Your laptop gets stolen from a coffee shop. Your cloud provider gets subpoenaed. A backup drive walks out of your office. In every one of these scenarios, the only thing standing between your data and whoever now has it is encryption — if you turned it on. Most folks assume their data is encrypted because they set a login password. That’s not encryption. That’s a screen lock. The data on the disk is still sitting there in plaintext, readable by anyone who pulls the drive and plugs it into another machine.
Encryption is the difference between a stolen laptop being an inconvenience and a stolen laptop being a catastrophe. Here’s what to actually turn on, what tools to use, and what “encrypted” really means when the corporate giants throw the word around in their marketing.
DO / DON’T
DO:
- Enable full disk encryption on every device you own — today
- Encrypt backups, not just live data
- Use end-to-end encrypted messaging (Signal, not SMS)
- Verify TLS certificates when accessing sensitive sites
- Use a password manager to generate and store encryption passphrases
- Encrypt sensitive files before uploading them to cloud storage
DON’T:
- Assume a login password protects your data at rest — it doesn’t
- Trust “encrypted” marketing claims without knowing what’s actually encrypted and who holds the keys
- Store encryption keys alongside the encrypted data
- Use legacy encryption tools or algorithms (TrueCrypt, DES, RC4)
- Skip encrypting external drives and USB sticks
- Forget that encryption without key management is just math without a point
Full Disk Encryption
Full disk encryption (FDE) encrypts everything on your drive — operating system, applications, temporary files, swap space. If the device is powered off and someone pulls the drive, they get noise. Nothing readable.
Windows — BitLocker
Path: Settings > Privacy & security > Device encryption or search “BitLocker” in the Start menu.
- BitLocker is built into Windows Pro, Enterprise, and Education editions. If you’re on Windows Home, you get “Device Encryption” which is a simplified version that works if your hardware supports it.
- Enable it. Use a TPM + PIN configuration for strongest protection — the TPM alone protects against casual theft, but a PIN adds a pre-boot authentication step that defeats more sophisticated attacks.
- Recovery key: BitLocker will generate a recovery key. Store it somewhere safe — your password manager, a printed copy in a secure location. Not taped to the laptop.
- For external drives, use BitLocker To Go.
macOS — FileVault
Path: System Settings > Privacy & Security > FileVault
- FileVault 2 uses XTS-AES-128 encryption. Turn it on. Apple makes this painless — it encrypts in the background while you keep working.
- Store your recovery key in your password manager. You can also escrow it with Apple via your Apple ID, but that means Apple can decrypt your drive. Your call on that tradeoff.
- FileVault is on by default on Apple Silicon Macs, but verify it. Trust but verify — actually, just verify.
Linux — LUKS
- LUKS (Linux Unified Key Setup) is the standard for Linux disk encryption. Most distributions offer it during installation — if you didn’t check the box, you’ll need to reinstall or encrypt manually with cryptsetup.
- Use LUKS2 with Argon2id for key derivation. Choose a strong passphrase — this is the key to everything.
- Encrypt swap space too. Unencrypted swap can leak decrypted data from RAM to disk.
File and Folder Encryption
Sometimes you need to encrypt specific files rather than the entire disk — especially before uploading to cloud storage where someone else controls the infrastructure.
VeraCrypt
VeraCrypt is the successor to TrueCrypt (which was abandoned under mysterious circumstances in 2014). It creates encrypted containers — virtual encrypted volumes that mount as drives. You can also encrypt entire partitions or create hidden volumes for plausible deniability.
- Use AES-256 as the encryption algorithm and SHA-512 for the hash.
- For maximum paranoia, cascade ciphers: AES-Twofish-Serpent uses three layers of encryption with three different algorithms. Slower, but if one algorithm is broken, the other two still hold.
7-Zip (Encrypted Archives)
For quick file encryption, 7-Zip supports AES-256 encrypted archives. Right-click a file or folder, create a .7z archive with a password. It’s not as robust as VeraCrypt for ongoing use, but it’s effective for encrypting files before email or upload.
Email Encryption
Email was designed in the 1970s with zero consideration for privacy. By default, emails traverse the internet in plaintext, readable at every hop.
PGP/GPG
GnuPG implements the OpenPGP standard. You generate a key pair, share your public key, and anyone with it can encrypt messages that only your private key can decrypt. Tools like Thunderbird have built-in OpenPGP support.
The honest assessment: PGP email encryption works, but it’s a usability nightmare for most folks. Key management is complex, key discovery is fragile, and one mistake — like replying without encryption — exposes the thread. For most people, encrypted messaging apps (Signal) are more practical than encrypted email.
S/MIME
S/MIME uses X.509 certificates (the same PKI infrastructure as HTTPS) for email encryption and signing. It’s more integrated into corporate email clients (Outlook, Apple Mail) but requires obtaining a certificate from a CA. More seamless than PGP if your organization supports it.
TLS Configuration (Server-Side)
If you run any internet-facing service, your TLS configuration matters. NIST SP 800-52 Rev. 2 provides the authoritative guidance.
- TLS 1.2 minimum. Disable TLS 1.0 and 1.1. They’re deprecated.
- TLS 1.3 preferred. Faster, more secure, fewer cipher suite options (which is a feature, not a bug).
- Forward secrecy required. Use ECDHE key exchange. If your cipher suite doesn’t include “ECDHE,” fix it.
- Disable weak ciphers. No RC4, no DES, no 3DES, no CBC-mode ciphers with TLS 1.0/1.1. Use Mozilla’s SSL Configuration Generator for tested configurations.
- HSTS (HTTP Strict Transport Security). Add the header. Force browsers to always use HTTPS.
Test your configuration with SSL Labs. Aim for an A+ rating.
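As an added example (not code from the original article), here is the checklist above expressed as a Go `crypto/tls` server configuration, with a small self-check for the cipher-suite rules and an HSTS middleware. The certificate and key file names are placeholders.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"strings"
)

// hardenedTLSConfig applies the checklist: TLS 1.2 floor (TLS 1.3 still negotiates),
// modern curves, ECDHE + AEAD suites only. Go does not expose TLS 1.3 suite selection.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// suiteProblems names every configured TLS 1.2 suite lacking ECDHE or using RC4, 3DES or CBC.
func suiteProblems(cfg *tls.Config) []string {
	var bad []string
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if !strings.Contains(name, "ECDHE") || strings.Contains(name, "RC4") ||
			strings.Contains(name, "3DES") || strings.Contains(name, "CBC") {
			bad = append(bad, name)
		}
	}
	return bad
}

// withHSTS adds Strict-Transport-Security (one year, subdomains) to every response; HTTPS only.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() { // cert.pem and key.pem are placeholder paths; use your own files
	srv := &http.Server{Addr: ":8443", Handler: withHSTS(http.NotFoundHandler()), TLSConfig: hardenedTLSConfig()}
	srv.ListenAndServeTLS("cert.pem", "key.pem")
}
```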
Database Encryption
Transparent Data Encryption (TDE)
TDE encrypts database files at rest. SQL Server, Oracle, and PostgreSQL all support it. The encryption is transparent to applications — they don’t need to change. But understand what TDE does and doesn’t protect: it protects data on disk. It does not protect data in memory or in transit. A DBA with query access can still read everything. TDE stops the “stolen backup tape” threat, not the “insider with credentials” threat.
Application-Level Encryption
For truly sensitive fields (SSNs, credit card numbers, health records), encrypt at the application layer before the data hits the database. This means even a compromised DBA or database dump reveals only ciphertext. The tradeoff: you lose the ability to query or index encrypted fields. There’s no free lunch.
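An added example, not the article's own code, of application-level encryption for one sensitive column in Go: AES-256-GCM bound to the row ID, plus an HMAC blind index that recovers exact-match lookups and nothing else. The keys and the SSN are constructed sample values; a KMS or HSM as the key source is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte data-encryption key. In
// production that key comes from a KMS or HSM, never a file next to the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField encrypts one column value before it reaches the database. The row
// ID is bound in as additional authenticated data (a ciphertext moved to another
// row fails to decrypt); a random nonce makes equal plaintexts encrypt differently.
// Stored form for a text column: hex(nonce || ciphertext || tag).
func encryptField(gcm cipher.AEAD, rowID, plaintext string) string {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on supported platforms
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowID)))
}

// decryptField reverses encryptField; tampering or a wrong row ID fails the tag check.
func decryptField(gcm cipher.AEAD, rowID, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	ns := gcm.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed stored value")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(rowID))
	return string(pt), err
}

// blindIndex is an HMAC-SHA256 of the plaintext under a separate key: it allows an
// exact-match lookup (WHERE ssn_idx = ?) on an encrypted field. No LIKE, no ranges.
func blindIndex(indexKey []byte, plaintext string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(plaintext))
	return hex.EncodeToString(mac.Sum(nil))
}
```

A database dump now shows hex for the SSN column and an opaque index column; only the application holding the keys can turn either back into anything useful.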
What “Encrypted” Actually Means in Cloud Marketing
When a cloud provider says “your data is encrypted at rest,” ask two questions: who holds the keys, and encrypted from whom?
If the provider holds the encryption keys, they can decrypt your data. That means they can comply with subpoenas, government requests, or be compelled to hand over your data in plaintext. “Encrypted at rest” with provider-managed keys protects you from a physical disk theft at the data center. It does not protect you from the provider, their employees, or anyone with a court order.
Customer-managed keys (AWS KMS with customer-managed CMKs, Azure Key Vault BYOK, GCP Customer-Managed Encryption Keys) shift key control to you. Better. But the keys still exist within the provider’s infrastructure during encryption/decryption operations.
Client-side encryption — where you encrypt data before it ever reaches the cloud — is the only model where the provider truly cannot access your plaintext data. Services like Cryptomator for cloud storage or age for file encryption give you this.
The bottom line: encryption you don’t control the keys to is encryption that protects someone else’s liability, not your data. Know who holds the keys. That’s the whole game.