (Windows/macOS/Linux/iOS/Android).
  2. Create a new vault and choose a password you won’t forget; write the recovery phrase down and keep it safe.
  3. Point the vault location to a folder synced by your cloud client (Dropbox/Google Drive/OneDrive).
  4. Lock the vault when finished; the cloud client will only see encrypted files and cannot read the contents.

  # Example: quick 7-Zip command to create an encrypted archive
  7z a -t7z -p -mhe=on secure-files.7z /path/to/folder
  # -p with no value prompts for the password instead of leaving it in your shell history;
  # -mhe=on also encrypts the archive header, so file names are hidden as well as contents

For whole-disk protection on a laptop, enable BitLocker (Windows) or FileVault (macOS) — these protect the device if lost or stolen, but do not stop cloud providers from seeing files uploaded without client-side encryption.

Checklist before you upload