Windows encrypted files sent to iOS device

I used the built-in encryption capability on my Windows 10 laptop to lock down some folders and individual files. Today I emailed myself one of those files and found I was able to view it on my phone. No encryption, didn’t need to enter the code.

So far, I’m unable to find an answer to this. Me doing something wrong is probably a good guess. Or does that sort of encryption not work between different platforms?

Encryption does work between different platforms. Perhaps you accidentally emailed the plaintext?

You likely used the at-rest disk encryption. The file is decrypted automatically on access.

To email an encrypted file, use something like GPG, by itself or as a plugin. The message should look like a bunch of random characters, and the recipient will not be able to read it without the right key or without entering a password, whatever you used.

ETA: Mostly ninja-ed while I was stuck on the phone. …


The answer depends on exactly how you did the file- or folder-level encryption. Windows 10 Home does not have built-in file- or folder-level encryption. The higher SKUs of Win10 do.

If you ever have to enter a code to read a file you are not using Win10 built-in encryption. So the first question we need answered to get your FQ resolved is what encryption tool you actually used.

The Win10 higher SKU encryptions never need you to enter a code. Those file- and folder-scoped encryptions only apply to the copy on your disk. As soon as the file is transferred into another app, such as an email client, word processor etc., the file is silently and transparently decrypted along the way. The use case for this type of encryption is to make your stolen laptop or hard drive unusable unless they can log on as you.

Here’s more layman-level coverage of Win10 built-in encryption and other options that are probably closer to what the OP intended to do.

This is from the Arch Linux Wiki but the discussion is generic:
Data-at-rest encryption

Stranger
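The transparent-decryption behaviour described in the post above, as an added example that is not part of the original thread: Windows PowerShell on a Win10 SKU that has EFS (Pro/Enterprise/Education). The folder, file name and contents are constructed for the demo; nothing here is the OP's actual data.

```powershell
# Added example (not posted in the thread): show that EFS protects only the copy
# on the NTFS volume and hands every application the plaintext. Windows PowerShell
# on a Win10 SKU with EFS (Pro/Enterprise/Education); paths and contents are made up.

$secretDir  = Join-Path $env:USERPROFILE 'Documents\Secret'   # assumed folder
$secretFile = Join-Path $secretDir 'notes.txt'                # assumed file
New-Item -ItemType Directory -Path $secretDir -Force | Out-Null
Set-Content -Path $secretFile -Value 'constructed sample content'

# Same thing as ticking "Encrypt contents to secure data" (the gold lock).
[System.IO.File]::Encrypt($secretFile)

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted flag is a file attribute of the NTFS copy; it says nothing
    # about any bytes that an application has already read out of the file.
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

Test-EfsEncrypted $secretFile       # True: the on-disk copy is encrypted

# Logged in as the user who encrypted it, any app simply reads plaintext. No prompt.
$plaintext = Get-Content -LiteralPath $secretFile -Raw
$plaintext

# What an email client (or "Save As", or a sync agent) does: read the bytes and
# write them somewhere else. The new file is an ordinary, unencrypted file.
$exported = Join-Path $env:TEMP 'notes-attachment.txt'
Set-Content -Path $exported -Value $plaintext -NoNewline
Test-EfsEncrypted $exported         # False: this is what got mailed to the phone

# Copy-Item onto another NTFS volume keeps the flag (that is the gold lock seen on
# the external drive); such a copy is readable only where your EFS key exists.
# cipher /c lists exactly which user certificates can decrypt the file.
cipher.exe /c $secretFile
```

Run it as an ordinary user; EFS needs no admin rights for your own files. The `Test-EfsEncrypted` result on the exported file is the whole story: the moment data leaves the NTFS volume through an application, the encryption attribute is gone and the bytes are plain.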

I think I’m following this so far.

Does the same hold if I were to copy my “encrypted” files onto an external hard drive? Last week I moved one and it showed the gold lock symbol - but what happens if that file is viewed on a different computer? I’m guessing nothing. Which raises the question: what the hell good is this?

There are also many ways to transfer files from one device to another over an insecure network, if that is what you need. Magic Wormhole, for instance.

Do you ever have to type in a password or insert a key dongle/file to unlock any data? Like before or during boot, or login? If not, then it’s no good. If the external drive is encrypted, it should ask you for a password or key when you insert it (especially on a different computer!!!). @Stranger_On_A_Train’s link is very informative.

No. So, what exactly have I accomplished? The files / folders are encrypted on my laptop only? What is the point of calling this encryption if it doesn’t actually encrypt anything in a useful manner?

I’ll read the provided links (thank you!) and figure out what I really need, but this sort of thing annoys me. Reminds me of that Simpsons episode where Lisa tries to ride the bus. She gets on the number 22, only to find herself stranded - turns out on Tuesdays and Thursdays it’s the 22-A bus with a completely different route.

Data at rest encryption is intended solely to protect against the scenario of somebody reading or stealing your hard drive. What they get off it that way is gibberish. What you and all your apps get is the plain text. Effortlessly.

That’s in fact a really valuable security feature. For what it’s for. If you thought it did something else, well, oops.

Someone can’t pull the hard drive out of your machine (or mirror it) and access the data without logging in as you or entering your password for authentication. But if someone can access your laptop and log in under your account (or whatever accounts are authorized) then they have full access to the files. Any individual files or folders you send from your laptop that are not themselves independently encrypted are completely accessible to anyone who can access them.

Stranger

Security is always a difficult balancing act. Security, at its essence, means making it harder to access things. But if you make it too hard, then people will choose not to use it, and it becomes completely worthless. The result is that the only security that’s universally available (like, pre-installed and enabled by default on Windows PCs) is security that’s almost completely transparent to the user, and which therefore probably isn’t very secure.

It is definitely possible to set up a Windows (and not only Windows) machine so that when you turn it on, it boots and auto-logs in as a user, all without entering any password.

That really isn’t the way to look at it. Security isn’t a single piece of encryption software, or a complex password, or physically locking down the machine; it is all of those things in layers, and including the user understanding that they shouldn’t do things like open unknown email attachments, click on links from strange IT-ish messages, or install unvalidated software, and certainly not share passwords or keep them on a spreadsheet in their “Public” folder using only the built-in “Protect Sheet” function in Excel that a talented eight-year-old could break in thirty seconds flat.

In this case, the files on the hard drive are secure from non-authorized users (at least, ones that can’t break the encryption) but are accessible once the OP logs in, with the default assumption that this is a single-user laptop that doesn’t connect to a LAN or share those files with a server somewhere. So, the security stops with the authorized user and their awareness of what networks or systems they might attach to. If the user wants to send those files via email or some other plaintext system then they either need to install a peer-to-peer encryption on the email client (both sides) and have a shared key or symmetric-key system like the GPG system—a ‘freeware’ version of the commercial Pretty Good Privacy (PGP) public key system—to transmit in the clear while maintaining security of the message. If you wanted to directly transmit files to another secure system, you could use ssh (Secure SHell) using a similar encryption protocol.

The default security on Windows is generally pretty out of date in terms of algorithms and implementations, although I have to admit a lack of familiarity because I don’t configure Windows systems, but security on macOS, Linux, and *BSD systems is generally as up-to-date with current encryption standards as possible. But again, encryption is just one piece of security, and frankly not the one that is generally attacked by ‘hackers’ because it is usually easier to just call up a user, pretend to be “tech support”, and get them to tell you their password, which despite decades of warnings users do all the time anyway.

Nobody should ever do this, ever, on a personal or occupational machine that has any kind of important or proprietary data for reasons that I would think should be obvious.

Stranger
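Encrypting the file itself with GnuPG before it is emailed, as the replies above suggest, shown as an added example that is not code from anyone in the thread. It assumes Gpg4win’s gpg.exe is on PATH in Windows PowerShell; the file names, passphrase and recipient address are constructed placeholders.

```powershell
# Added example (not from the thread): encrypt a file with GnuPG before it goes
# anywhere EFS cannot follow (email, USB stick, cloud share). Assumes Gpg4win's
# gpg.exe is on PATH; file names and the passphrase are constructed for the demo.

$plain = Join-Path $env:TEMP 'report.txt'            # assumed file to send
Set-Content -Path $plain -Value 'constructed sample content for the demo'

# --- Option A: passphrase-based ("symmetric") encryption --------------------
# Use this when the recipient has no OpenPGP key. The passphrase must reach the
# recipient out of band (phone call, in person), never in the same email.
# Storing it in a file is for the scripted demo only; interactively, drop the
# --pinentry-mode/--passphrase-file options and type it at the prompt.
$passFile = Join-Path $env:TEMP 'demo.pass'
Set-Content -Path $passFile -Value 'correct-horse-battery-staple' -NoNewline
$cipherText = "$plain.asc"

gpg --batch --yes --armor --symmetric --cipher-algo AES256 `
    --pinentry-mode loopback --passphrase-file $passFile `
    --output $cipherText $plain
if ($LASTEXITCODE -ne 0) { throw 'gpg encryption failed' }

# What the recipient (or anyone reading the mail in transit) sees: an
# ASCII-armored blob with nothing recognisable from the original.
Get-Content -Path $cipherText | Select-Object -First 4

# Decrypting on the far side with the same passphrase. A wrong passphrase gives
# no output file and a non-zero exit code rather than garbage.
$recovered = Join-Path $env:TEMP 'report-recovered.txt'
gpg --batch --yes --pinentry-mode loopback --passphrase-file $passFile `
    --output $recovered --decrypt $cipherText
if ($LASTEXITCODE -ne 0) { throw 'gpg decryption failed' }

# Confirm the round trip reproduced the file byte for byte.
$same = (Get-FileHash $plain).Hash -eq (Get-FileHash $recovered).Hash
"Round-trip intact: $same"

# --- Option B: public-key encryption --------------------------------------
# If the recipient has an OpenPGP key that you have imported and verified
# (fingerprint checked out of band), encrypt to that key instead; no shared
# secret is needed. 'alice@example.com' is a placeholder.
# gpg --armor --encrypt --recipient alice@example.com --output "$plain.asc" $plain

Remove-Item $passFile -Force   # do not leave a passphrase lying around
```

The `.asc` file is the thing to attach. On the phone it is just random-looking text until an OpenPGP-capable app is given the passphrase (Option A) or the matching private key (Option B), which is the behaviour the OP expected from EFS in the first place.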

This is no longer the case for either stand-alone or domain-joined Windows computers. TLS 1.2 or higher, SMB 3.0, and NTLM is deprecated and replaced by Kerberos. BitLocker full-disk encryption with keys in TPM 2 is as secure as it gets.