How To Guide
How to Encrypt Cloud Data for Extra Security
Cloud providers encrypt your data in transit and at rest, but they hold the encryption keys. Client-side encryption means only you can decrypt your files.
Overview
Standard cloud encryption protects against external hackers, but the provider can technically access your files. Client-side encryption adds a layer where only you hold the key.
Step 1: Encryption Tools
Free and paid tools for encrypting cloud files.
1
Cryptomator (Recommended - Free)
- Download from cryptomator.org (free, open source)
- Create a new vault inside your cloud sync folder
- Set a strong password for the vault
- A virtual drive appears where you can save files
- Files are encrypted before syncing to the cloud
- Works with OneDrive, Google Drive, Dropbox, and any cloud provider
2
VeraCrypt
- Download from veracrypt.fr (free, open source)
- Create an encrypted container (a single encrypted file)
- Mount the container as a virtual drive
- Save sensitive files inside
- Unmount when done — the container file syncs to cloud
- More complex than Cryptomator but extremely secure
Pro Tip:
Cryptomator is the easiest option for most people. It integrates seamlessly with cloud sync folders and encrypts individual files rather than one large container.
Step 2: Cloud Encryption Best Practices
Use encryption effectively.
1
What to Encrypt
- Financial records: tax documents, bank statements, invoices
- Personal documents: passport scans, medical records, insurance
- Business files: contracts, client data, intellectual property
- Password databases (though use a password manager instead)
- Don't encrypt everything — only sensitive files need client-side encryption
2
Password and Key Management
- Use a unique, strong password for each encrypted vault
- Store the password in a password manager (not in the cloud vault!)
- Keep a written backup of the password in a physical safe
- If you lose the password, the data is permanently inaccessible
- Test decryption periodically to ensure you can access your files
- Share vault passwords only through secure channels
3
Implementation Best Practices
- Encrypt before uploading: Client-side encryption must happen on your device, not in the cloud
- Test the encryption workflow end-to-end before relying on it for critical data
- Create a documented procedure for encrypting and decrypting files
- Ensure the encryption software works on all platforms your team uses
- Consider performance impact: Encrypted files take slightly longer to open and save
- Maintain an inventory of which files and folders are encrypted
4
Key Management
- NEVER store the encryption password in the same cloud account as the encrypted files
- Use a password manager to store encryption passwords securely
- Create an emergency access procedure: What happens if the person with the password is unavailable?
- Consider key escrow: Store a copy of the encryption key in a physical safe
- Test decryption periodically to verify you still have access to the keys
- If using team encryption, document the key distribution and rotation process
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.