Sending Files Securely
by Carey Parker
[This is a shortened version of a more detailed blog article which can be found here.]
If you need to send someone private or sensitive information over the internet (like, say, sending your financial info to your tax preparer or sending medically sensitive information), then you really must do it securely. You should never send this sort of info in an email – as an attachment or in the email body itself. Email is just not secure (unless you go to great pains to make it so) and your file(s) may last forever on some server somewhere, even if both the sender and receiver “delete” the email.
As you might suspect, the key to sending files securely is to use encryption. If done properly, encryption makes a file unintelligible gibberish – and only someone with the key can decrypt it. We’re going to be talking about two distinct modes of encryption here: encrypting the files themselves (‘data at rest’) and encrypting the files as they are traversing the interwebs (‘data in motion’). Ideally, you will want to do both – that is, encrypt the files you’re sending and then send those files using an encrypted transfer mechanism. But at a bare minimum, you need to encrypt the files themselves.
STEP 1: Encrypting Your Files
Whether you have one or many files to send, you should compress and zip them up into a single bundle. Fortunately, the same tools we’re going to use to encrypt the files will also take care of compressing and bundling them all into a single output file called a ‘zip file’. When your recipient decrypts this zip file, they will get all the original files back.
a) Choosing Your Zip File Password
Before we can encrypt the file, we need to choose a password. This is a crucial step in the process – don’t wimp out here and go with your name, “password”, or “12345678”. Just make it easy: go to this online password generator and have it create a killer password for you. You can tweak the settings on this page if you want to make it a little easier for the recipient to enter, but make sure it’s at least 12 characters long (20 is better) and includes upper & lower characters, numbers, and special characters.
b-Win) Creating Your Zip File on Windows
On Microsoft Windows, we’ll be using a free app called 7zip. While there are others, 7zip is free and uses much better encryption algorithms. Download it from here and install it. (See the next section if you have a Mac.)
To create an encrypted .zip file on a Windows PC with 7zip, follow these steps:
- Start by putting all of your files into a single folder, say “My Private Files”.
- Then right-click this folder and select “7-zip -> Add to archive”.
- In the window that pops up, you only have to change three things:
- set the “Archive format” to “7z” (upper left)
- set the “Encryption method” to “AES-256” (lower right)
- enter your chosen password
Note carefully where the zip (“archive”) file will be created (top of the window). Click “OK” and you’re done!
b-Mac) Creating Your Zip File on Mac
To create an encrypted .zip file on an Apple Mac with Keka, follow these steps:
- Launch the Keka app.
- From the Keka menu, open Preferences and select the “Compression” tab. Select the “Use AES-256 when encrypting ZIP files” option at the bottom.
- Now, in the main Keka window, select “7Z” option at the upper right (shorthand for “7zip”), if not already selected. Fill in your chosen password. I usually also select “Exclude Mac resource forks” (harmless and invisible to Mac users but confusing for Windows users).
- Put all of your files into a single folder, say “My Private Files.” Drag that folder on top of the Keka window and it will magically change to a different look, saying “drop here to compress.” Drop the folder there.
- When you drop the folder on Keka, you will be presented with a save dialog. Choose where you want your 7zip file to be saved. You can change the name of the file, if you wish.
Click “OK” and you’re done!
c) Decrypting the 7z File
The process at the receiving end is much simpler – the receiver usually just needs to double-click the .7z file. They will need a zip/compression application installed to handle this, of course. 7-Zip and Keka are obvious choices, but there are others that will decrypt these files like Unarchiver for Mac or PeaZip for Windows. Obviously, the recipient will also need the password (see the next step).
STEP 2: Sharing Your Zip File Password
Now you have your strong password and you’ve used it to encrypt your zip file. Now, how do you get this crazy password to the other guy? Believe it or not, this one step is where so many people fail miserably. Don’t send the password along with the file! (Don’t laugh… people do this.) In general, you need to share the password using a different mechanism than whatever you used to share the file.
Here are some options. Note that in all cases, I wouldn’t say anything like “here’s the password”. Just send it with no other information, if possible.
- Old school method: The simplest and most secure way to share a password is to just call the recipient and read it to them. No “paper trail” and very unlikely to be recorded.
- Most secure method: If you both happen to have a secure messaging app like Signal or Wire or Keybase, you can send the password that way. (WhatsApp isn’t trustworthy now that Facebook owns it.)
- Fairly secure method: If both you and the recipient use Apple’s Messages (ie, you both have Apple devices), you can feel fairly secure sending the password this way (a “blue bubble” text message).
- Okay method: A regular text message isn’t great, but it’s not horrible, especially if you don’t say what it is.
STEP 3: Sending Your Encrypted Files
Now that you’ve encrypted and zipped up your files into a single .7z file, and you’ve securely communicated the password to the recipient, now you need to actually send the zip file. While you could just email the zip file (because, after all, it is encrypted), I would still recommend that you choose an encrypted transfer mechanism.
Why? Whenever you send something via email, copies of that message and the attachments can be made all along the path between you and the receiver. Those copies may survive for a very long time and are subject to being stolen or copied. If you didn’t choose a good password or if in the future someone finds a glitch in the encryption algorithm (less likely), then those copies could be compromised.
There are various ways to transfer a file to someone securely over the internet. Here are a few you could use:
- Use a temporary share link with a secure cloud storage service (like Sync.com)
- Use an encrypted email service (like ProtonMail)
- Use an end-to-end encrypted messaging app (like Signal or Wire or Keybase)
- Use an encrypted web file transfer tool
For the sake of brevity and simplicity, I’m going to strongly recommend the last option. It’s quite easy and very secure. All you need is a web browser – no special tools to install or services to sign up for. Here are the ones I recommend:
They each work a little differently, but basically you drag your zip file onto the page and it gives you a link that you share with your intended recipient. With Swiss Transfer, you can limit the number or downloads, add an expiration date for the link, or both. You can even add a password for the download (separate from the one you’ve already used to encrypt the file itself). Filemail has an option for sending an email, though personally I prefer to use the download link (“Send as link”).
This article was contributed by Carey Parker, author of Firewalls Don't Stop Dragons.