
Deputy Director of Digital Security


No matter who we are, each of us has information to keep secure and private. For media makers working in film, journalism, and the arts, data protection is essential. Audio, video, image, and text files make up the bulk of their work, and thus, their livelihoods. The stakes of keeping these files out of the wrong hands are extremely high.

We rely on encryption to protect our data as we browse the web and communicate. When media makers require additional protection and fine-tuned control over access to project data throughout the production process, encryption is key. Encryption gives media makers the power to restrict access to their video archive to a single key, or to password-protect folders containing contracts and scripts sitting on a computer.

Technical solutions for these operational needs don’t need to be cost-prohibitive or difficult to master. We can rely on tools built into our operating systems, as well as free and open source software, to get the job done.

Strategies

How to encrypt external storage devices for medium- to long-term storage

External storage devices — like USB storage devices, CF cards, SD cards, and hard drives — hold files for projects current and past. Encrypting these devices protects the files you place on them. This workflow is a travel essential, a useful strategy for highly sensitive archives, and has a multitude of other applications.

How to encrypt containers on your computer to safeguard files

You can think of an encrypted container as a password-protected folder you use to store sensitive files. You can use these folders for small and large files, depending on the size of the container you make. You can keep them on your computer or storage device, as well as upload them to a cloud service to serve as a remote backup for sensitive files.

Technical terms

The term “storage device” refers to entire external storage devices, like USB drives, CF and SD cards, and hard drives.

When you “format” storage media, you are virtually rebuilding a storage device or partition from the ground up. This process allows you to wipe and/or encrypt the storage space.

On a computer or storage device, you store and locate your files through a “filesystem.” Every time you format device storage, you are preparing it with a new filesystem to handle the data you plan to store on it.

A “partition” refers to a subdivision of the total capacity of a storage device. You can start out with a single partition on a device, and then format it to have many partitions — some can be made to be encrypted, and others may not.

We use the terms “container,” “disk image,” and “file container” interchangeably (depending on the operating system in question). In a basic sense, these are spaces you create on your computer to hold a certain storage capacity. You can format them with or without encryption.

“Passphrase” might sound clunky or unfamiliar, but it is just another way to refer to what is commonly known as a password or passcode. We prefer to use passphrase to stress the important requirement of length when creating one.

Software

Windows/Linux/macOS users: VeraCrypt

VeraCrypt is a free and open source volume management tool you can use on all major operating systems. Encrypted VeraCrypt volumes can be read by virtually any computer with no issue, so long as you have VeraCrypt installed. Because of its versatility, it is ideal for teams that plan on sharing encrypted data between macOS, Linux, and Windows devices.

macOS users: Disk Utility

macOS users can use Disk Utility to wipe and encrypt external storage devices, and create encrypted disk images on a computer’s local file system. It comes installed on every macOS device, and is simple to use. When you encrypt a volume with Disk Utility, you'll only be able to decrypt and read that data on macOS devices.

Windows users: BitLocker To Go

PC users running Windows 10 Pro, Enterprise or Education edition have access to Microsoft’s built-in BitLocker suite of disk encryption tools, including BitLocker To Go. Similar to macOS’s Disk Utility, BitLocker To Go allows you to encrypt external hard drives that can be decrypted by other Windows PCs using a shared password. BitLocker To Go is not natively supported by macOS or Linux.

Pro-tips

Not all solutions will work with every operating system

In order to choose the correct tool and workflow for your needs, you'll have to think about a couple of factors. Ask yourself:

  • What operating system will I be using to format storage media? The answer will impact the tool that you use. macOS users have the choice between Disk Utility and VeraCrypt. Windows users can use either BitLocker To Go or VeraCrypt.
  • Do I need to use this storage media on more than one operating system? If you answer yes, then VeraCrypt is the simplest choice for cross-platform use. If you answer no, we recommend using the tool your operating system natively supports, either Disk Utility or BitLocker To Go.

Most workflows will feature at least one of the following standard format options

Every time you format a drive or memory card, you’ll select a type that works with how you intend to use the storage device (e.g. compatible with both macOS and Windows, or just one of the two).

  • Apple File System (APFS): Optimal file format for newer macOS versions, which replaced Mac OS Extended as the default format for users of macOS 10.13 and later
  • exFAT: Compatible with all major operating systems and devices, optimized for use with drives over 32GB and handling files larger than 5GB
  • MS-DOS or FAT32: Compatible with all major operating systems and devices, optimized for use with drives under 32GB and handling files smaller than 5GB

When you format a partition or device, you erase all its data in the process

All the files currently on your storage device will be lost during the formatting process. Make sure you move any files you want to save off of the device before continuing through the formatting process.

Use a long, unique encryption passphrase and keep it somewhere safe

When you go through the process of encrypting storage devices and containers, you’ll be asked to designate an encryption passphrase. You’ll use your encryption passphrase to decrypt your encrypted device or container, thereby granting you the ability to access the files it contains. This encryption passphrase should be long and unique. Even with the best cryptography in the world, a weak encryption passphrase is trivial for an attacker to guess.

Do not forget your encryption passphrase. Without it, you won’t be able to unlock your partition and will lose any data you haven’t backed up elsewhere. You have options for safekeeping: you can memorize your passphrase, write it down in a secure physical location, or keep it in a password manager. Consider making a backup of files you cannot afford to lose.
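
To put a number on "long," the following added Python example (not part of the original guide) generates a random-word passphrase and estimates how much guessing work it represents. The 16-word sample list is constructed so the code runs offline, and the guess rate is an assumed figure for illustration; a real word list should be far larger.

```python
import math
import secrets

# Constructed 16-word sample list so the example runs offline. A real list
# should be far larger (the EFF large wordlist has 7,776 words).
SAMPLE_WORDS = [
    "anchor", "bramble", "cobalt", "drizzle", "ember", "fathom", "glacier",
    "harbor", "indigo", "juniper", "kestrel", "lantern", "meadow", "nickel",
    "orchid", "pebble",
]

def entropy_bits(word_count, list_size):
    """Bits of entropy when each word is drawn uniformly at random."""
    return word_count * math.log2(list_size)

def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(word_count, words=SAMPLE_WORDS):
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would overstate the entropy")
    return " ".join(secrets.choice(words) for _ in range(word_count))

def years_to_search_half(bits, guesses_per_second):
    """Average time to find the passphrase: half the keyspace at this rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e10  # assumed guess rate, for illustration only
    for n, size in [(3, 7776), (6, 7776), (6, len(SAMPLE_WORDS))]:
        bits = entropy_bits(n, size)
        print(f"{n} words from a {size}-word list: {bits:.1f} bits, "
              f"~{years_to_search_half(bits, rate):.2e} years on average")
    # With the tiny sample list, 80 bits takes 20 words; with 7,776 words, 7.
    print("sample:", generate_passphrase(words_needed(80, len(SAMPLE_WORDS))))
```

The estimate only holds when every word is chosen at random; a phrase you pick yourself, such as a quote or lyric, is far easier to guess than its length suggests.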

Ready to encrypt all the things?

Now that you’ve got the basics covered, you can follow our step-by-step guides to encrypt external storage devices and containers on your computer.

macOS users can get started with our Disk Utility guide.

Windows, Linux, and macOS users can follow along with our VeraCrypt guide.

Windows users can follow along with our BitLocker To Go guide.