Most encryption guides hand you a list of tools and call it done. They skip the parts that actually matter: which threats a given layer defends against, which ones it doesn’t, and what you lose when you turn encryption on. The result is people who encrypt their laptop and assume their cloud backup is safe, or who install a password manager without understanding that a weak master password undoes the entire point.
This guide covers every layer of encryption a normal person or small team realistically touches — disk, files, cloud, messaging, email, passwords, and the long-tail stuff no one mentions — with current tools as of April 2026, the standards underneath them, and honest notes on where each one breaks down. Where facts are in motion — quantum timelines, legal fights over end-to-end encryption — it says so.
What Encryption Can and Cannot Actually Do For You
Encryption protects data at rest (sitting on a drive) and data in transit (moving across a network). It does essentially nothing for data in use — the moment you unlock a drive, open a vault, or decrypt a message on your screen, that data is plaintext in RAM and visible to anything running on your machine. Malware, a shoulder-surfer, or a subpoenaed running device all bypass the world’s strongest cipher.
The second thing encryption doesn’t do is protect against losing your keys. Lose your FileVault recovery key and a dead Mac, forget your VeraCrypt passphrase, or misplace the only device that can decrypt your iCloud backup, and the data is gone — not “gone until we call support,” but gone in the thermodynamic sense. This is the correct behavior of a secure system. It is also the single most common way people lose irreplaceable data to encryption.
Everything below assumes you understand those two boundaries. Now the layers.
Full-Disk Encryption: The First Layer, and Why Almost Everyone Gets It Right By Accident
Full-disk encryption (FDE) encrypts every block on your storage drive so that without the key, the contents are indistinguishable from random noise. It defends against exactly one class of threat: someone with physical access to your powered-off device. A thief, a lost laptop, a drive pulled from e-waste, a border inspection of a shut-down phone.
On modern hardware FDE is essentially free. Apple Silicon Macs encrypt the internal drive by default via FileVault, using XTS-AES-128 with a 256-bit key tied to the Secure Enclave. Windows 11 enables BitLocker automatically on most new devices with a TPM, using AES in XTS mode at 128 or 256 bits. iPhones and modern Android devices have been encrypted by default since roughly 2015. On Linux, LUKS2 is the standard, and it now defaults to Argon2id as the password-based key derivation function — the same memory-hard KDF that makes GPU brute-forcing drastically more expensive than the PBKDF2-based LUKS1.
The catch is recovery. BitLocker recovery keys land in your Microsoft account by default, which is convenient and which also means a Microsoft subpoena ends your plausible deniability. FileVault offers the same tradeoff with iCloud. If that matters to your threat model, both let you opt out and hold the recovery key yourself — at the cost of losing access forever if you misplace it.
For encrypted volumes that need to move between operating systems, or for pre-boot protection on Windows Home (where BitLocker isn’t available), VeraCrypt remains the cross-platform answer. It’s the successor to the abandoned TrueCrypt, it supports hidden volumes for plausible deniability, and it works identically across Windows, macOS, and Linux. It’s slower to set up than native tools and less convenient for daily use, which is exactly why most people should use the native tool for their system drive and reach for VeraCrypt only for containers that actually need to travel.
| Platform | Default Tool | Cipher / KDF | Gotcha |
|---|---|---|---|
| macOS | FileVault | XTS-AES-128 / SE | iCloud recovery key is the default — opt out if threat model demands it |
| Windows Pro+ | BitLocker | XTS-AES-256 / TPM | Recovery key escrows to Microsoft account by default |
| Windows Home | Device Encryption / VeraCrypt | AES-256 / PBKDF2 | No BitLocker — Device Encryption is limited; VeraCrypt for real control |
| Linux | LUKS2 (cryptsetup) | AES-XTS / Argon2id | Back up the LUKS header — header corruption = unrecoverable data |
| Cross-platform / portable | VeraCrypt | AES-256-XTS / PBKDF2 | No password recovery at all — lose the passphrase, lose the data |
File and Container Encryption: When The Disk Isn’t Enough
FDE protects the drive in your machine. It does not protect the files you copy to a shared NAS, a USB stick handed to a contractor, or a folder syncing to a cloud provider — those leave the encrypted domain the moment they move. This is where per-file or container encryption earns its place.
The modern answer for file-level encryption is age — a small, opinionated tool with a command line that reads `age -r <public-key> secrets.txt > secrets.txt.age` and essentially no room for misconfiguration. It uses X25519 for key exchange and ChaCha20-Poly1305 for encryption, and the design deliberately refuses the knobs that made PGP a footgun for thirty years. For users who want a signing tool alongside, minisign pairs with it.
For encrypted containers — a mounted “folder” that looks normal to your file manager but is one big encrypted blob on disk — VeraCrypt is still the standard for static containers, and gocryptfs or Cryptomator work better for containers that need to sync file-by-file (critical for cloud storage, covered below).
The open-source ecosystem has quietly converged on a handful of well-designed tools. The common failure mode isn’t picking the wrong one; it’s layering them inconsistently — encrypting one sensitive folder and leaving three others in plaintext on the same synced drive.
Cloud Storage: The Layer Where Most People’s Encryption Actually Falls Apart
Here’s the thing providers don’t advertise: “encrypted in transit and at rest” means nothing about whether they can read your files. Google Drive, Dropbox, and OneDrive all encrypt your data, and all of them hold the keys. A subpoena, a rogue admin, a server breach, or a policy change reaches your files.
End-to-end encrypted (E2EE) or zero-knowledge cloud storage is different: the provider never sees the keys, so even a full server compromise yields ciphertext. Your options split into two architectures.
The first is natively E2EE providers — Proton Drive, Tresorit, Sync.com, MEGA. You trust them to implement zero-knowledge correctly, and in exchange you get a seamless experience. Proton Drive is the strongest consumer pick as of 2026: Swiss jurisdiction, open-source clients, and tight integration with Proton Mail and Proton Pass. Tresorit is the enterprise gold standard and carries ISO 27001, SOC 2, and HIPAA compliance, at roughly $19 per user per month.
The second is a transparent encryption layer over an existing provider. This is what Cryptomator does: it creates a “vault” folder inside Dropbox/Drive/OneDrive, encrypts each file client-side with AES-256-GCM (filenames included), and lets the dumb cloud provider sync the ciphertext. Your existing cloud subscription becomes a zero-knowledge service without you moving anything. It’s free, open-source, and the correct answer if you already pay for Google One or Microsoft 365 and don’t want to migrate. Boxcryptor used to fill this niche but was acquired by Dropbox in 2022 and retired; Cryptomator inherited its users.
One important caveat, aired in the October 2024 ETH Zurich analysis “End-to-End Encrypted Cloud Storage in the Wild”: several major E2EE storage providers had non-trivial cryptographic flaws in their implementations — MEGA, pCloud, Sync.com, and Icedrive all featured in the findings. Marketing claims of “end-to-end encryption” are not the same as a clean cryptographic implementation. For this reason, Cryptomator and Proton Drive tend to get the warmest reception from cryptographers, because their specifications and code are open and have been repeatedly scrutinized.
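As an added illustration of the transparent-layer architecture described above (example code written for this page, not Cryptomator's code or its vault format), the Go program below encrypts each file's content and its filename with AES-256-GCM under a key the provider never receives, and binds the encrypted name to the content as additional authenticated data so a ciphertext that is modified, or swapped under another file's name, is rejected on decrypt. The `Vault` and `EncryptedFile` types and all function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Vault holds a 256-bit content key that exists only on the client. The sync
// provider stores the outputs of Encrypt and never this key, which is what
// makes the provider "zero-knowledge" for the vault's contents.
type Vault struct {
	key []byte
}

// NewVault generates a random key. A real client would unwrap it from the
// user's passphrase; that step is out of scope for this example.
func NewVault() (*Vault, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &Vault{key: k}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext. A fresh random nonce per call is
// mandatory: reusing a GCM nonce under one key breaks both secrecy and integrity.
// aad is authenticated but not encrypted.
func (v *Vault) seal(plaintext, aad []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to nonce, ciphertext, tag or aad.
func (v *Vault) open(blob, aad []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// EncryptedFile is the only thing that lands in the synced folder.
type EncryptedFile struct {
	Name string // encrypted filename, base64url so it is a valid path component
	Body []byte // nonce || ciphertext of the content
}

// Encrypt protects content and filename. The cloud-visible name is the AAD of
// the content, so renaming or swapping bodies server-side is caught on decrypt.
func (v *Vault) Encrypt(name string, content []byte) (EncryptedFile, error) {
	encName, err := v.seal([]byte(name), []byte("filename"))
	if err != nil {
		return EncryptedFile{}, err
	}
	cloudName := base64.RawURLEncoding.EncodeToString(encName)
	body, err := v.seal(content, []byte(cloudName))
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{Name: cloudName, Body: body}, nil
}

// Decrypt recovers the original filename and content, or reports tampering.
func (v *Vault) Decrypt(f EncryptedFile) (string, []byte, error) {
	encName, err := base64.RawURLEncoding.DecodeString(f.Name)
	if err != nil {
		return "", nil, err
	}
	name, err := v.open(encName, []byte("filename"))
	if err != nil {
		return "", nil, fmt.Errorf("filename: %w", err)
	}
	content, err := v.open(f.Body, []byte(f.Name))
	if err != nil {
		return "", nil, fmt.Errorf("content of %q: %w", name, err)
	}
	return string(name), content, nil
}

func main() {
	v, _ := NewVault()
	// Constructed sample file standing in for whatever the user drops into the vault folder.
	f, _ := v.Encrypt("taxes-2025.pdf", []byte("constructed sample content"))
	fmt.Printf("cloud sees name=%s, body=%d opaque bytes\n", f.Name, len(f.Body))
	name, content, err := v.Decrypt(f)
	fmt.Printf("client recovers %q: %q (err=%v)\n", name, content, err)
	f.Body[len(f.Body)-1] ^= 0x01 // a single flipped bit, as a corrupt or modified upload would be
	_, _, err = v.Decrypt(f)
	fmt.Println("after tampering:", err)
}
```

One design point worth noting: this example uses a random nonce for the filename too, so the same name encrypts differently each time; production vault formats encrypt names deterministically (Cryptomator uses AES-SIV for this) so the sync client can locate a file by its plaintext name without a separate index.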
The Apple Exception
If you’re in the Apple ecosystem, Advanced Data Protection (ADP) turns iCloud into an end-to-end encrypted service. With ADP enabled, the number of iCloud data categories protected by E2EE rises from the default 14 to 25, including iCloud Backup, Photos, Notes, and iCloud Drive. Apple deletes the service keys from its HSMs and your trusted devices become the only holders. Losing access means losing the data — Apple cannot recover it.
ADP has been available globally since December 2022 with one exception. In February 2025 the UK government served Apple with a Technical Capability Notice under the Investigatory Powers Act, and Apple responded by removing ADP for new UK users rather than build a backdoor. In August 2025 the UK appeared to drop the specific demand, but as of September 2025 Apple confirmed that ADP remains unavailable to new UK users, and existing UK users still have to disable it themselves. The underlying legal authority remains on the books. If you’re in the UK, iCloud without ADP is Apple-accessible storage; Cryptomator over iCloud Drive is the realistic workaround.
Messaging: Signal, and Why “End-to-End Encrypted” Has Become a Spectrum
Signal is the default recommendation, and remains so because the Signal Protocol is both well-specified and aggressively updated. In September 2023 Signal upgraded its X3DH key agreement to PQXDH, combining X25519 with the NIST-standardized post-quantum KEM ML-KEM (formerly CRYSTALS-Kyber). In late 2025 Signal went further and announced the Triple Ratchet, which layers a Sparse Post Quantum Ratchet (SPQR) using ML-KEM Braid alongside the existing Double Ratchet. The point of these upgrades isn’t that quantum computers exist today — they don’t, at scale — but that encrypted messages captured today could be decrypted decades later under the harvest-now, decrypt-later threat model.
WhatsApp uses the Signal Protocol for message content, but the metadata picture is very different: who you talk to, when, and from where is visible to Meta. iMessage is end-to-end encrypted between Apple devices, and Apple rolled out PQ3 (its own post-quantum upgrade) in early 2024, but iMessage cross-platform falls back to unencrypted SMS/RCS; only recent Android-to-iOS RCS via a supported app preserves encryption.
Telegram’s default “chat” is not end-to-end encrypted — only its “Secret Chats” feature is, and Secret Chats are not available for group messages, which is where most abuse happens. Calling Telegram an “encrypted messenger” without qualification is misinformation.
For organizations that need a Matrix-based federated alternative, Element (on the Matrix protocol) implements E2EE with the Olm/Megolm protocols, and was selected by a number of European governments. For self-hosting, it’s the serious answer.
Email: The Problem No One Has Solved
Email was designed in 1982 without a notion of encryption, and every modern attempt to bolt it on leaks metadata. The subject line, the sender, the recipient, the timestamps, the routing path — none of it is protected by standard PGP/OpenPGP, which encrypts only the message body. This is not a bug in the tools; it is a limitation of SMTP.
Your practical options, in descending order of purism:
Provider-side E2EE — Proton Mail and Tuta (formerly Tutanota) encrypt messages inside their own ecosystems automatically. Proton uses OpenPGP under the hood and federates cleanly with external PGP users; Tuta uses its own scheme but encrypts subject lines too, which Proton cannot (OpenPGP doesn’t define subject encryption). Both are based in privacy-friendly jurisdictions (Switzerland and Germany respectively). Neither protects you if your recipient is on Gmail — at that point, only the leg between you and Proton’s servers is E2EE; everything after is subject to the recipient’s email provider.
OpenPGP via Thunderbird or a bridge — If you must use a mainstream provider, OpenPGP still works. The latest OpenPGP standard, RFC 9580 (the “crypto refresh,” finalized 2024), adds AEAD modes and Argon2 for passphrase-protected keys, fixing long-standing weaknesses. Thunderbird has OpenPGP built in; gpg on the command line covers everything else. The problem is and always has been key management — exchanging and verifying public keys out of band, dealing with expired keys, and not leaking your entire contact graph to keyservers.
Subject-line aware alternatives — Tuta and some small providers encrypt more than PGP does, but inter-provider encryption rarely survives.
The honest answer is that email is a poor channel for sensitive content. If you actually need to send something confidential, send a link to a Signal message, a Proton Drive shared file, or an age-encrypted attachment over a channel that doesn’t leak metadata. Encrypting email is worth doing — it raises the cost of passive surveillance considerably — but calling it “private” overstates the case.
Password Managers: The Keystone
Every layer above collapses if your master password is guessable. A password manager is how you sustain a unique, high-entropy password per account without keeping them in a notes file. The short list as of 2026:
Bitwarden — open source, audited, cloud-synced, and free for unlimited passwords across unlimited devices. Uses AES-256-CBC with PBKDF2 (default 600,000 iterations) or optional Argon2id. Self-hosted via Bitwarden Server or the community Vaultwarden fork. The obvious default for almost everyone.
1Password — closed source, but the most polished UX and the only mainstream manager with a Secret Key architecture: a 34-character device-bound key combines with your master password, meaning a server breach yielding password hashes still cannot be cracked offline. Excellent for families and teams. Paid only.
KeePassXC — local-first, no cloud by default, uses AES-256 or ChaCha20 with Argon2id. You control the database file and sync it yourself (Syncthing, an encrypted cloud folder, whatever). Best for threat models where “never trust a vendor” is the baseline. Mobile story is weaker.
Proton Pass — Swiss, open-source, free tier, integrated with the Proton ecosystem. Reasonable if you already use Proton Mail.
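To make the two design points above concrete, the following is an added Go example (written for this page, not Bitwarden's or 1Password's code): it implements PBKDF2-HMAC-SHA256 from the standard library at the 600,000-iteration work factor quoted for Bitwarden, then shows the Secret Key idea behind 1Password, where a high-entropy device-held key is mixed into the password-derived key before anything reaches the server. The HMAC mixing step, the `LoginVerifier` construction, the 16-byte secret key and all function names are this example's simplifications, not either product's actual protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// DefaultIterations is the PBKDF2 work factor quoted above for Bitwarden.
const DefaultIterations = 600_000

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2)
// using only the standard library: T_i = U_1 xor U_2 ... xor U_c, where
// U_1 = PRF(salt || INT(i)) and U_j = PRF(U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// MasterKey stretches the master password. Argon2id (memory-hard) is the
// stronger choice today; PBKDF2 is used here only because it needs no extra package.
func MasterKey(password, salt string, iterations int) []byte {
	return pbkdf2SHA256([]byte(password), []byte(salt), iterations, 32)
}

// WithSecretKey mixes in a random key that lives only on enrolled devices.
// Anyone who obtains the server's verifier and guesses the password still
// lacks this 128-bit input, so offline guessing cannot confirm a hit.
func WithSecretKey(masterKey, secretKey []byte) []byte {
	m := hmac.New(sha256.New, secretKey)
	m.Write(masterKey)
	return m.Sum(nil)
}

// NewSecretKey generates the device-bound secret (shown as 16 random bytes here).
func NewSecretKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// LoginVerifier is what the server stores: a one-way hash of the final key,
// never the key itself and never the material that decrypts the vault.
func LoginVerifier(finalKey []byte) string {
	sum := sha256.Sum256(append([]byte("login-verifier:"), finalKey...))
	return hex.EncodeToString(sum[:])
}

// CheckLogin compares verifiers in constant time, as a server should.
func CheckLogin(stored string, finalKey []byte) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(LoginVerifier(finalKey))) == 1
}

func main() {
	secret, err := NewSecretKey()
	if err != nil {
		panic(err)
	}
	// Constructed inputs; a real client uses a random per-user salt, not the e-mail address alone.
	mk := MasterKey("correct horse battery staple", "user@example.com", DefaultIterations)
	stored := LoginVerifier(WithSecretKey(mk, secret))
	fmt.Println("server stores only:", stored)
	fmt.Println("password + secret key:   ", CheckLogin(stored, WithSecretKey(mk, secret)))
	fmt.Println("password, no secret key: ", CheckLogin(stored, mk))
	other, _ := NewSecretKey()
	fmt.Println("password + wrong secret: ", CheckLogin(stored, WithSecretKey(mk, other)))
}
```

Running it at the full 600,000 iterations takes a noticeable fraction of a second per derivation, which is the point: that cost is paid once by the user at unlock and once per guess by anyone attacking a stolen vault.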
A note on what not to use: LastPass remains off the recommendation list. The 2022 breach that dumped encrypted vaults into attackers’ hands has now been linked by TRM Labs (December 2025) to approximately $438 million in cryptocurrency thefts, and LastPass settled a related class action for $24 million the same month. Migrate out if you haven’t.
In mid-2025 researchers at ETH Zurich published cryptographic analysis of several cloud password managers identifying flaws in how master passwords, vault keys, and sharing features were composed. Cloud-sync password managers are a complicated kind of software, and the lesson is to prefer ones with open code, published audits, and responsive disclosure processes — which is most of the list above.
Everything Else: DNS, VPN, Backups, Phones, Tokens
The long tail matters more than people think.
DNS is the layer that tells the world what sites you visit. Unencrypted DNS (still the default on many networks) lets your ISP, your network operator, and any passive observer log every domain you look up. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) fix this. Cloudflare (1.1.1.1), Quad9, and NextDNS all offer encrypted DNS; modern browsers and both major mobile OSes support it natively.
VPNs encrypt your traffic between your device and the VPN server — that’s the boundary. Beyond that server, your traffic is indistinguishable from any other VPN user’s, which shifts trust from your ISP to the VPN operator. Mullvad and IVPN are the usual picks for minimal logging and independent audits. The WireGuard protocol has largely replaced OpenVPN as the modern default; it uses ChaCha20-Poly1305 for encryption and Curve25519 for key exchange, and is an order of magnitude less code than its predecessor.
Backups need their own encryption. restic and Borg are the standard answers — both encrypt client-side before uploading to whatever storage backend you pick (S3, Backblaze B2, a local drive). Neither depends on the trustworthiness of the remote storage. Time Machine encrypts backups if you check the “Encrypt backup disk” box when you set up the destination, but most people don’t.
Phones are where encryption lives or dies for most people, because phones hold more sensitive data than laptops. iPhones are encrypted by default; keep the passcode alphanumeric (not a 6-digit PIN) and enable ADP if you’re not in the UK. Android encryption varies by vendor — stock Pixel and Samsung devices on recent Android versions are encrypted by default with file-based encryption, but lower-end devices may have weaker implementations. GrapheneOS on a Pixel remains the hardening option for people whose threat model justifies it.
Hardware tokens — YubiKey, Nitrokey, SoloKeys — are how you avoid having your password manager itself become a single point of failure. Pair one with your Bitwarden/1Password account for FIDO2/WebAuthn, and pair a second with your email account. The second key goes in a drawer. The cost is about $50 and one weekend of setup; the upside is that phishing and password-reuse attacks against your most important accounts become near-impossible.
The Post-Quantum Transition, Briefly
In August 2024, NIST finalized the first three post-quantum cryptography standards: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber, for key encapsulation), FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium, for signatures), and FIPS 205 (SLH-DSA, the hash-based SPHINCS+ backup). In March 2025 NIST added HQC as a code-based KEM backup for ML-KEM, providing algorithmic diversity in case lattice-based schemes turn out to have unknown weaknesses. The NSA’s CNSA 2.0 suite sets 2030 as the mandatory migration deadline for National Security Systems.
For individuals, the practical consequences in 2026 are: Signal is already post-quantum. Apple’s iMessage PQ3 is already post-quantum. Chrome and Firefox negotiate ML-KEM on TLS 1.3 handshakes where the server supports it. Most other consumer-facing tools are still classical, and the tooling for PQ OpenPGP is not yet standardized. This is changing on a rolling basis; the harvest-now-decrypt-later threat is why the transition is happening a decade ahead of the worst-case quantum timeline, not because quantum computers are imminent.
FAQ
If my disk is already encrypted, do I also need to encrypt individual files? If the file never leaves your disk, no. If it ever goes to a cloud service, a USB stick, an email attachment, or a shared drive, yes — it exits the encrypted boundary of your disk the moment it moves.
Is encryption legal in my country? In most jurisdictions, using strong encryption is legal and unregulated for individuals. A handful of countries restrict it or can compel decryption under legal order. The UK’s Investigatory Powers Act and the RIPA provisions for key disclosure are the most active example in democracies; compelled decryption laws also exist in Australia, France, and elsewhere. If this matters to your situation, consult a lawyer familiar with local law.
What’s the single most impactful thing I can do? A password manager with a strong, unique master password and hardware-key 2FA on your email. More than any single encryption tool, this defends the account that can reset every other account you own.
Do I still need a VPN if I use HTTPS everywhere? HTTPS already protects the content of your traffic. A VPN mainly hides the destination (what sites you visit) from your local network and ISP. If that’s your threat, yes. If not, HTTPS plus encrypted DNS covers most of what a VPN claims to do.
The Last Word
The dream of encrypting “literally everything” is really a dream of not having to think about it. That dream is closer than it’s ever been: disk encryption is on by default, messaging is post-quantum by default on the leading app, cloud storage has real zero-knowledge options, and password managers have become good enough that there’s no legitimate excuse not to use one.
What hasn’t changed is that encryption has edges. It protects data at rest and in transit, not data in use. It depends on keys you can lose. Its legal status is, in some places, actively being renegotiated. Treat those edges as the real threat model and build around them, and the rest of the stack mostly handles itself.