Thanks to Crypteron for sponsoring this side-project! If you're a developer building cloud / server applications and are concerned about compliance and data security, check out Crypteron's Data Security Platform.
Who should use this?
- the convenience of cloud storage solutions like Dropbox, Google Drive, OneDrive etc.
- to keep your private information, well, private, even when the files are kept with someone else
- simplicity ... just double click a file, edit/view it and be done with it. You find the default GPG workflow tedious and error prone.
End User Experience
- Double click an encrypted file to work with it (e.g. double clicking proposal.docx.gpg directly opens it in Word)
What does it do?
It keeps your files encrypted while allowing seamless access to read/edit/update those files. Opening any encrypted file (e.g. proposal.docx.gpg) is just a simple double-click in Windows Explorer. If you edit your document, those changes go back into the encrypted file without any additional effort. Note that you need to close the application used for editing the file (e.g. Microsoft Excel) before these scripts proceed to check for changes and re-encrypt the file(s).
On a technical level, it's a bunch of PowerShell scripts that glue together OpenPGP/GnuPG, Windows Explorer, Windows applications and cloud storage tools (e.g. Dropbox, OneDrive etc). If you are a developer and want to improve it, please feel free to collaborate via GitHub pull requests.
Installation takes seconds but encrypting all your files may take several minutes/hours depending on how many files you've got.
WARNING 1: It is recommended that you create a backup of your files before proceeding - in case you mess things up.
WARNING 2: Be sure to back up your certificate/keypair created below. Without them even you will NOT be able to decrypt your own encrypted files. Your files will be effectively lost forever. Example: keep a copy on a USB stick and put the stick inside a safe.
- Install Gpg4Win. Basically get the .exe file and run it. Need more help? Look here.
- Create your OpenPGP certificate/keypair. Try the Kleopatra tool installed by Gpg4Win. Details here.
- Clone/download this repository of files
- Using Notepad, edit the top of EncryptFilesHelper.ps1 and replace the email inside $global:recipient = "email@example.com" with your OpenPGP/GnuPG keypair ID/name from the above step.
- Install these scripts by double clicking the
- Encrypt your files by double clicking the EncryptFiles.bat file. You will be asked to select a folder and all files in there (including subfolders) will be encrypted. Specifically, all files NOT ending in .gpg will be considered for encryption and we use AES 256 for all our encryption. Optionally you can delete the leftover original unencrypted files after they have been encrypted. It's recommended to delete the unencrypted leftovers for a clean workflow (as long as you have a 'just in case' backup elsewhere).
You're set up! All files in the folder of your choice (e.g. your Dropbox folder) are now encrypted.
How it works
During normal usage we automatically do a few things behind the scenes. We
- decrypt the file via GPG into a temporary local folder
- open the file with the application registered for its extension (e.g. .doc files will be opened by Microsoft Word)
- If you edit the file (new edit timestamp or file contents change) then we will re-encrypt the modified temporary file via GPG and move it back into your original cloud folder (overwriting the older encrypted version).
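The decrypt, open, detect-changes, re-encrypt round trip described above, written out as an added PowerShell example (not one of the project's own scripts). It assumes gpg.exe from Gpg4Win is on the PATH, a hypothetical script name such as Open-EncryptedFile.ps1, and that $Recipient is the key ID/email you configured in the installation step.

```powershell
# Added example, not part of the project: open one .gpg file, let the user edit it,
# and write changes back encrypted. Usage: .\Open-EncryptedFile.ps1 -EncryptedFile
# 'C:\Users\me\Dropbox\proposal.docx.gpg' -Recipient 'firstname.lastname@example.org'
param(
    [Parameter(Mandatory)] [string] $EncryptedFile,
    [Parameter(Mandatory)] [string] $Recipient
)

# 1. Decrypt into a private temporary folder so the plaintext never lands in the cloud folder.
$tempDir   = Join-Path $env:TEMP ("gpgwrap-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tempDir | Out-Null
$plainName = [IO.Path]::GetFileNameWithoutExtension($EncryptedFile)   # drops the trailing .gpg
$plainPath = Join-Path $tempDir $plainName

try {
    & gpg --batch --yes --output $plainPath --decrypt $EncryptedFile
    if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $EncryptedFile" }

    # 2. Record both the timestamp and a content hash before editing; some applications
    #    rewrite a file on close without changing its contents.
    $beforeTime = (Get-Item $plainPath).LastWriteTimeUtc
    $beforeHash = (Get-FileHash -Path $plainPath -Algorithm SHA256).Hash

    # 3. Open with the application Windows has registered for the extension and wait for
    #    it to exit. Caveat: if that application reuses an already running instance,
    #    -Wait can return early, which is why the user must close the app first.
    Start-Process -FilePath $plainPath -Wait

    # 4. Re-encrypt only if something changed; write next to the original, then rename
    #    over it so the cloud folder never holds a half-written file.
    $afterTime = (Get-Item $plainPath).LastWriteTimeUtc
    $afterHash = (Get-FileHash -Path $plainPath -Algorithm SHA256).Hash
    if ($afterTime -ne $beforeTime -or $afterHash -ne $beforeHash) {
        $staging = "$EncryptedFile.tmp"
        & gpg --batch --yes --recipient $Recipient --cipher-algo AES256 `
              --output $staging --encrypt $plainPath
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to re-encrypt $plainPath" }
        Move-Item -Path $staging -Destination $EncryptedFile -Force
        Write-Host "Updated $EncryptedFile"
    } else {
        Write-Host "No changes detected; $EncryptedFile left untouched"
    }
}
finally {
    # 5. Always remove the plaintext, whether or not the edit succeeded.
    Remove-Item -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue
}
```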
- This may be obvious or subtle based on your background but other devices sync'd with your onedrive/dropbox/google drive won't be able to open the encrypted files without GPG (or these wrapper scripts) and your private GPG key installed on it.
- Currently assumes a single authorized person for each file. Files are encrypted/re-encrypted for a single GPG key like firstname.lastname@example.org. So if you want to share that private financial spreadsheet with someone like email@example.com, that's currently not supported. To clarify, they may get the encrypted file via email or by sharing via the cloud service itself, but they won't be able to decrypt it and see anything inside.
- No continuous file system monitoring to detect new unencrypted files and encrypt them. Currently you must periodically re-run the encryption script from the Installation steps stage. Explore via something like $monitor = New-Object System.IO.FileSystemWatcher in the future?
- Windows based: Although gpg and powershell are cross platform, the explorer based integration makes them Windows specific. Eventually we want to expand these powershell scripts to integrate with Finder (Mac) and Nautilus (Linux) too.
- Google Docs files (*.gdoc, *.gslides, *.gsheet, *.gdraw, *.gtable, *.gform) are skipped; in reality those are only small pointer files on your hard drive. Your actual data is hidden behind a Google Docs API. If this concerns you and you want to 'own' your data and encrypt it, best to export all your Google Docs into self-contained Office/OpenOffice document files.
- We're using .bat files to launch the powershell scripts because Windows, by default, allows double-click-to-run on those. Yes, batch files suck for programming but PowerShell is incredible.
- Although you may delete the unencrypted files, you should realise these were previously uploaded to your cloud storage provider. As such, you should check with your storage provider on their data retention policies.