How to Encrypt Your Files with AES-256: Complete Step-by-Step Guide

Why Encrypt Your Files?

Before diving into the how-to, understand the why:

✓ Privacy: Prevent unauthorized access ✓ Compliance: Meet GDPR, HIPAA requirements ✓ Security: Protect against theft/breaches ✓ Control: You decide who accesses your data

Real example: 60% of data breaches involve unencrypted data (Verizon DBIR 2024). Encryption makes stolen data useless.

Method 1: Using Filarr (Easiest)

Best for: Non-technical users who want automatic encryption

Step-by-Step

# 1. Install Filarr
Download from https://filarr.com/download

# 2. Create account
- Email and strong password
- Your password is your encryption key (never share!)

# 3. Upload files
- Drag and drop files into Filarr
- Files encrypt automatically before upload
- AES-256-GCM encryption applied

# 4. Access encrypted files
- Download and decrypt automatically
- Files stay encrypted on server

Pros: ✓ Zero technical knowledge required ✓ Automatic encryption/decryption ✓ Cloud backup included ✓ Multi-device sync

Cons: ~ Requires Filarr account ~ Monthly cost for >5GB

Method 2: Using 7-Zip (Windows/Linux)

Best for: One-time file encryption, no cloud needed

Windows Instructions

Step 1: Install 7-Zip

1. Download from https://www.7-zip.org/
2. Run installer
3. Choose "Install for all users"

Step 2: Encrypt Files

1. Right-click file(s) → 7-Zip → Add to archive
2. Archive format: zip or 7z
3. Encryption method: AES-256
4. Enter strong password (minimum 12 characters)
5. Check "Encrypt file names" (important!)
6. Click OK

Result: yourfile.zip (encrypted with AES-256)

Step 3: Decrypt Files

1. Double-click encrypted .zip file
2. Enter password
3. Extract files

Command Line (Advanced)

# Encrypt
7z a -p -mhe=on -tzip encrypted.zip yourfile.pdf

# -p: Password (will prompt)
# -mhe=on: Encrypt headers (filenames)
# -tzip: ZIP format

# Decrypt
7z x encrypted.zip

Pros: ✓ Free and open-source ✓ Works offline ✓ Strong AES-256 encryption ✓ Cross-platform

Cons: ~ Manual process (not automatic) ~ Must remember password (no recovery) ~ No cloud sync

Method 3: Using VeraCrypt (Encrypted Containers)

Best for: Creating encrypted drives/folders

Setup VeraCrypt

Step 1: Install

1. Download from https://www.veracrypt.fr/
2. Install (verify signature)
3. Launch VeraCrypt

Step 2: Create Encrypted Container

1. Click "Create Volume"
2. Select "Create an encrypted file container"
3. Choose "Standard VeraCrypt volume"
4. Select location and filename (e.g., "secure.hc")
5. Encryption: AES-256
6. Volume size: 100MB (adjust as needed)
7. Enter strong password
8. Format volume

Step 3: Mount and Use

1. Click "Select File" → Choose your .hc file
2. Click a drive letter (e.g., "M:")
3. Click "Mount"
4. Enter password
5. Use M:\ like any drive
6. Dismount when done

Pros: ✓ Military-grade encryption ✓ Encrypted container = one password for many files ✓ Plausible deniability features ✓ Free and open-source

Cons: ~ Complex for beginners ~ Must mount/unmount manually ~ No automatic sync

Method 4: macOS Built-In Encryption

Best for: Mac users wanting easy encryption

Using Disk Utility

Create Encrypted DMG:

1. Open Disk Utility
2. File → New Image → Image from Folder
3. Select folder to encrypt
4. Encryption: 256-bit AES encryption
5. Set password
6. Save

Result: Encrypted .dmg file

Mount Encrypted DMG:

1. Double-click .dmg file
2. Enter password
3. Access files
4. Eject when done

Using FileVault (Full Disk)

1. System Preferences → Security & Privacy
2. FileVault tab
3. Turn On FileVault
4. Choose recovery method
5. Restart to encrypt

Pros: ✓ Built into macOS ✓ AES-256 encryption ✓ FileVault encrypts entire disk ✓ Transparent to user

Cons: ~ macOS only ~ FileVault is all-or-nothing

Method 5: Command Line (Linux)

Best for: Linux users, automation, scripting

Using GPG

# Encrypt file
gpg --symmetric --cipher-algo AES256 document.pdf
# Enter passphrase
# Creates: document.pdf.gpg

# Decrypt file
gpg document.pdf.gpg
# Enter passphrase
# Creates: document.pdf

Using OpenSSL

# Encrypt
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc
# Enter password

# Decrypt
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt
# Enter password

Pros: ✓ Available on all Linux systems ✓ Scriptable for batch operations ✓ Industry-standard tools

Cons: ~ Command-line only ~ Requires technical knowledge

Method 6: Programmatic Encryption

Best for: Developers, automation

Node.js Example

const crypto = require('crypto')
const fs = require('fs')

function encryptFile(inputFile, outputFile, password) {
  // Derive key from password
  const salt = crypto.randomBytes(32)
  const key = crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256')
  const iv = crypto.randomBytes(16)

  // Create cipher
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv)

  // Encrypt file
  const input = fs.createReadStream(inputFile)
  const output = fs.createWriteStream(outputFile)

  // Write salt and IV (needed for decryption)
  output.write(salt)
  output.write(iv)

  // Pipe encrypted data
  input.pipe(cipher).pipe(output)

  output.on('finish', () => {
    console.log('File encrypted successfully')
  })
}

// Usage
encryptFile('secret.pdf', 'secret.pdf.enc', 'MyStr0ngP@ssw0rd!')

Python Example

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2
import os

def encrypt_file(input_file, output_file, password):
    # Derive key
    salt = os.urandom(32)
    kdf = PBKDF2(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=100000,
        backend=default_backend()
    )
    key = kdf.derive(password.encode())

    # Create cipher
    iv = os.urandom(16)
    cipher = Cipher(
        algorithms.AES(key),
        modes.CBC(iv),
        backend=default_backend()
    )
    encryptor = cipher.encryptor()

    # Encrypt file
    with open(input_file, 'rb') as f_in:
        with open(output_file, 'wb') as f_out:
            # Write salt and IV
            f_out.write(salt)
            f_out.write(iv)

            # Encrypt and write data
            while True:
                chunk = f_in.read(64 * 1024)  # 64KB chunks
                if not chunk:
                    break
                # Pad last chunk if necessary
                if len(chunk) % 16 != 0:
                    chunk += b'\0' * (16 - len(chunk) % 16)
                f_out.write(encryptor.update(chunk))

            f_out.write(encryptor.finalize())

# Usage
encrypt_file('secret.pdf', 'secret.pdf.enc', 'MyStr0ngP@ssw0rd!')

Password Best Practices

Strong Password Requirements

Minimum:

• 12+ characters
• Mix: uppercase, lowercase, numbers, symbols
• Not in dictionary
• Not personal info

Better:

• 16+ characters
• Passphrase: "Correct-Horse-Battery-Staple-2025!"
• Use password manager

Test strength: https://www.security.org/how-secure-is-my-password/

Password Managers

Recommended:

• Bitwarden (open-source)
• 1Password
• KeePassXC (local)

Recovery Options

Important: AES-256 encryption has NO password recovery

Protect yourself: ✓ Store password in password manager ✓ Write recovery key on paper (stored safely) ✓ Share with trusted person (sealed envelope) ✗ Don't email passwords ✗ Don't store in same location as encrypted files

Common Mistakes to Avoid

1. Weak Passwords

❌ BAD: password123
❌ BAD: yourname2025
❌ BAD: qwerty

✅ GOOD: Tr0pic@l-Sunshine-M3rm@id-2025!
✅ GOOD: 4$RandomWordPa$$phrase!

2. Reusing Passwords

❌ BAD: Same password for all encrypted files
✅ GOOD: Unique password per file/container
✅ BETTER: Use password manager to generate unique passwords

3. Forgetting to Encrypt Filenames

❌ BAD: secret-salary-document.pdf.enc (filename reveals content)
✅ GOOD: Enable "encrypt filenames" option

4. Leaving Decrypted Copies

❌ BAD: Decrypt → Edit → Save → Forget to delete decrypted file
✅ GOOD: Delete decrypted file immediately after use
✅ BETTER: Use encrypted containers (auto-encrypt on dismount)

Verification: Is Your File Encrypted?

Check Encryption

Method 1: Try to Open

• Encrypted files won't open in normal programs
• You'll see gibberish if opened in text editor

Method 2: File Command (Linux/macOS)

file encrypted.pdf
# Output: "data" (not "PDF document")

Method 3: Strings Command

strings encrypted.pdf
# Should show no readable text

Comparison of Methods

Method	Difficulty	Cost	Automation	Cloud Sync
Filarr	Easy	€5/mo	✓	✓
7-Zip	Easy	Free	✗	✗
VeraCrypt	Medium	Free	~	✗
macOS Disk Utility	Easy	Free	✗	~
GPG/OpenSSL	Hard	Free	✓	✗
Programming	Hard	Free	✓	~

Recommended Approach by Use Case

Personal Documents

Best: Filarr or 7-Zip

• Filarr: Automatic, cloud backup
• 7-Zip: Free, offline

Sensitive Work Files

Best: VeraCrypt containers

• Plausible deniability
• Multiple files, one password

Developer/Automation

Best: GPG or programmatic

• Scriptable
• Integrates with workflows

Mac Users

Best: Disk Utility or Filarr

• Built-in convenience
• Or cloud sync with Filarr

Conclusion

Encrypting files with AES-256 is easier than ever:

Quick solution: Use Filarr (automatic encryption) Free solution: Use 7-Zip (manual but effective) Advanced: VeraCrypt or command-line tools

Key takeaways: ✓ Use AES-256 encryption (industry standard) ✓ Choose strong passwords (12+ characters) ✓ Store passwords safely (password manager) ✓ No password recovery exists (be careful!)

Start Encrypting with Filarr

The easiest way to encrypt files with AES-256:

✓ Automatic encryption before upload ✓ Zero-knowledge security (only you have keys) ✓ Cloud backup included ✓ Multi-device sync

Try Filarr free (5GB) →

Additional Resources

• AES Specification (NIST)
• Encryption Best Practices
• Password Guidelines