Encryption of Files stored on OneDrive. what works best and how to do

I want to encrypt dome documents I am storing in OneDrive. These are not ultra sensitive documents  but some are academic and I would like to keep them private What would you Advise?

My O.S. is Windows 10.  OneDrive sync client version
Michael MurphyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
use 7zip or winzip and password encrypt the files before uploading them.
modern version should use aes to encrypt.

gnupg or pgp  are also useful tools
Aaron TomoskyDirector of Solutions ConsultingCommented:
for small files, make a versacrypt container and use that to hold them, put the file in onedrive. make sure to change the defaults so the file modified time changes. con: will only work from computers with versacrypt, so no access via the onedrive app on your cell.
Michael MurphyAuthor Commented:
I already have these files stored in OneDrive. Can I encrypt them within the program or must I extract them and encrypt before syncing to OneDrive?
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Aaron TomoskyDirector of Solutions ConsultingCommented:
Versa crypt is a container, like a zip file. You mount it to a drive letter and copy files into it. OneDrive sees it as a single file.
Also possible: EFS. Introduction: https://technet.microsoft.com/en-us/library/cc962121.aspx
Anyway: backup your encryption keys - for EFS, that would be a certificate.
EirmanChief Operations ManagerCommented:
A lot depends on the number of files/documents you wish to encrypt.
This directly will affect the size of your encrypted container.
A large encrypted container may be the cause of some inconverience.

As far as I know, most backup providers will not allow you work inside a remotely decrypted container.
If you have for ecample, a 2gig container with a bunch of documents and you wish to edit one document
you decrypt it locally (i.e. client side) and then backup the whole 2gig.

However ....
This describes using Veracrypt in conjunction with Dropbox.
You CAN work inside a large remotely decrypted container.

Personally, I don't trust any cloud backup service 100%.
I don't upload any unencrypted files - I always encrypt/decrypt locally.
If you only have a handful of documents that need to be encryped, it might be better
to encrypt them individually and continue to use OneDrive.
(Work on and decrypt the files locally and then Synch them with OneDrive).
https://www.axcrypt.net/   (128-bit AES encryption)
http://www.7-zip.org/  (256-bit AES encryption)
EirmanChief Operations ManagerCommented:
I already have these files stored in OneDrive. Can I encrypt them within the program or must I extract them and encrypt before syncing to OneDrive?
You should remove from OneDrive >>> Encrypt them locally >>>> Backup the encrypted files.

Another one worth looking at .... https://www.boxcryptor.com
Michael MurphyAuthor Commented:
Right. I decided to install AES encruption. I downloaded a Guide to installation.
 I downloaded the AES  file.  I clicked on the Aescrypt.msi file and it ran, installing successfully. I then clicked on  the setup.exe file. It ran so far. Then it told me I had a conflict that a more recent version Microsoft Visual ++  2010 was installed on my system.  I then removed this from programs.
I started again and when I ran setup.exe it appeared to work. But at the end I was told that there was an error: this was the message:
Unable to locate application file 'AESCrypt.msi'.
The following components were successfully installed:
- Visual C++ 2010 Runtime Libraries (x64)
See the setup log file located at 'C:\Users\smarc\AppData\Local\Temp\VSD71C0.tmp\install.log' for more information.
 I tried to encrypt a Word file. I clicked on the encrypt option and filled in a password and it appeared to work. However when I tested  to unencrypt the file and entered my password I was told that although the file was there it could not be unencrypted.
What to do?
(P.S. I tried this on two computers - same result with each).
Use EFS.
Michael MurphyAuthor Commented:
So, am trying to set up EFS. Got step by step guide.
The First instruction is: 'Log in to the Client01 using domain user account (Btech\Darshana).

Am stumped. How do I do this?

I put the question to Internet and got this Youtube Video.
But when I tried to open it all I got was a blank black screen.
Right click a file or folder, select "properties" - advanced and put a checkmark on "Encrypt contents to secure data". That's it. Now after you do it, you will have to backup the encryption key.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Michael MurphyAuthor Commented:
I created a file and put some text in it. Called Test File.docx
I right clicked on it and checked 'Encrypt contents .....'. Now a yellow padlock appears on the file icon. I click on the file expecting to be asked for the encryption key. But the File opens without it.
I try another file. The yellow padlock appears, but the file is not encrypted.
Remember that in my first comment I linked something? Read it, please, it explains why what you see is normal and expected. For a test, please logon as another user and try to open that file.
nociSoftware EngineerCommented:
So with EFS the key is stored on the system somewhere, retrievable by the user..., sysadmin, whoever knows where to look.
With tools like winzip (recent)  the earlier aestools.. this key is separate.
Can with EFS also send the files somewhere and  and the key in a separate way so the recepient can decipher.
If the key is stored in the cloud the owner of the cloud has access there.

If The windows AES tools don't work because to DLL-Hell,   cygwin might provide a solution.  (they say the tools should work on windows 7 or 8.., assuming you found it here: https://www.aescrypt.com/windows_aes_crypt.html )

Cygwin provides a linux/unix emulator library  for windows. Cywin has been usable technology for >15 years.
"So with EFS the key is stored on the system somewhere, retrievable by the user..., sysadmin..." - the sysadmin is always in charge. You feel you can hide things from the sysadmin? What if he deploys a keylogger? Any solution is unsafe against other admins on the same system.
"...whoever knows where to look." - no, other users cannot get the key since they cannot access certificates of other users.
nociSoftware EngineerCommented:
Any solution is unsafe against other admins on the same system.
 That is where cloud systems fail.
In the AES method the key can be kept somehere else eand only the crypted text is sent around..

Remember the Cablegate?    images of the AESencrypted collection were sent all over the net.  The key  was only sent to specific parties.
Michael MurphyAuthor Commented:
Cannot get anywhere and am very frustrated. Decided Veracrypt would be best for me. Downloaded Verscrypt and 'Beginner's Tutorial: 'How to CREATE and USE VERACRYPT.
Went through all the steps until the one to Mount the Volume. Told I could not because I did not have Administrator Privileges. So logged in as Administrator and went through all the steps, finally being told that I had Mounted the Volume successful.

What comes next: I want to put files into the Container, and then only to access them by using the password (which opens the encrypted Container). Cannot succeed in doing this.
I locate the container file using search. I click on it to open it, but cannot. I go to THIS PC, see the Drive which I nominated (M) click on it, see the container. I am able to transfer files into the container (not asked for password). Later I want to test that the container is encrypted. so I again go to THIS PC, click on the Drive. It opens, showing the container. When I click on the Container the files which I put there appear, and they open when I click on them. Where is the Encryption?

Furthermore when I close down my Computer and restart it, and go to THIS PC  I find that the Drive M in which the container was mounted, has disappeared. What to do?
If you could tell me what speaks against EFS, I would be happy to assist.
EirmanChief Operations ManagerCommented:
When I close down my Computer and restart it, and go to THIS PC  I find that the Drive M in which the container was mounted, has disappeared
That's exactly as it should be. At this point in time your files are excrypted within the container.

Double click on your container .... enter password ..... Drive M should appear.

The contents of your container are now decrypted and available on M:.

Dismount the container to encrypt the contents. Drive M should dissappear.
Michael MurphyAuthor Commented:
When I double click on my container I do not get asked for password. Instead I am asked 'How do you want to open the file?
I am attaching a screenshot of this. (the container is named :'My Container'.)  Clearly I am doing something wrong.
Michael MurphyAuthor Commented:
Am trying EFS again in response to McKnife above.
I find that when I reach the point when I am to click the box opposite:  'Encrypt Contents to Secure Date', that line is blanked out. I can see it but cant click on it.
I  then ran the laptop  as Administrator. Same result. Same result too for several different files (all created with Word 2013 (docx files).
My OS is Windows 10 Home (2017)
The home edition does not support EFS, so it's out unless you are willing to pay for a windows version upgrade.
EirmanChief Operations ManagerCommented:
When I double click on my container I do not get asked for password. Instead I am asked 'How do you want to open the file?
That sometimes happens with windows10 the first time you open a certain file type. Just choose veracrypt as the program to open the file and tick the ALWAYS OPEN WITH option.  Windows will not ask you again, once you have set the default program for Veracrypt Containers.

Note: If Veracrypt  is not listed as a program choice, you will have to "browse" to it.
Michael MurphyAuthor Commented:
For McKnife.
I I found a PC I use has Windows 10 pro. I tried to encrypt a file using this.  

Right Click on file, Properties/ Advanced.   As you indicated the the line 'Encrypt Contents to Secure Date', is NOT blanked out, indicating EFS is installed.
I tick this option. Then given choice to encrypt either 'file' or 'folder' I select  to encrypt the file, not the folder.
 I click 'apply' and 'ok'.
 I click on 'details' and see thumb certificate (
something like B(CD7B28333...)
What more should I be doing, as when I reach this  stage I thought the file would be encrypted. However it is not encrypted. When I click on the file it opens straight. When I reboot the PC  the file is still not encrypted.
It is encrypted to a certificate that belongs to your user, which means, it automatically unlocks when your user tries to open the file. That is how EFS works, nice and easy. Now try top open it as another user (copy it to a public folder) to verify.
Michael MurphyAuthor Commented:
Thanks for that. I logged in as Administrator and could not open the file.  Thanks for putting me right on this. Much appreciated. Am a pensioner and brain cells are not  what they used to be. But I will now be able to do what I want with regard to encrypting files.
Michael MurphyAuthor Commented:
Now I can encrypt documents / files using EFS, but I still want to also use VeraCrypt. I went through the instructions  (Beginner's Tutorial - How to CREATE and USE a Veracrypt). I think I am find as far as the point when I receive the message that 'you have successfully created a VeraCrypt volume.'  I may be going wrong in the next steps.  STEP 10 tells me to select a drive from the list of Drives.  I select M.  It also tells me to 'Click Select File ... the standard file selector window should appear'. It does appear and I see the container.  STEP 11 tells me to 'Select the Container File' and click 'open'.  I do this. STEP 12 Says: 'In main VeraCrypt window, click "Mount". Password prompt dialog window appears'.  I do this and the dialog window appears.  STEP 13 says:  'type the password ( which you specified in Step 10).  But I did not specifiy a 'password' in STEP 10. I entered a password in STEP 8 (The Volume Password). I enter the Volume password and VeraCrypt does not object. I click OK. I am told that the Volume has been successfully Mounted as a virtual disk M.

Any what happens now is I go to My PC, locate the M drive. Click on it and open the Container. I put a Word file into this Container.
The container is supposed to be encrypted. However when I sign on as a different user (as Administrator), and locate the container, the Container is not encrypted and I can access and open the Word File.
Normal and expected.

You need to dismount the volume to protect it from other users on the same machine.
Michael MurphyAuthor Commented:
Eureka. I understand how it works now. Really must thank you for staying with me on this and guiding me. Much appreciated.
Michael MurphyAuthor Commented:
Got there in the end. Thanks to all
Fine. Now focus on backups of encryption keys and practice recovery at least once.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.