Google Drive is generally a secure way to store data in the cloud, but as with any cloud service provider, you are not necessarily the only person with access to your data. Google owns the servers that host your data, after all, and that means Google can access them.
Google’s data security practices are rigorous, audited, monitored, and transparent. They have an entire knowledge base dedicated to their security procedures. Google Drive has a very limited number of Google employees that can access your data. Those that do are monitored at all times, and their actions are logged. Not only can Google see any actions those users take, but you can also see those actions. If your edition includes Access Transparency, you can see a log of any Google employee’s activities on your account.
What about those who have a Google Drive edition that lacks transparency?
What about people worried about Google’s accounts or servers being compromised (especially in the wake of them laying off thousands of employees)? Are there other ways to secure the data on your Google Drive against intrusion?
One possible answer is encryption.
How Encryption Works
In simple terms, encryption takes the contents of a file and scrambles them to the extent that they cannot be read or used, and reversing the process without the encryption key is virtually impossible.
This scrambling is performed via a mathematical algorithm using a string (like a password) as a seed for the scrambling algorithm. The encrypted file has a public key attached, which, combined with a private key only you possess, can decrypt the file and make it readable and usable again.
When you encrypt a file, no one – not even you – can read, access, or use the file without the key. It is, essentially, junk data; nonsense that has no purpose. The data can be reverted into a usable state only when the secret key is used. This technique is a considerable benefit for things like privacy and security. If you upload a text file to Google Drive and someone compromises your account and accesses unencrypted data, they can see anything in that file.
If you encrypt it first, they can still see the file, but without your key, that file is useless to them and cannot be opened.
Encryption is a vast industry with various mathematical algorithms and processes involved. The above is an extreme simplification and only accurate to some forms of encryption. Encryption is also used every day – every website you visit using HTTPS encrypts your traffic between your computer and the destination server (including Google), so anyone trying to snoop on it in the middle will see junk instead of usable information.
This technology isn’t an esoteric “government secrets and paranoid nerds” kind of technology. You use encryption every day, possibly without even knowing it.
The question is, can you encrypt the files and folders in your Google Drive? The answer is both yes and no.
Does Google Support File Encryption in Drive?
The first question is, does Google support encryption through Google Drive? As with all things relating to Google, the answer is “it’s complicated.”
There are several methods to encrypt files and folders on Google Drive, both natively and utilizing third-party tools, and each has its benefits and limitations.
Google, by default, uses AES256 encryption for all data created in Google Docs or uploaded to Google Drive, applying this encryption to data in transit and at rest. However, this is server-side encryption. Anyone with legitimate access to your account can still see the files in unencrypted form, which includes you, anyone with access to your account (legitimate or otherwise, as long as they have your email and password), and Google employees on their auditing and security teams.
Some kinds of Google Workspace accounts have access to client-side encryption. This encryption is limited to Work and School accounts of various types. Admins must enable client-side encryption on these accounts to take advantage of this feature.
You can read Google’s guide to turn on (or turn off) client-side encryption. Google is also rolling out client-side encryption for Gmail; it’s currently in beta at the time of writing, and you’ll have to apply for it here.
To create a new encrypted Google Docs file, you can follow the usual process to make a new file but choose “Blank Encrypted File” instead of simply “Blank File.”
Alternatively, to upload an encrypted file, you can log into drive.google.com. Once there, click on the + to upload a file, and click “Encrypt and Upload File.”
This process will encrypt a file as you upload it, so it’s encrypted in your Drive.
Note: Even Google cannot decrypt files uploaded this way. This limitation makes it essential to ensure that your account information is secure and that you do not lose it; if you lose access to your account or your password is changed, you will not be able to recover your data.
Restrictions and Limitations on Encrypted Files
Typically, you can’t access an encrypted file at all. However, you can still access and edit the file when you create an encrypted document through Google Docs or another Google app.
There are, however, some restrictions:
- Encrypted files will have a lock icon next to them so you can recognize which files are encrypted and which aren’t.
- Collaboration is disabled; only one person can work on an encrypted file at a time.
- Auto-save is timed rather than immediate, and exiting an unsaved file will warn you. You may lose changes you’ve made to your document if you proceed.
- Office Editing mode is disallowed.
- Commenting is disabled.
- Using the mobile app to access your files has limited support. File types supported by Google Drive (including Microsoft Office and PDFs) are supported, but Google Docs, Sheets, and Slides are not yet supported.
- Sheets functions that make external calls are disabled.
- Offline access is disabled.
- Tools like spellcheck, translate, and voice typing are disabled.
Most of these disabled features use external or tertiary services, which cannot access your encrypted data as a security measure. Rather than try to maintain secure encryption control across dozens of services, Google simply disables the features instead.
Using Third-Party Encryption
Google’s native encryption is fine for some people. However, since it limits what can be done with the files in a Drive, it’s not useful for collaborative environments. It’s also limited to specific paid editions of Google Workspace and is not available for casual free users. Users who don’t have an edition that supports encryption will need to turn to third-party encryption services to handle the encryption of their data.
The benefit of this is that everything you upload to Drive can be encrypted. Anything you choose to store can be encrypted or not, at your choice.
One of the significant drawbacks of using Google’s encryption is that offline access is disabled. If you want access to synced versions of your encrypted data, you need to encrypt it yourself and upload/sync the encrypted version.
Due to the nature of encryption, however, this is generally only viable if you use Google Drive as storage and not for collaboration. An encrypted file is, of course, encrypted; you can’t share it with other users and expect it to work unless they have the same key to decrypt it.
You can do this, but the more you spread around your encryption key, the less secure it is.
Option 1: Encrypt and Compress with a Compression Utility
The first available option allows you to encrypt any given file or folder before uploading it. The resulting upload will be smaller than the original file or folder, will be a single self-contained file (or split into .part files if your file exceeds the single file size limits of Google Drive or you want it broken into multiple parts), and can use a variety of different encryption protocols.
Utilities that can do this include:
- Archiver 4
Most modern compression tools support some form of password protection and encryption on the file.
The downside to this method is that you can only access the stored version of the file by decrypting and decompressing it. This limitation means you have to download and extract the contents of the compressed file, which can be time-consuming and uses up bandwidth in situations where you may be limited on speed or data transfer quotas.
On the upside, this allows for a relatively secure data transfer. You can share an encrypted zip file with someone else and provide them the password through another means, such as email or in person.
As long as you use different passwords for different files you want to be controlled in various ways, you’ll still have reasonably good security. On the other hand, this makes it significantly easier to forget any given password, resulting in losing access to the data in that file or folder.
This method requires you either manually encrypt each file one at a time, or encrypt a folder containing multiple chunks of data. For example, you could encrypt each song in an album separately or encrypt the album as a whole. The latter would prevent anyone from accessing an individual song and require them to download the entire album, even if they only wanted to access a single song.
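Password protection varies between compression tools, so it is worth checking what an archive actually contains before it goes to Drive. The following Python is an added example, not part of the original article: it reads a ZIP file's central directory and reports whether each entry is unencrypted, uses the legacy ZipCrypto cipher, or uses AES. The function names `audit_zip` and `build_sample` are chosen here, and the sample archive is constructed by patching header flags because Python's standard library cannot write encrypted ZIP entries.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted
FLAG_STRONG = 0x0040     # bit 6: PKWARE "strong encryption"
AES_METHOD = 99          # WinZip AES entries record 99 as the compression method


def audit_zip(data: bytes) -> dict[str, str]:
    """Map entry name -> none | zipcrypto | aes | pkware-strong.
    Reads only the central directory, so no password is needed; the
    entry names are just as visible to anyone who downloads the archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & FLAG_ENCRYPTED:
                report[info.filename] = "none"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "aes"
            elif info.flag_bits & FLAG_STRONG:
                report[info.filename] = "pkware-strong"
            else:
                report[info.filename] = "zipcrypto"  # legacy cipher, not AES
    return report


def build_sample() -> bytes:
    """Constructed sample: patch central-directory flags to mimic tool output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("notes.txt", "taxes.pdf", "keys.txt"):
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    marks = {b"taxes.pdf": AES_METHOD, b"keys.txt": 0}  # keys.txt: ZipCrypto
    pos = struct.unpack_from("<I", raw, len(raw) - 6)[0]  # EOCD: directory offset
    while raw[pos:pos + 4] == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        name = bytes(raw[pos + 46:pos + 46 + name_len])
        if name in marks:
            struct.pack_into("<HH", raw, pos + 8, FLAG_ENCRYPTED, marks[name])
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    print(audit_zip(build_sample()))
```

An entry reported as `none` sits readable inside the archive, and `zipcrypto` means the tool fell back to the older ZIP cipher rather than AES.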
Option 2: Use Cloud Encryption Apps
A second option is to use an app designed to encrypt data on a cloud service.
One of the big names in this space is Boxcryptor. This app provides encryption services for files on your local drives and cloud drives, including Google Drive, Dropbox, OneDrive, and more.
Essentially, it encrypts anything you tell it to encrypt on a cloud platform without inhibiting visibility.
People can still see the files and folders if they have access to your Google Drive account, but they can only actually access them or see what’s inside them if they, too, have Boxcryptor and the relevant account name and password.
Cryptomator is another app that works similarly, encrypting data and storing it on Google Drive, allowing decryption only by other devices that have the same access via Cryptomator. One difference here is that Cryptomator also has Android and iOS apps, which helps increase the versatility of your encryption.
Note: Some articles recommend using software like BitLocker to encrypt the files and folders (or whole drive) you sync with Google Drive. Unfortunately, this is of limited use; it means your files are encrypted when your device isn’t accessing them, but uploading a file to Drive means accessing it, so the copy that reaches Drive is not encrypted.
Enhancing Google Drive Security
A question you should ask yourself when thinking about encryption is: “From whom do you want to protect your data?” Often, encryption is defeated not by cracking the encryption itself but by defeating the security around it.
Data stored in Google Drive is encrypted by default, but only to the extent that it’s encrypted to anyone who does not have legitimate access to the data. That means it’s functionally encrypted to anyone except you, Google, and anyone with illicit access to your login credentials on either side of the coin.
Google’s default encryption won’t protect you against a rogue Google employee (though their data protections and legal action should dissuade them), and it won’t protect you against a potentially-compromised account.
Thus, it’s often better to buff up your security in other ways.
Encrypting the data you upload to Google Drive can help, but this only helps if someone gains illicit access to your account but not your specific device. It also adds some friction to Google Drive’s collaboration features, which can be a deal-breaker for many.
Make sure you pick strong passwords for your accounts. Research suggests that changing passwords too frequently is a bad thing, so if you already have a strong and unique password for your Google account, consider investing in additional layers of security instead.
Google’s Security Checkup page can help you review the security of your account and audit devices that you may not recognize.
You can also use two-factor or multi-factor authentication using an authenticator app or SMS passkey. You can also use a password manager to help keep your passwords secure and only need to remember a single master password. Alternatively, you can use a “cold storage” device like a YubiKey for even more protection.
Encrypting the data you put on Google Drive is, unfortunately, limited. There’s no easy way to use Google collaboratively while encrypting your data and preventing Google itself from accessing it. Encryption like that requires encrypting your data locally before syncing it with Google Drive.
While this is fine if you only want to store your data securely, you’ll grow tired of constantly encrypting and decrypting your files. Depending on the app you use, it can also be tricky to know which files are (and aren’t) encrypted.
What is your preferred way of encrypting files and folders on Google Drive? Did I leave any techniques out, or do you have anything to share? Please drop a comment in the section below! I take the time to read and reply to every comment I receive, and it would be great to get a conversation started on this topic to help others.