Most users assume their files are safe once they are uploaded to Google Drive, Dropbox, or OneDrive. To some degree they are: these services use HTTPS for encryption in transit and AES-256 for encryption at rest. But there is one thing the flashy advertising never mentions: the provider holds the encryption keys. That's right! They can access and read every single file you upload, and so can anyone who gets in through a data breach, a government subpoena, a careless employee, or a bug in the provider's own systems. Everything you store there can be read by someone who is not you. Sounds scary?
Client-side encryption solves this: you encrypt the file before it is uploaded. Any file sent to the cloud is then ciphertext, unintelligible and useless to anyone who does not have your key.
In this tutorial, we’ll take a look at all the popular tools and methods for encrypting important files and documents. It’s a must-have skill if you upload sensitive files to the cloud regularly. Let’s get started!
Why Cloud Storage is Not As Private As You Think
Before I get into how, it’s helpful to understand exactly what the problem is.
The Misconception of "Encryption at Rest"
Cloud providers like Amazon, Microsoft, and Google all offer what is called encryption at rest. They do provide it, technically, but all it protects you from is someone walking into their data center, pulling a hard drive out of a server, and driving off with it.
It offers zero protection against access to your data through perfectly ordinary channels: a legal request, a lost administrative credential, or an insider at the provider who wants to get their hands on your sensitive files.
In those cases the key sits on the provider's servers, and it is their systems and their employees that do the decrypting. Effectively, you are outsourcing trust, not just in the technology but in the people and the laws surrounding it.
Real-World Incidents That Should Concern You
- In 2012, Dropbox suffered an embarrassing breach in which hashed user passwords leaked, followed several months later by 68 million user email addresses being posted online.
- You probably know about PRISM and similar government data-gathering programs, in which cloud providers were less-than-enthusiastic participants.
- Insider threats at cloud providers remain the primary cause of corporate data breaches.
I'm not saying cloud storage is bad, but you can’t blindly trust platform-only encryption for your valuable files.
Zero-Knowledge Encryption: The Best Available Technique
What you want is zero-knowledge encryption: no third party, not even the cloud provider, holds any key or any part of a key, so no third party can read your files. The data is encrypted and stored remotely, but it is encrypted with keys that exist only on your own devices.
And that’s what we’re going to learn to set up in this tutorial.
Which Encryption Algorithm Should You Use?
You don't need to be a mathematician or a cryptography expert to encrypt files, but a quick look at the basics helps before we get to the methods and tools.
| Algorithm | Key Size | Security Level | Use Case |
|---|---|---|---|
| AES-256 | 256-bit | Excellent | Files and volumes; the industry standard |
| AES-128 | 128-bit | Very good | Faster on older hardware |
| ChaCha20 | 256-bit | Excellent | Mobile devices where AES hardware acceleration is missing |
| RSA-4096 | 4096-bit | Excellent | Asymmetric encryption and key exchange; not for bulk file encryption |
| Twofish | 128–256-bit | Very good | Available in VeraCrypt |
In short, AES-256 is the gold standard for data encryption, and it is what the examples below use. Unless you have a specific reason not to, I recommend sticking with AES-256.
Method 1: Cryptomator — Encrypt and Upload Files Directly to the Cloud
One of the best, easy-to-use, and open-source solutions you can use to encrypt and upload your files to the cloud is Cryptomator. You can connect it to cloud services like Dropbox, Google Drive, and OneDrive.
How Cryptomator Works
Cryptomator creates an encrypted vault inside your cloud-synced folder. On your desktop the unlocked vault appears as a normal folder, but whenever you drop a file into it, Cryptomator encrypts the file with AES-256 before anything is written to the vault on disk.
So when the cloud service syncs that folder, it only ever receives encrypted blobs. The vault's master key is protected by a password that you set locally on your own machine, and even the filenames are encrypted.
Installing Cryptomator
For Windows, download it from the official site. It's available for macOS, Linux, iOS, and Android as well.
```bash
# On Linux (Ubuntu/Debian) via PPA
sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
sudo apt update
sudo apt install cryptomator
```
To install on macOS via Homebrew:
```bash
brew install --cask cryptomator
```
Creating a Vault
- Open the Cryptomator app and click the plus symbol on the bottom-left. Click the Create New Vault... option from the dropdown menu.
- Select a folder that is already synced with your preferred cloud service (e.g., `D:\Vault` on Windows or `~/Dropbox/SecureVault` on Linux/macOS).
- Set a strong password for the vault.
- Although it is optional, I strongly recommend creating a recovery key for the vault.
- Finally, click the Create Vault button.
Using the Vault
- First, use your password to unlock the vault.
- After successful authentication, Cryptomator will open it as a virtual drive.
- Now, you can copy-paste or drag-n-drop the files into this drive to encrypt them.
- After your work is complete, lock the vault.
Any file copied into this vault is encrypted before it is written to disk, so your cloud sync client only ever picks up encrypted data, never the original content of the file.
Note: Cryptomator uses AES-256-SIV for encrypting file names, and AES-256-CTR coupled with HMAC-SHA256 for encrypting file contents.
Method 2: GPG (GNU Privacy Guard) — The Command-Line Powerhouse
When you want to encrypt files and then transmit them, GPG should be at the top of your list: it is the battle-tested, free, standard command-line tool, and it is available on almost every platform.
It supports symmetric encryption (passphrase-based, the way files were typically encrypted a few decades ago) as well as modern asymmetric encryption with public/private key pairs.
To install GPG:
```bash
# On Ubuntu/Debian
sudo apt install gnupg
# On macOS
brew install gnupg
# On Windows — download Gpg4win from gpg4win.org
```
Symmetric Encryption (Password-Based)
You are probably most familiar with password-based encryption. To encrypt a file:
```bash
gpg --symmetric --cipher-algo AES256 --output secret.pdf.gpg secret.pdf
```
GPG prompts for a passphrase and asks you to enter it twice so that a typo does not lock you out. It encrypts secret.pdf into a new file, secret.pdf.gpg, which you can then upload to your cloud service account.
To decrypt the file:
```bash
gpg --output secret.pdf --decrypt secret.pdf.gpg
```
To encrypt a directory, first compress it, then encrypt the archive:
```bash
tar -czf documents.tar.gz ~/Documents/sensitive/
gpg --symmetric --cipher-algo AES256 --output documents.tar.gz.gpg documents.tar.gz
rm documents.tar.gz # Remove the unencrypted archive (note: rm does not wipe the bytes from disk)
```
Asymmetric Encryption (Public/Private Key)
This is the modern way that you would want to go with if you were sending an encrypted file to somebody else, or if you wanted something like public/private key authentication that avoids passwords altogether.
Generate a new key pair:
```bash
gpg --full-generate-key
```
This walks you through the options: key type (RSA and RSA), key size (use 4096 bits), and a passphrase to protect your private key (make it strong). If you already have a key pair, skip this step; it only needs to be run once.
Encrypt a file for yourself (using your own public key):
```bash
gpg --encrypt --recipient your@email.com --output secret.pdf.gpg secret.pdf
```
Because you generated a key for that address, GPG looks up your@email.com in its public keyring, finds your key, and encrypts secret.pdf with your public key.
Encrypt a file for someone else:
First import that person's public key, then encrypt:
```bash
gpg --import their_public_key.asc
gpg --encrypt --recipient their@email.com --output secret.pdf.gpg secret.pdf
```
Decrypt a file that somebody else sent you:
```bash
gpg --output secret.pdf --decrypt secret.pdf.gpg
```
GPG prompts for the passphrase protecting your private key. The same command recovers anything someone else has encrypted to your public key.
GPG Tips and Best Practices
- Use `--cipher-algo AES256` when encrypting with the symmetric method. The default is not strong enough.
- Do not store a backup copy of your GPG private key on an online drive or anywhere reachable remotely. Keep it locally, at home.
- When pasting ciphertext into text fields, use the `--armor` option to produce an ASCII-armored version.
- For encrypting files in bulk, use a shell script.
Method 3: VeraCrypt — Full Volume Encryption for Large Collections
If you want to encrypt hundreds or thousands of files, doing it one by one is obviously not practical. VeraCrypt solves this by creating an encrypted container that holds all your files; the container is, in effect, an encrypted virtual disk.
What VeraCrypt Creates
At first glance, the encrypted container looks like a simple file, e.g., archive.vc. Once you mount it using a password and/or a keyfile (optional), it appears as a disk drive containing all the files. Upon unmounting, it reverts to a file which is essentially an encrypted blob of data.
Installing VeraCrypt
You can download VeraCrypt from the official website. It is available for Windows, macOS, and Linux platforms.
```bash
# On Ubuntu, download the .deb from the official site, then:
sudo dpkg -i veracrypt-X.XX-Ubuntu-XX.deb
```
Creating an Encrypted Volume
- Open the VeraCrypt app and click the Create Volume button.
- Leave the default selection, "Create an encrypted file container", as it is.
- Next, select the Standard VeraCrypt volume option.
- Choose the location and file name (e.g., `D:\Vault\VCDrive`).
- Keep the default encryption algorithm, AES, selected; it is good enough for most use cases. If the data is extremely sensitive, choose AES-Twofish or AES-Twofish-Serpent for paranoid layering and maximum security.
- Choose the volume size (e.g., 10 GB) as per your need.
- Add a strong password. You can also add a keyfile (optional) for added security.
- Tell VeraCrypt if you are going to store huge files in your volume. If yes, it will use an appropriate filesystem for maximum performance.
- Finally, randomly move the mouse cursor within the application window to increase the cryptographic strength of the encryption keys. Click the Format button to finish the volume creation process.
Mounting and Using the Volume
- First, use the Select File option to pick the encrypted `.vc` file and assign a drive letter from the list.
- Click the Mount button and enter the password you used when creating the volume.
- The volume shows up in the file explorer as a regular disk drive (e.g., `H:\`).
- You can now move files in and out of this drive like any other disk.
- When your work is done, click the Dismount button in the VeraCrypt app.
The encrypted .vc file can be uploaded to your preferred cloud service.
Note: The size of VeraCrypt's encrypted file is always fixed. Even if it has no user files, the size will remain the same as it was during the volume creation process.
Command-Line Usage (Linux/macOS)
```bash
# Mount a volume
veracrypt --text --mount /path/to/vault.vc /media/veracrypt1
# Dismount all volumes
veracrypt --text --dismount
```
I use this application for encrypting my important files.
Method 4: OpenSSL — Easy Encryption from the Terminal
OpenSSL is available on Linux, Windows (via Git Bash or WSL), and macOS. It's one of the best options to quickly encrypt a file without any need for additional software.
Encrypt a File
```bash
openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.pdf -out secret.pdf.enc
```
Provide a strong password when prompted. Here is what each flag means:
- `-aes-256-cbc`: Use AES-256 in CBC mode
- `-salt`: Add a random salt so the same password never derives the same key twice
- `-pbkdf2`: Derive the key with the PBKDF2 key derivation function instead of OpenSSL's legacy key derivation
Decrypt a File
```bash
openssl enc -d -aes-256-cbc -pbkdf2 -in secret.pdf.enc -out secret.pdf
```
Encrypt with a Key File
If you are writing a shell script and do not want an interactive password prompt, use a keyfile like this:
```bash
# Generate a random 256-bit key and save it
openssl rand -hex 32 > my.key
# Encrypt
openssl enc -aes-256-cbc -salt -pbkdf2 -in secret.pdf -out secret.pdf.enc -pass file:my.key
# Decrypt
openssl enc -d -aes-256-cbc -pbkdf2 -in secret.pdf.enc -out secret.pdf -pass file:my.key
```
Make sure you store the .key file offline at a secure location.
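The following script is an added example, not part of the original article. It wraps the `openssl enc` commands above in shell functions and lets you check, on constructed input, three things worth seeing with your own eyes: that the ciphertext decrypts back to byte-identical plaintext, that `-salt` makes two encryptions of the same file with the same key come out different, and that the salt itself is stored unencrypted in a `Salted__` header at the start of the file. The function names, the `ITER` value and the `--demo` flag are my own choices; only `openssl` on the PATH is assumed.

```shell
#!/bin/bash
# openssl_roundtrip.sh -- added example, not from the article.
# Exercises the openssl enc flags discussed above on constructed input.
set -eu

ITER=100000   # PBKDF2 iterations. OpenSSL's default with -pbkdf2 is 10000;
              # -iter implies -pbkdf2 and must match on encrypt and decrypt.

# enc_file <plaintext> <ciphertext> <keyfile>: encrypt with the article's flags
# plus an explicit iteration count. -pass file: reads the key file's first line.
enc_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
    -pass "file:$3" -in "$1" -out "$2"
}

# dec_file <ciphertext> <plaintext> <keyfile>
dec_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -pass "file:$3" -in "$1" -out "$2"
}

# roundtrip_ok <plaintext> <keyfile>: encrypt, decrypt, compare bytes.
# Returns 0 only if the decrypted copy is identical to the original.
roundtrip_ok() {
  local work rc=0
  work=$(mktemp -d)
  enc_file "$1" "$work/c.enc" "$2"
  dec_file "$work/c.enc" "$work/p.out" "$2"
  cmp -s "$1" "$work/p.out" || rc=1
  rm -rf "$work"
  return "$rc"
}

# salt_randomises <plaintext> <keyfile>: returns 0 if two encryptions of the
# same input under the same key produce different ciphertexts (the -salt effect;
# identical output would mean the derived key and IV were reused).
salt_randomises() {
  local work rc=0
  work=$(mktemp -d)
  enc_file "$1" "$work/a.enc" "$2"
  enc_file "$1" "$work/b.enc" "$2"
  cmp -s "$work/a.enc" "$work/b.enc" && rc=1
  rm -rf "$work"
  return "$rc"
}

# salt_header <ciphertext>: print the 8-byte magic that precedes the salt.
# The salt is not secret; it only has to be unique per encryption.
salt_header() {
  dd if="$1" bs=8 count=1 2>/dev/null
}

# Stand-alone demo on constructed data: ./openssl_roundtrip.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  openssl rand -hex 32 > "$demo/my.key"; chmod 600 "$demo/my.key"
  printf 'constructed sample plaintext\n' > "$demo/secret.txt"
  roundtrip_ok "$demo/secret.txt" "$demo/my.key" && echo "round trip: OK"
  salt_randomises "$demo/secret.txt" "$demo/my.key" && echo "salt: ciphertexts differ"
  enc_file "$demo/secret.txt" "$demo/secret.enc" "$demo/my.key"
  echo "header: $(salt_header "$demo/secret.enc")"
  rm -rf "$demo"
fi
```

One caveat the round trip does not cover: `openssl enc` offers no integrity protection (it does not support authenticated modes such as GCM), so a ciphertext that was modified in storage is not reliably detected at decryption time. If you use this method, keep a separate checksum of the `.enc` file or prefer GPG, whose format includes an integrity check, for data you will only read back months later.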
Automating Encryption Before Upload
If you regularly encrypt files within a directory already synced with your cloud service, you can automate the encryption process through a shell script. Here's a sample script you can tweak and modify to meet your needs.
```bash
#!/bin/bash
# encrypt_and_sync.sh
set -eu
SOURCE_DIR="$HOME/Documents/sensitive"
ENCRYPTED_FILE="$HOME/Dropbox/sensitive_backup.tar.gz.gpg"
PASSPHRASE_FILE="$HOME/.config/backup_passphrase" # Protect this file (chmod 600)!
ARCHIVE=$(mktemp /tmp/sensitive_backup.XXXXXX)   # unpredictable name instead of a fixed /tmp path
echo "Compressing..."
tar -czf "$ARCHIVE" "$SOURCE_DIR"
echo "Encrypting..."
# --pinentry-mode loopback is required for --passphrase-file with GnuPG 2.1 and later;
# --yes lets the script overwrite last time's backup without a prompt.
gpg --batch --yes \
  --pinentry-mode loopback \
  --passphrase-file "$PASSPHRASE_FILE" \
  --symmetric \
  --cipher-algo AES256 \
  --output "$ENCRYPTED_FILE" \
  "$ARCHIVE"
echo "Cleaning up..."
rm -f "$ARCHIVE"
echo "Done. Encrypted file is in the Dropbox folder."
```
Make the shell script executable and use it whenever required.
```bash
chmod +x encrypt_and_sync.sh
./encrypt_and_sync.sh
```
You can fully automate this encryption process to run every fortnight by scheduling its execution either through the cron system or through a systemd service.
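As an added example (not the article's own script), here is a hardened version of the tar-then-gpg flow used both in the GPG directory example of Method 2 and in the automation script above. It refuses to run if the passphrase file is readable by anyone but its owner, keeps the plaintext archive in a private scratch directory rather than under a fixed `/tmp` name, and, before anything reaches the sync folder, decrypts the fresh ciphertext and compares it byte for byte with the archive (the "test recovery first" item from the checklist). The function names and the three-argument interface are my own; `gpg` and `tar` on the PATH are assumed.

```shell
#!/bin/bash
# encrypt_and_verify.sh -- added example, not the article's own script.
set -eu

# check_passphrase_file <file>: fail unless the file exists and is owner-only.
check_passphrase_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "passphrase file missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f has mode $mode; chmod 600 it first" >&2; return 1 ;;
  esac
}

# encrypt_and_verify <source_dir> <dest_file> <passphrase_file>
# Prints the destination path on success. The sync folder never sees a file
# that has not already survived a test decryption.
encrypt_and_verify() {
  local src="$1" dest="$2" pf="$3" work
  check_passphrase_file "$pf"
  work=$(mktemp -d)
  tar -czf "$work/plain.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"
  # --pinentry-mode loopback is required for --passphrase-file on GnuPG 2.1+.
  if ! gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pf" \
           --symmetric --cipher-algo AES256 \
           --output "$work/cipher.gpg" "$work/plain.tar.gz"; then
    rm -rf "$work"; return 1
  fi
  # Checklist item: test recovery before upload. Decrypt and compare bytes.
  if ! gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pf" \
           --output "$work/check.tar.gz" --decrypt "$work/cipher.gpg" \
     || ! cmp -s "$work/plain.tar.gz" "$work/check.tar.gz"; then
    echo "round-trip check failed; nothing written to $dest" >&2
    rm -rf "$work"; return 1
  fi
  mv "$work/cipher.gpg" "$dest"
  rm -rf "$work"                  # the plaintext archive never leaves the scratch dir
  echo "$dest"
}

# Stand-alone use, e.g. from cron:
#   ./encrypt_and_verify.sh ~/Documents/sensitive ~/Dropbox/sensitive_backup.tar.gz.gpg ~/.config/backup_passphrase
if [ "$#" -eq 3 ]; then
  encrypt_and_verify "$1" "$2" "$3"
fi
```

Scheduling this from cron works the same way as the original script; the difference is that a bad passphrase file, a failed encryption, or a ciphertext that does not decrypt leaves the previous backup in the sync folder untouched instead of replacing it with something you cannot open.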
Key Management: Best Practices and Rules
The strongest encryption system is useless if you are not taking care of the passphrase file or the GPG private key. The safety of these two determines how secure your encrypted data is.
Rules for Managing Encryption Keys and Passphrases
- Always use a strong and unique passphrase. Use a mix of special characters, numbers, and letters of at least 20 characters in length.
- Always store passphrases in a password manager. Instead of storing them in a plain text file, opt for a password manager and store them there. I use Proton Pass, but there are other options as well.
- Encrypt the private key as well. If you are going to store your GPG private key in your cloud account, encrypt it as well before uploading.
- Keep recovery keys handy. You never know when you will lose access to private keys or the passphrase. That's why, always keep the recovery keys saved locally on your system.
- Change keys every 3 to 6 months. For long-term archived data, make sure you are changing the keys at regular intervals to keep security at its highest.
Final Checklist for a Robust Encryption Workflow
Before you start the encryption and upload process, go through this checklist.
- Depending on your use case, always choose the right encryption tool.
- Use AES-256 without fail (avoid using older algos) for most use cases.
- Use a password manager for creating extremely strong passphrases.
- Recovery keys and backups should be stored offline on your local system.
- Encrypt both the content and the file name.
- Never store encrypted files and private keys at the same location on the cloud.
- Always test recovery and decryption on dummy data first.
- Document your encryption process. It'll come in handy in the event of recovery, if required.
Conclusion
Cloud services make your digital life simple and dependable. But, since they own the keys to your data, relying on a cloud service provider with your sensitive files is a deep security trade-off.
Client-side encryption changes the equation. When your files sit in an encrypted vault or volume, your cloud-stored data is protected both by your own key (which only you hold) and by whatever security measures the cloud provider applies on top.
Cryptomator is one of the best solutions that protects your folders in the best possible way. GPG encryption works flawlessly from the command line. VeraCrypt can be used to manage large encrypted disks that can be mounted at will. Use OpenSSL to encrypt files through a shell script.
All these encryption tools have different use cases. Go with the one that works for you and start encrypting files before putting them in the cloud. A cloud service is a wonderful, convenient, and huge hard drive. But a hard drive is not your personal safe. Make sure to bring your key to protect your data.