Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Question

How do I transfer files securely?

Aug 4, 2014 9:52PM PDT

I have to send some private files to my accountant, but I'm not sure how to do that securely. Can someone recommend me an encryption service?

Discussion is locked

- Collapse -
Answer
Re: encryption
Aug 4, 2014 9:57PM PDT

I'd use a zip-program (like free 7zip) to compress those files and set an encrypion key on the resulting zip-file. Then mail the zip-file to your accountant as an attachment and in a seperate mail tell him the encryption key.
No need to use a service on the web.

Kees

- Collapse -
Answer
How secure must it be?
Aug 5, 2014 4:55AM PDT

The usual ZIP and password should suffice unless you think you need protection from the usual three letter governmental agencies. In that case we have to move beyond what you find online as all fail to address a common flaw.

And mail/shipping is now less secure than it ever was:
http://www.businessweek.com/news/2014-07-17/fedex-indicted-for-distributing-controlled-drugs-online
"
Basic Tenet

FedEx said last year that an indictment or prosecution in the case would threaten a basic tenet of its shipping business - - not opening packages.
"
Sounds to me that you should put them on a memory stick and hand it to them directly if you must keep it safe.
Bob

- Collapse -
Answer
Encryption
Aug 6, 2014 12:11AM PDT

I wouldn't trust vanilla .zip file encryption, period. The only app I'd trust is Truecrypt. It's compromise is questionable, and its encryption is second to none.

If you have to do it by e-mail or DVD, I'd use Truecrypt (only v7.1a, NOT 7.2 readonly one!!). Use very long key, 25+ characters. Send encrypted files and the key over separate cover. Ideally send files on DVD via US Mail, and use separate US Mail letter for key, with no identification of what its a "key to"; just the key. The recipient should be alerted and will know what to do with the key when they receive it. Of course be sure to point recipient at the source to download Truecrypt. You can walk them through the install if needed.
I'd use Steve Gibson's website: https://www.grc.com/misc/truecrypt/truecrypt.htm

Alternatively, you'd have to set up a VPN connection with the party receiving it. Probably not possible with most small businesses.

**** Luck,
PChem

- Collapse -
Answer
Securely Send
Aug 6, 2014 9:15AM PDT

You could try letting a cloud based service send the file. You could try out Securely Send - Securelysend.com.
It allows you to send the file as an encrypted message with links only to the intended recipients.

- Collapse -
Answer
Couple of ways
Aug 6, 2014 3:54PM PDT

The easiest way, without the need for either person to install any software, is to use a service like https://www.sendfilessecurely.com . It handles all of the encryption for you and you can password protect it. You upload the file; they download the file. Simple, secure, and free. This is the service I've used with my accountant and mortgage lender.

If both you and the other person are willing to install software, use something like http://www.axantum.com/AxCrypt. This is arguably more secure since the encryption happens on your PC, but it requires you both to have the software installed which is not always an option.

- Collapse -
Answer
Encrypted transfer
Aug 7, 2014 6:55PM PDT

If you don't want to register or pay for your transfer, pCloud Transfer is an option https://transfer.pcloud.com/ .
However, if you want to use an encryption software, try searching for cloud-based services like bcsman79 pointed out.

- Collapse -
Answer
Do Folks Really Understand What "Secure/Private" Means?
Aug 7, 2014 10:28PM PDT

I'm seeing replies about using Cloud Services and sending your data somewhere to be encrypted, etc.
The ENTIRE point of Secure/Private is to have the data in as few hands as possible, and for you to control exactly whose hands touch it. I know I suggested U.S. Postal Service to send encrypted data and separate key, but at least all data was pre-encrypted by you personally, and it's a felony to tamper with it (and pretty anonymous amongst the millions of letters sent every day). Pretty hard to find it unless you're on "their" list.
Any "cloud" service has unknown/questionable ability to handle your critical data. Are they doing due-dilligence on their Server security? Are you handing them anything not encrypted? Big mistake in my book.
We already know GMail is "scanned" like it or not (this weeks article on catching child porn "bad guys.")
Frankly, I wouldn't trust anyone with my truly sensitive data. Want convenience of "cloud", then set up your own on your home network with a NAS, and access it through VPN (capable on many Routers). Putting pictures of yourself and your family for public access? Your travel plans? Your tax info (SS #, etc.) No thanks. Just sit back and think about it. Yes, the Gov. and NSA can probably get at anything they want, but don't make it dumb-***-easy for them. Or for the Black Hat hackers in Eastern Europe and Asia. Remember, your data starts out secure in your hands and in your house. Then YOU are the one that compromises it for convenience or through lack of knowledge.

PChem

- Collapse -
Reality?
Aug 8, 2014 3:11PM PDT

PChem, what you say is absolutely true, but as Steve Gibson often eludes to, there is a balance between usability and security that we all have to decide upon. Sure I can encrypt a hard drive with TrueCrypt and mail it to my accountant, but is he going to know what to do with it. It depends, but my experience is that it's not likely. I once tried four different methods to get my financials to a loan officer in a secure manner. Every method failed for one reason or another... he didn't have permission to install certain software, their firewall blocked the self-extracting encrypted .exe, etc. The fact is security is difficult for the average person. Thus we have to compromise a little if we want usability which may result in using something like an encrypted cloud service.

Oh, and do YOU really understand what "secure/private" means? I assume you do and you make your own computer components from scratch, right? Or are you placing your trust in the manufacturers of said components which probably come from another country?

- Collapse -
I sure do!
Aug 11, 2014 2:40AM PDT

Yes I understand what secure/private means quite well, thank you. Most folks do not. And sending anything off to the Cloud is NOT. I quite successfully sent Truecrypt'ed files to my lawyer, and he opened them easily with the software already on the CD; and he is NOT a techie. My clear instructions and set of files is all one needs.
You don't send a self-extracting .exe, that gets flagged by the System and A/V for sure (but should still be OK after a scan). Send a file with no extension. Truecrypt let's you manually browse to the file. If an accountant can't follow simple directions, I'd seriously consider getting a new one.
Another advantage of sending encrypted files, is that if the accountant leaves the CD lying around, it still does nobody any good because they don't have the decryption key.
Bottom line: If you are sending your SS # and other such info to ANYONE you are not familiar-with in an un-encrypted manner, along with personal financial information, your are taking risks I would never be comfortable with. But it's your identity, not mine. Do as you please. Convenience will be most people's Achilles' Heel. The 1-2 hours of extra effort to perhaps drive somewhere and hand-deliver a package is inconvenient. But its' nothing compared to the 1-2 years to get our from under an Identity Theft.
I most certainly do build my own PC's from retail parts and software. No crapware, no OEM-hobbled boards. Performance: outstanding.
If the NSA wants to get at my machines, neither you nor I will stop them. But with proper personal security practices, NAT-router, software Firewall, and A/V, I'm at least doing my due diligence to discourage the "easy-pickens" black-hats.

Good Luck
PChem

- Collapse -
Reply
Aug 13, 2014 12:28PM PDT

Try telling someone's mother that your "clear instructions" are all they need. I'm guessing you don't deal much with the computer illiterate.
And I didn't mean building your own PC with retail parts. I was referring to making the parts yourself from scratch. You "think" you are secure, but if you didn't manufacture your computer components, router, software, etc. yourself then you are no better than the person trusting a cloud provider.

- Collapse -
SYNTAX ERROR
Aug 13, 2014 6:33AM PDT

"PChem, what you say is absolutely true, but as Steve Gibson often ELUDES to, there is a balance between usability and security that we all have to decide upon"

alludes

- Collapse -
LOL
Aug 13, 2014 12:11PM PDT

Welcome to the Internet! A place where people take time to leave a comment that has nothing to do with the discussion at hand, but instead corrects one spelling/grammar error (ignoring the fact that people leave comments from various devices that are known to incorrectly auto-correct). Bravo Ferretkeeper, bravo.