Recommendation for encryption software solution without these issues

Hello,

I have found the following major security issues with all the encryption software I have tried thus far:

1.

The original encrypted file is decrypted when using the software by entering the encryption password, and when shutting down the app the file is re-encrypted. However,  in the event of an unexpected termination of the software (power loss, battery failure, app crash, etc.) the app does not re-encrypt the decrypted file (and cannot re-encrypt it, as it has terminated unexpectedly), and it thus sits there on your hard drive in unencrypted form until you hopefully notice that it didn't get re-encrypted.

2.

Upon entering the decryption password, the software creates a temporary file copy of the decrypted file and stores it in AppData or Temp or some other place, leaving the original file safely encrypted.  However, in the event of an unexpected termination of the software (power loss, battery failure, app crash, etc.) the app does not delete this temporary file (and cannot delete it, since it has terminated unexpectedly), and it thus the temp file sits there on your hard drive in unencrypted form until you hopefully notice that it didn't get deleted.

Additionally, almost all apps seem to require an online sign-in, which I don't want either.

In summary, I'm looking for encryption software which meets the following requirements:

1. Can encrypt selected files//folders, and does not require entire partitions/drives to be encrypted.

2. Does not suffer the above problems from unexpected shutdowns. Veracrypt solves this for example by only opening files in RAM in unencrypted form. No temp files etc. The problem with Veracypt, as I understand it, is that you can't encrypt selected files and folders around your hard drive. You have to encrypt a whole drive.

3. Encrypts and decrypts locally. No internet connection or sign-in to company servers required.

4. Open source.

5. Available on Windows.

Preferably the following if possible:

5. Automatically re-encrypts open files if lockscreen is shown, or is PC goes to sleep or hibernates.

6. Re-encrypts automatically after optional time period eg. 5 hours.

7. Portable version available.

Thanks for any suggestions.

Hello @califauna

Except for validating the GPG/PGP signed files of others, I have not looked into GnuPG in a long time.

https://gnupg.org/

HTH

Bump.

Any suggestions appreciated.

Hi,

Xecrets File Ez is *almost* there... It does indeed decrypt to a temporary location, but, in the event of an unexpected crash or termination it will still remember the fact that it's in need of re-encryption/wipe if unchanged. So you don't have situation you describe of it sitting there "there on your hard drive in unencrypted form until you hopefully notice that it didn't get deleted". As soon as you re-open Ez, it'll inform you that you have an open file, and it'll wipe/re-encrypt it when you exit or close it with a single click.

 

1. Can encrypt selected files//folders, and does not require entire partitions/drives to be encrypted.

2. Does not suffer the above problems from unexpected shutdowns. Veracrypt solves this for example by only opening files in RAM in unencrypted form. No temp files etc. The problem with Veracypt, as I understand it, is that you can't encrypt selected files and folders around your hard drive. You have to encrypt a whole drive.

3. Encrypts and decrypts locally. No internet connection or sign-in to company servers required.

4. Open source.

5. Available on Windows.

 1 - Yes.

 2 - Partially, as described above. We could probably add features with auto-start and auto-check of this case if there's enough demand. But it's really hard to 100% handle the case of someone pulling the power for example. Something will likely be left somewhere. You can improve the situation by EFS-encrypting the temporary location, and/or assign %TEMP% to a RAM-drive.

 3 - Yes. Absolutely no Internet is needed or used. No server sign in. 100% local. No Internet connection used under any circumstance.

 4 - All the actual encryption is done with an open source CLI, that you're welcome to inspect, recompile or modify. Then there's a GUI frontend, that's the "Ez" part.

 5 - Available on Windows, Linux and macOS. It's entirely portable, no installation, just unzip and run from wherever.

Check it out at https://www.axantum.com/ and https://github.com/xecrets/xecrets-file-cli .

Full disclosure - I am the author of said software .

Sounds good, except the files leftover on the drive bit after an unexpected shutdown.  The automatic check feature is good, but this assumes one runs the software again, which might not happen for a while (or potential ever).  It means one has to remember to open the app instead of remembering to delete files. Better perhaps, but still very insecure (in my opinion) when you're talking about very sensitive/private/important information.

I'll bear your software in mind, and good luck with the development. However, I've read that Veracrypt gets around this somehow (opening files in RAM I believe) and if that turns out to be correct I would have to go with veracrypt.

Hi! Yes, indeed, there's always the case of the left overs after a crash and no restart. Regardless of the software you use, I do believe you'll get very close to your goal if you either use EFS encryption on the temporary folder (i.e. %TEMP% or a subdirectory thereof), and/or if you create a RAM-drive and set %TEMP% to use it. If you're interested, we could perhaps find a way to facilitate this with Xecrets File. If so, sign up for the current beta at https://www.axantum.com/ and we can continue from there. As for RAM-drive, although I've not personally tried it, https://sourceforge.net/projects/imdisk-toolkit/ seems like a good candidate.

Veracrypt violates your requirement #1, it does not allow encrypting file-by-file, but since it's a virtual encrypted drive it will not by itself place data in temporary locations.

Then again, your data may still end up on the hard drive in various ways - for example by the OS paging memory to disk, or by the application itself writing temporary files to the temporary location. You would need to disable paging and map %TEMP% and %TMP% to a RAM drive to ensure no plain text gets written to disk. EFS-encrypting %TEMP% does not prevent the data from being written to disk, but does keep it encrypted, albeit by a different mechanism, and in the end it will depend on the strength of your Windows login password. You could also consider encrypting the entire hard disk with BitLocker to add another layer of protection locally.