Encryption for personal documents: a beginner's guide
My neighbor Gary keeps a folder on his desktop called "Important Stuff." Inside are scanned copies of his will, his Social Security card, the deed to his house, and a spreadsheet of every password he uses. None of it is encrypted. He told me this over the fence one afternoon like he was telling me he'd changed his oil.
I asked him what would happen if his laptop got stolen. He paused for a second and said, "I guess that would be bad."
That's where most people are with document encryption. They know, vaguely, that it exists. They suspect they should probably do something about it. And then they don't, because the whole topic sounds like it requires a computer science degree and three hours of free time.
It doesn't. Encrypting your personal documents is simpler than most people assume, and once you understand what's actually happening, the setup takes less time than organizing a junk drawer.
What encryption does (and why your documents need it)
Encryption takes a readable file and scrambles it using a mathematical formula so that anyone who opens it without the right key sees gibberish. That's it. The file still exists, still lives wherever you stored it, but its contents are locked behind a password or key that only you control.
Without encryption, your personal documents are sitting in plain text on whatever device or cloud service holds them. That means anyone who gets access to that device (a thief, a hacker, a nosy roommate, a repair technician) can read everything. Bank account numbers, Social Security numbers, medical directives, the letter you wrote to your daughter. All of it, wide open.
According to the FBI's Internet Crime Report, identity theft and personal data theft accounted for over $12.5 billion in losses in 2023 alone. Most victims didn't have their data stolen through some sophisticated cyber attack. They lost a laptop, used a weak password, or stored sensitive files without additional protection.
Encryption changes the math. Even if someone gets your device or breaks into your cloud account, they still can't read the files. They'd need the decryption key, and if you've chosen a strong password, cracking it through brute force would take longer than a human lifetime.
Encryption you already have (and probably aren't using)
Here's the part that surprises people: your computer almost certainly has built-in encryption tools that you've never turned on.
If you use a Mac, FileVault encrypts your entire hard drive. You enable it in System Settings under Privacy & Security. Once it's on, everything on your drive is automatically encrypted when the laptop is locked or shut down. If someone steals the machine, the drive is unreadable without your login password.
Windows has BitLocker, which does the same thing for your hard drive. It's available on Windows Pro and Enterprise editions. You turn it on in Settings under Privacy & Security, then Device Encryption. If you're on Windows Home, Device Encryption offers a simpler version of the same protection.
iPhones and modern Android phones encrypt their storage by default, as long as you have a passcode set. If your phone has a lock screen, your data is already encrypted at rest. Take the lock screen off, and that protection goes away.
The catch with full-disk encryption is that it protects you while the device is locked, but once you're logged in, everything is readable again. It stops a thief from pulling data off a stolen laptop. It doesn't stop someone who sits down at your unlocked computer while you're in the kitchen.
For that, you need file-level encryption.
How to encrypt individual files and folders
File-level encryption lets you lock specific documents with their own passwords, independent of your device. Even if someone is logged into your computer, they can't open the encrypted file without knowing its password.
A few practical approaches:
Encrypted PDFs. Most PDF software lets you add a password when saving. In Adobe Acrobat, you choose "Protect Using Password" under the security options. Preview on Mac can do this too: export as PDF and check "Encrypt." This is the simplest option for individual documents like scanned wills or insurance policies. Make sure the option specifies AES-256 encryption, not just a viewing restriction. Some PDF password features only block the "Open" dialog without actually encrypting the underlying data.
7-Zip (free, Windows and Linux). 7-Zip lets you create an encrypted archive, essentially a locked folder, using AES-256 encryption. Right-click any file or folder, choose "Add to archive," set a password, and select the encryption method. The resulting .7z file is unreadable without the password. It's free, open-source, and has been around since 1999.
VeraCrypt (free, all platforms). VeraCrypt creates encrypted containers, which are virtual drives that look like a single large file. You mount the container, enter your password, and it appears as a regular folder. When you're done, you dismount it and everything inside is locked. This is the best option if you have a whole collection of documents you want to protect together. VeraCrypt is the successor to TrueCrypt, which was independently audited by the Open Crypto Audit Project and found to be solid.
Encrypted disk images on Mac. Disk Utility lets you create an encrypted .dmg file, basically a virtual container that works like VeraCrypt but is built into macOS. Open Disk Utility, choose File > New Image > Blank Image, select 256-bit AES encryption, and set a password. Drag your documents in. When you eject the disk image, everything is locked.
Each of these approaches has trade-offs. Encrypted PDFs are the most portable but only work for single files. 7-Zip archives are easy to share but require the recipient to have 7-Zip. VeraCrypt containers are powerful but take a few more steps to set up.
Encrypting documents in the cloud
Cloud storage services like Google Drive, Dropbox, and iCloud encrypt your files on their servers. This protects against outsiders breaking in, but it doesn't protect against the company itself. The service holds the encryption keys, which means their employees can technically access your data, and a court order can compel them to hand it over.
For most files (recipes, vacation photos, work spreadsheets) that's fine. For your Social Security number, your will, your bank account details, and the personal letters you've written for your family, it's not enough.
The fix is to encrypt your files yourself before uploading them. If you create an encrypted archive with 7-Zip or a VeraCrypt container and then upload that to Google Drive, the cloud service only sees a blob of encrypted data. Even if their servers get breached, your documents stay locked.
Another option is a cloud service that uses end-to-end encryption by design. The article "How to protect your family's documents with encryption" covers this in detail, but the short version is: look for services that explicitly state they cannot access your data, because they don't hold the decryption keys.
Services like Tresorit and Proton Drive are built this way. They cost more than free cloud storage, but for your sensitive documents, the trade-off is worth it.
The password problem (and how to solve it)
Encryption is only as strong as the password protecting it. Use "password123" and you might as well not bother.
A good encryption password is long (at least 16 characters), unpredictable, and not used anywhere else. The easiest way to create one is a passphrase: four or five random words strung together. Something like "correct horse battery staple" (the famous example from the xkcd comic) is both strong and memorable. Your own version should use words that aren't a well-known example from the internet.
The real problem isn't creating the password. It's the question of what happens if you forget it or if something happens to you.
Strong encryption means there's no backdoor. No "forgot password" link. No customer support agent who can reset it for you. If you lose the password, the files are gone. This is true for VeraCrypt, 7-Zip, FileVault, and every other tool on this list.
So you need a backup plan: write the password on paper and store it somewhere physically secure. A fireproof safe, a sealed envelope with your attorney, or alongside your estate documents. If you use a password manager (and you should), store the encryption passwords there too, but make sure someone you trust can access the password manager itself. The guide "Password managers after death" walks through how to set that up.
Think of it as two locks that protect each other. The encryption protects the documents. The physical, written-down password protects access to the encryption. Neither is useful to an attacker without the other.
What to encrypt first
If you're staring at a messy folder of documents wondering where to begin, start with the files that would do the most damage in the wrong hands.
Your highest priority should be anything containing identification numbers: Social Security cards, tax returns, passport scans. Identity thieves can do a lot with a Social Security number and a date of birth.
Next, encrypt financial records: bank statements, investment account details, property deeds, loan documents. Then legal documents: your will, power of attorney, advance directive. And finally, personal documents you want to keep private: letters to loved ones, journal entries, medical records.
You don't have to encrypt everything in one sitting. Spend thirty minutes on the ID documents. Come back next weekend for the financial stuff. The point is to start with the material that's most dangerous if exposed, and work outward from there.
Making encrypted documents accessible to your family
There's a tension at the center of all this: encryption keeps people out, and at some point, you need to let the right people in.
If you encrypt all your important documents and then get hit by a bus, your family is locked out of the very files you organized for them. The encryption that protects your privacy in life becomes a barrier to your family in death.
This is where digital legacy planning and document encryption overlap. You need a system where:
- Your documents are encrypted and safe right now
- A specific person (or people) can access them when the time comes
- That access doesn't compromise security while you're alive
The simplest version: encrypt your documents, write down the password, seal it in an envelope, and put it with your will or estate documents. Tell your spouse or executor that the envelope exists and where to find it. Don't tell them the password — just that they'll find it when they need it.
A more sophisticated version: use a service that builds this in. When I Die Files, for instance, lets you store personal letters and documents with encryption, and set delivery conditions so the right people get access at the right time. You don't have to build the handoff mechanism yourself.
Whatever approach you pick, test it. Ask yourself: if I died this week, could the people I care about actually get to these files? If the answer is "probably not," then the encryption is working against you instead of for you.
A few things people get wrong
Encryption doesn't protect files you've shared unencrypted. If you emailed a plain-text copy of your will to your sister three years ago, encrypting the version on your computer doesn't claw back the email. Old copies in sent folders, messaging apps, and email threads still exist.
Password-protected doesn't always mean encrypted. Some office documents let you set a "password to open" that doesn't actually encrypt the file contents. The data is still there in the file; the password just blocks the software from displaying it. A determined person with the right tool can sometimes extract the text anyway. If security matters, use proper AES-256 encryption.
Encryption isn't a substitute for backups. An encrypted file that only exists on one hard drive is still at risk if that drive fails. Encrypt the file, then back it up to a second location. The encryption travels with the file, so the backup is just as secure as the original.
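To check whether a password-protected PDF is really encrypted, and with which cipher, you can read the encryption settings the file declares about itself. The script below is an added example, not part of the original guide: the function names and the three sample byte strings are constructed for illustration, it assumes the common layout where the file's trailer points to a separate encryption object, and it reports the cipher only, not how strong the password is.

```python
import re

# Crypt filter method (/CFM) names from the PDF standard security handler.
CFM_CIPHERS = {b"AESV3": "AES-256", b"AESV2": "AES-128", b"V2": "RC4"}


def encryption_dict(pdf: bytes):
    """Return the raw encryption dictionary object, or None if not found."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    num, gen = ref.groups()
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    pdf, re.S)
    return obj.group(1) if obj else None


def pdf_cipher(pdf: bytes) -> str:
    """Name the cipher a PDF declares, e.g. 'AES-256', 'RC4-40', 'none'."""
    if b"/Encrypt" not in pdf:
        return "none"  # no encryption dictionary: contents are readable as-is
    d = encryption_dict(pdf)
    if d is None:
        return "unknown"  # encrypted, but this simple scan could not read how
    v = re.search(rb"/V\s+(\d+)", d)
    version = int(v.group(1)) if v else 0
    cfm = re.search(rb"/CFM\s*/(\w+)", d)
    if version >= 4 and cfm:  # modern files name the cipher in a crypt filter
        return CFM_CIPHERS.get(cfm.group(1), "unknown")
    if version in (1, 2):  # legacy files use RC4; key length defaults to 40
        length = re.search(rb"/Length\s+(\d+)", d)
        return f"RC4-{int(length.group(1)) if length else 40}"
    return "unknown"


def check_file(path: str) -> str:
    """Read a PDF from disk and report its declared cipher."""
    with open(path, "rb") as fh:
        return pdf_cipher(fh.read())


# Constructed samples (not real documents): just enough structure to scan.
PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
OLD_RC4 = (b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -64 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")
AES256 = (b"%PDF-2.0\n12 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
          b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 12 0 R >>\n%%EOF")

if __name__ == "__main__":
    for name, data in (("plain", PLAIN), ("old", OLD_RC4), ("aes256", AES256)):
        print(name, "->", pdf_cipher(data))
```

If a document you care about reports anything other than AES-256, re-export it with a stronger setting or put it inside a 7-Zip archive or VeraCrypt container instead.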
Getting started today
Here's a thirty-minute plan:
Gather your most sensitive digital documents into one folder. If they're scattered across your desktop, your Downloads folder, and three different cloud services, pull them together first.
Pick an encryption method from the options above. If you just want to lock down a few PDFs, use the password-protect feature built into your PDF software. If you have a larger collection, create a VeraCrypt container or an encrypted disk image on Mac.
Set a strong passphrase. Write it down on a piece of paper. Put that paper in your fireproof safe, your filing cabinet, or wherever you keep things that matter.
Then tell someone — your spouse, your executor, a trusted family member — that you've set this up and where they can find the password if they ever need it.
That's it. Your most sensitive files are now behind a lock that would take a supercomputer centuries to crack, and the people who matter can still get in when the time comes. Half an hour for something that could save your family real grief.