The OP was asking for information on file protection and protection from hacking and so the response was very appropriate IMHO.

Thanks for the info on TrueCrypt...I'll get us switched over to VeraCrypt and look into the Bitlocker + TPM suggestion too.

If you share in the cloud, you could consider Hitachi Credeon.

http://psg.hitachi-solutions.com/cre...ction-overview

On Linux, the general thing is called LUKS, and the command-line tool is called "cryptsetup."

(Usually, distributions will just have a checkbox during set-up to enable encryption.)

Enterprise, or Ultimate, for Vista and 7.
Pro or Enterprise for 8/8.1
Pro, Enterprise, or Education for 10.

As a regular user would use it, and for the normal range of attacks, TPM just saves you from needing a pre-boot password; it can be used to make it more secure, but unless you're dealing with say, the PRC or FBI or some very serious industrial hackers trying to break into your machine, the extra possible security is an irrelevance. Plus, if you don't know what you're doing (or your corporate security detail does) you may actually be less secure with TPM -- or liable to locking yourself out and needing a recovery key.

I wouldn't say it's TrueCrypt that had developed its own bugs needing its own addressing.

http://www.theregister.co.uk/2015/08...rypted_by_fbi/

Umm. TPM does much more than that. Give me a machine that's bitlockered without TPM and I can break my way in (and have). -note I'm not a hacker. I'm on the good side

And no, in a corporate environment, there are ways to ensure that people don't lock themselves out. The recovery key can be tied to Active Directory so a user can retrieve it, say by just using their alias.

If so, it wasn't configured adequately (and a misconfigured machine with a TPM is equally prone to being broken into; it's just a different set of attacks.)

TPM basically just gives you two things; pre-boot configuration verification (although this has the risk of a lot of accidental lock-outs) and being a physical token for pre-boot authentication.

Windows still caches the key, so memory-based attacks can be used to recovery the key -- given a locked machine without a BIOS password, there are some realy fun hacks involving cooling the DIMMs.

It's also still pretty easy to grab Windows passwords via trojan horse programs (or via browser hacks if the user uses Webmail, and the Outlook password is the domain password.) It's also pretty easy to beat a password out of someone, or get it via subpoena.

If you think you can break bitlocker on a totally cold environment without TPM, I tell you what -- I'll bitlocker-encrypt your choice of a cheapo USB stick or an old bootable hard drive with a strong password and then mail it to you, with a message. Post the message here, and I'll donate $100 to a US 501(c)3 charity of your choice.

Like I said, that's a matter of if you (or your IT support) knows what they're doing. And assuming giving people self-service access to their recover keys (either directly, or through AD) opens up a whole new volume of potential attack avenues.

The number of people I know who've either printed their recovery key and/or saved it to Google/Dropbox/Box/Onedrive is really high.

Bitlocker, with or without TPM, or LUKS, or most of these full-disk encryption programs are best for preventing casual data theft after a machine is lost or stolen, but they're hardly perfect protection (indeed, there is literally no such thing on a portable, network connected computer -- and even perfect security in an electronic sense -- air gap and faraday cage -- is only as good as the physical security guarding it.)

Agreed.

So true, as with how ATMs are used to rob people made to give up or even enter their own card PIN at the ATM; but the "wrench" may sometimes be things that don't involve direct physical violence: examples such as threat of prosecution on more charges or of worse sentencing outcomes if/when convicted; such as threats to ruin the lifestyles/opportunities of relatives/friends.

Sure.

Ain't a much bigger wrench on earth than the force of the law.

for individual files/directories, I use axcrypt (free): http://www.axantum.com/AxCrypt/

if I need to put that data in the cloud, I use tresorit (also free with paid plans as well): https://tresorit.com/

Surprised no one has mentioned Jetico's BestCrypt. I know it's not open source (although they do publish their encryption and keygen routines), but their volume and container encryption is excellent, fast, and secure.

I did a lot of homework on this a year or so ago, and ultimately decided on them.

The linux version (at least) of BestCrypt is open source. It and TrueCrypt are (were) very similar.

To the OP: I could suggest separating the problems of encrypting flies on disk v. being shared. For things on local disk, use some combination of full disk encryption + BestCrypt or some other "container" encryption.

For encrypting individual files (e.g. to share), there are countless tools. One answer might be GnuPG in symmetric mode:

gpg --output doc.gpg --symmetric doc