How to Encrypt a File in 2026: Windows, Mac, Linux, and Browser

File encryption protects data such that only someone with the correct key can read it — regardless of how the file is stored or transmitted. This guide covers five methods across all platforms, ranging from a browser tool that requires no software installation to Ghostscript and GPG for advanced scenarios.

What File Encryption Actually Does

Encryption transforms the contents of a file into unreadable ciphertext using a mathematical cipher and a key. AES-256-GCM — the current gold standard for symmetric encryption — produces ciphertext that is computationally indistinguishable from random data to anyone who doesn't possess the key. The security of the encrypted file is then bounded by two things: the strength of the key (or password it's derived from) and the correctness of the key derivation and encryption implementation.

"File encryption" and "password protection" are frequently confused. A Word or Excel "password" on pre-2013 versions of Office used weak algorithms that could be cracked in minutes. True encryption — using AES-256 with a proper key derivation function (KDF) like PBKDF2, bcrypt, or Argon2 — is categorically different.

Method 1: Browser-Based File Encryption — All Platforms, No Installation

FileShot's File Encrypt tool performs AES-256-GCM encryption entirely in your browser. No file is uploaded; all computation happens in WebAssembly/JavaScript on your device.

1. Open fileshot.io/tools/encrypt.
2. Drag your file onto the tool or click to browse.
3. Enter a strong password, or click Generate Key to create a cryptographically random key.
4. Click Encrypt. The encrypted file downloads immediately to your device.
5. To decrypt: return to the same tool, select the encrypted file, and enter the same password or key.

Method 2: Windows — 7-Zip AES-256

7-Zip is a free, open-source archive tool available at 7-zip.org. It supports AES-256 encryption when using the 7z format ("7z" container, not ZIP). ZipCrypto (ZIP format encryption) is insecure and must be avoided — always use 7z format.

1. Download and install 7-Zip from 7-zip.org (free).
2. Right-click the file or folder you want to encrypt.
3. Select 7-Zip > Add to archive...
4. In the "Archive format" dropdown, select 7z (not ZIP — see below).
5. In the Encryption section, set "Encryption method" to AES-256.
6. Check Encrypt file names — this prevents anyone from seeing the filenames inside the archive without the password.
7. Enter and confirm your password. Click OK.

Method 3: Windows EFS and BitLocker (Built-In)

Windows includes two built-in encryption systems, each with different use cases:

EFS (Encrypting File System) — available on Windows 10/11 Pro and Enterprise. EFS encrypts individual files or folders and ties the encryption key to your Windows user account. When you log in, encrypted files are seamlessly accessible. When another user logs in or the files are moved to a different machine, they're inaccessible.

• Right-click a file or folder > Properties > Advanced > Encrypt contents to secure data > OK > Apply.
• Windows will prompt you to back up the encryption certificate — do this. If your user account is unavailable (reinstall, AD changes), the backup certificate is the only recovery path.
• EFS is not suitable for sharing — the key is tied to your user account, not a password the recipient knows.

BitLocker — available on Windows 10/11 Pro and Enterprise. BitLocker encrypts entire drives (including USB drives with BitLocker To Go), not individual files. Suitable for protecting a USB drive full of sensitive files.

• Right-click a drive in File Explorer > Turn on BitLocker > follow the wizard.
• Save or print the recovery key — without it, if you forget the password, the drive contents are permanently inaccessible.
• BitLocker uses AES-128 by default; set AES-256 via Group Policy (Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose drive encryption method).

Method 4: macOS — Disk Utility and OpenSSL Terminal

Disk Utility encrypted disk image (easiest)

1. Open Disk Utility (from Spotlight or Applications > Utilities).
2. File > New Image > Image from Folder...
3. Select the folder to encrypt.
4. Set Encryption to "256-bit AES encryption".
5. Set Image Format to "read/write disk image".
6. Enter and confirm a password. Click Choose.
7. Disk Utility creates a .dmg file. Double-clicking it prompts for the password to mount the image.

OpenSSL via Terminal (for individual files)

macOS ships with OpenSSL. To encrypt a single file:

openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -in secret.txt -out secret.txt.enc

To decrypt:

openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in secret.txt.enc -out secret.txt

The -pbkdf2 -iter 100000 flags enable PBKDF2 key derivation (required for secure password-based encryption — without this, older OpenSSL versions use a weak KDF).

Method 5: Linux — GPG and OpenSSL

GPG (GnuPG) — symmetric encryption of a single file

# Encrypt (will prompt for passphrase)
gpg --symmetric --cipher-algo AES256 secret.txt
# Outputs: secret.txt.gpg

# Decrypt
gpg --decrypt secret.txt.gpg > secret.txt

GPG also supports public-key encryption — each recipient has a public/private keypair. You encrypt with the recipient's public key; only their private key can decrypt. This is the most secure model for sharing encrypted files with named recipients and provides non-repudiation.

# Encrypt for a specific recipient (they must have a GPG keypair)
gpg --encrypt --recipient recipient@example.com secret.txt

# Recipient decrypts with their private key
gpg --decrypt secret.txt.gpg > secret.txt

OpenSSL — AES-256-CBC with PBKDF2 (same as macOS above)

openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -in secret.txt -out secret.txt.enc
openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in secret.txt.enc -out secret.txt

Method 6: VeraCrypt — Encrypted Containers (All Platforms)

VeraCrypt creates encrypted virtual disk volumes — a single encrypted container file that mounts as a drive. Suitable when you have many files to protect, or when you need plausible deniability (VeraCrypt supports hidden volumes). Free and open-source. Available for Windows, macOS, and Linux.

1. Download VeraCrypt from veracrypt.fr.
2. Open VeraCrypt > Create Volume.
3. Choose "Create an encrypted file container" for a portable encrypted file, or "Encrypt a non-system partition/drive" for a USB drive.
4. Choose Standard VeraCrypt volume.
5. Select a location and name for the container file.
6. Choose encryption algorithm: AES with XTS mode is the default and appropriate for most use cases.
7. Set the volume size.
8. Set a strong password. After creation, the container appears as a drive letter when mounted.

VeraCrypt is particularly appropriate for storing a large collection of sensitive documents, a development secrets folder, or sensitive client files locally.

Comparison: File Encryption Methods

After Encrypting: Sharing Securely

Encrypting a file is one layer. When you share it, the channel you use adds a second layer of risk. Email providers (Gmail, Outlook) can read attachments. Google Drive and Dropbox can access content they host.

For an end-to-end solution: encrypt the file locally using the FileShot File Encrypt tool or 7-Zip, then upload the encrypted file to FileShot's file sharing service. FileShot applies an additional layer of AES-256-GCM encryption before upload, so the server sees double-encrypted ciphertext. Set a link expiry. The recipient receives the link, downloads the ciphertext, FileShot decrypts the outer layer in their browser, and they use your password to decrypt the inner layer.

Frequently Asked Questions

What is the best free program to encrypt files?

For no-installation encryption: fileshot.io/tools/encrypt (AES-256-GCM, browser-based). For Windows desktop: 7-Zip (7z format, AES-256, free). For encrypted containers: VeraCrypt (free, open-source, all platforms). For command-line/developer use: GPG or OpenSSL (free, cross-platform).

How do I encrypt a file on Windows 10 or 11?

Three options: (1) Browser tool — no install: fileshot.io/tools/encrypt. (2) 7-Zip (free): right-click > 7-Zip > Add to archive, set format to 7z, enable AES-256, check "Encrypt file names", set password. (3) Windows EFS (built-in, Pro/Enterprise): right-click > Properties > Advanced > Encrypt. Note: EFS is not shareable — it ties encryption to your Windows account.

How do I encrypt a file on Mac?

Three options: (1) Browser tool: fileshot.io/tools/encrypt in Safari or Chrome. (2) Disk Utility: File > New Image > Image from Folder, set encryption to AES-256. (3) Terminal OpenSSL: openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -in file -out file.enc.

Is AES-256 encryption safe for files?

AES-256 is the current NIST standard and is used for classified government data. No practical attack exists. Security depends on: key/password strength (use a password manager to generate a strong one), the key derivation function (must be PBKDF2, Argon2, or scrypt), and the mode of operation (GCM is preferred, CBC with PBKDF2 is acceptable). FileShot's File Encrypt uses AES-256-GCM with PBKDF2-SHA256.

What is the difference between encrypting and password-protecting a file?

Password protection (e.g., pre-2013 Office documents) often applies an access control check without truly encrypting the underlying data — bypassed by free tools in seconds. True encryption transforms the file contents into ciphertext mathematically bound to the key. With AES-256 and a strong password, the file is computationally inaccessible regardless of how it's obtained. Always verify that a tool uses a recognized cipher (AES-256) and proper key derivation — not just "password protection".