If your computer gets stolen, it’ll cost you to replace it, but that may be the least of your worries. You can bet the thief will comb through your files for credit card numbers, account passwords, secret documents, or anything at all that could be monetized. The cost of losing that data could be way more than the cost of a new computer, but you can minimize that collateral damage by using encryption to protect your sensitive files! Steganos Safe makes creating secure, encrypted containers for your sensitive files simple, and it offers some uncommon advanced features.
For $34.95, $5 less than when I last reviewed this product, you can install Steganos Safe on up to five PCs. This is a one-time fee, not a subscription. You only pay again if you want to buy a newer version. Folder Lock and Ranquel Technologies CryptoForge cost about the same, while Cypherix PE and CryptoExpert go for $45 and $59.95 respectively. These are also one-time prices, but they just give you a single installation. The five-license package that Steganos offers is a distinct bargain.
In addition to this standalone product, Steganos Safe is an integral part of the full Steganos Privacy Suite. This suite also includes Steganos Password Manager and other useful tools.
What Is Encryption?
Throughout history, kings, queens, and generals have needed to communicate their plans in secret, and their enemies have toiled mightily trying to crack their secret communication systems. A cipher that simply replaces every letter with a different letter or symbol is easy enough to crack based on letter frequency, so old-time cryptographers needed something stronger.
France’s Louis XIV used a system called The Great Cipher, which held out for 200 years before anyone cracked it. Father-son team Antoine and Bonaventure Rossignol conceived the idea of encoding syllables rather than letters, and letting multiple code numbers represent the same syllable. They also included nulls, numbers that contributed nothing to the cipher. And the use of syllables from the French put yet another obstacle in the way of foreign code breakers. But even this long-unbroken cipher pales in comparison with modern encryption technology.
Advanced Encryption Standard (AES), the US government’s official standard, runs blocks of data through multiple transformations, typically using a 256-bit key. Bruce Schneier’s Blowfish algorithm should be even tougher to crack, as it uses a 448-byte key.
Whatever the size of the key, you must transmit it to the recipient somehow, and that process is the weakest point in the system. If your enemy obtains the key, whatever its size, you lose. Public Key Infrastructure (PKI) cryptography has no such weakness. Each user has two keys, a public key that’s visible to anybody and a private key that nobody else has. If I encrypt a file with your public key, you can decrypt it with your private key. Conversely, if I encrypt a file with my private key, the fact that you can decrypt it with my public key proves it came from me—a digital signature.
Getting Started With Steganos Safe
The Steganos encryption utility’s installation is quick and simple. Once finished, it shows you a simple main window that has two buttons at top, one to create a new safe and one to open a hidden safe. In this context, a safe is just the name for an encrypted container. New since my last review, you can choose from light, medium, and dark versions of the modern or classic user interface. Screenshots in this article use the default modern light appearance.
When a safe is open, it looks and acts precisely like a disk drive. You can move files into and out of it, create new documents, edit documents in place, and so on. But once you close the safe, its contents become totally inaccessible. Nobody can unlock it without the password—not even Steganos.
Most encryption tools that use the encrypted container model work like Steganos, meaning an open container looks just like any other disk drive. NordLocker is an exception. You can only copy files into the locker, and getting back a plaintext version requires an export operation. On the plus side, NordLocker has a secure sharing system built right in.
Like Editors’ Choice tools CertainSafe, AxCrypt Premium, and Folder Lock, Steganos uses AES for all encryption. However, it cranks the key size up from the usual 256 bits to 384 bits. CryptoExpert and CryptoForge offer four different algorithms, and Advanced Encryption Package goes over the top with 17 choices. Few users have the knowledge to make an informed choice of algorithm, so I see no problem sticking with AES.
New since my last review, the main window has an icon whose tooltip says, “AES-NI active – for significantly speedier safe creation.” I had to look that one up. Turns out that some years ago Intel added a set of New Instructions (NI) to its processor line, aimed specifically at speeding AES encryption by doing more in hardware. If your PC is remotely modern, it probably has AES-NI, which Steganos can use to speed encryption and decryption.
Steganos pops up a warning if you try to close a safe while you still have files from the safe open for editing. In addition to the basic safe, Steganos can optionally create portable safes, partition safes, and cloud safes. I’ll cover each safe type separately.
Create a Safe
The process of creating a new safe for storing your sensitive documents is simple, with a wizard that walks you through the steps. The wizard starts by asking a few questions to determine what kind of safe you want to create. A local safe that encrypts data on the computer you’re using (or a network drive) is the simplest.
You start by assigning a name and drive letter to the safe—the program’s main window displays the name. By default, Steganos creates the file representing your safe in a subfolder of the Documents folder, but you can override that default to put it wherever you want, including on a network drive.
Next, you define the safe’s capacity, from a minimum of 2MB to a maximum that depends on your operating system. Unlike Cypherix PE and CryptoExpert, with Steganos the initial capacity doesn’t have to be a hard limit. You can create a safe whose size grows dynamically. If the safe is small enough, you’ll see a note saying it may be hidden in an audio or video file; more about that later.
Folder Lock works a bit differently. While you must set a maximum size at creation, it only uses as much space as its current content requires. A newly created Cypherix volume requires formatting. With Steganos and others, the safe is ready for use immediately.
The next step is to select a password. If you’ve created a master password for Steganos Password Manager, the password dialog should look familiar. Steganos rates password strength as you type. If you wish, you can define the password by clicking a sequence of pictures rather than typing it. This PicPass feature is cute, but it doesn’t produce a strong password. I don’t advise using it. Just create a strong password and record it in your password manager.
To foil any possibility of password capture by a keylogger, you can enter the password using a virtual keyboard. Folder Lock and InterCrypto Advanced Encryption Package also offer a virtual keyboard. Those enjoying a high degree of paranoia can set Steganos Safe to scramble key locations on each use, and suppress visual keypress cues.
If you wish, you can store the password on a removable drive, making that drive effectively the safe’s key. By default, a safe opened in this way closes automatically when you remove the key. In itself, this isn’t two-factor authentication, as you can unlock the safe using either the key or the password, but it’s certainly convenient. In a similar situation, you can configure InterCrypto CryptoExpert to require both the master password and the USB key.
Starting a few years ago with version 19, Steganos offers actual two-factor authentication. You can use any authentication app that supports the standard Time-based One-Time Password (TOTP) algorithm. Google Authenticator is a well-known example, but there are plenty of others. To link the app with your safe, you snap a QR code displayed by Steganos, and enter the code that your app returns. Now unlocking the safe requires both your master password and the ever-changing TOTP code.
Hide Your Safes
There’s a special option that only appears for safes smaller than 3MB. If you’ve chosen an acceptable size, a link appears explaining how you can create a hidden safe. After you create a small-enough safe, Steganos can hide it inside a video, audio, or executable file.
This technique of hiding the fact that a secret even exists is called steganography, which is the inspiration for the company name Steganos. The concept was first mentioned in a 1499 treatise on encryption, but has really blossomed with the advent of digital media. A plot point in a recent Doctor Who special revolved around steganography!
To hide a safe, you click it, choose Hide from the menu, and select a carrier file. Steganos stuffs the entire safe into the carrier, without affecting that file’s ability to function as a program or audio/video file. To open it, you click Open a Hidden Safe on the main window, select the carrier, and enter the password. Just don’t forget where you hid the safe! Once you hide a safe inside a file, it can no longer resize dynamically as needed, which makes sense.
I copied a couple large media files to the test system, one each in MOV and MP4 format. I was surprised to find that Steganos rejected both. Despite mentioning hiding safes in audio or video files, its supported filetype list holds only MP3, M4A, AVI, and EXE. I chose a large EXE file from my collection of old PCMag utilities and successfully hid a safe within it.
When I last reviewed Steganos Safe, I discovered a serious problem—hiding a safe protected by two-factor authentication was a recipe for losing your data permanently. That’s been fixed. I had no trouble opening a hidden safe using both password and 2FA code.
For additional security, consider creating a portable safe that you store in a secure location when you’re not using it. From the safe creation wizard’s first screen, click the option to create a portable safe. Next you select the target device, which can be a USB storage device or an optical drive. You define the size, as for a regular safe. Note that to save a portable safe of 4GB or larger, you may need to reformat the USB device to use NTFS rather than FAT32. After you add the necessary password, you get into territory specific to portable safes.
Steganos creates and opens what it calls a prepackaging drive. You drag the desired files into the prepackaging drive. When you click Next, Steganos creates the necessary files on the target device. By observation, the prepackaging drive isn’t needed after the initial creation step.
If the portable safe is small enough, not much more than 400MB, Steganos creates what it calls a SelfSafe by default. As with the hidden option for regular safes, this option only appears when the safe size is small enough. The SelfSafe is a single executable file called SteganosPortableSafe.exe that contains both the necessary decryption code and the data representing the safe’s contents. For larger portable safes, Steganos stores the contents in a portable safe folder and adds a file called usbstarter.exe. Either way, launching the program lets you enter the password and open the portable safe.
In testing, I did run into one surprise. It turns out that a portable safe is not completely portable; it requires the Steganos Live encryption engine. Installing the engine apparently doesn’t use up one of your licenses, but it does require rebooting the computer.
As noted, you can open a portable safe on any PC on which you’ve installed the Steganos Live encryption engine. Creating a cloud safe is another way to share your encrypted files between PCs. Steganos supports the cloud storage services Dropbox, Google Drive, and Microsoft OneDrive. Whichever you choose, you must install that service’s desktop app. The help advises sticking to small safes with Google Drive and OneDrive, as these two must re-sync the entire safe when there’s any change. Dropbox can selectively sync changes only. For testing purposes, I installed the Dropbox app.
As with a regular safe, you select a name and drive letter and then choose the safe’s size. For a cloud safe, you don’t get the option to have the safe expand as needed, but you can use two-factor authentication. Create your password, wait for the safe’s initialization, and you’re ready to go. The safe syncs to the cloud each time you close it, and you can use it on any PC that has both Steganos Live encryption and the proper cloud app installed.
A few years ago, Steganos introduced the concept of a partition safe, meaning it can convert an entire hard drive partition into a safe. Doing so requires restarting Steganos Safe with administrator privileges. When Steganos turns a partition into a safe, it wipes out all existing data, so tread carefully. Naturally you don’t set a size, as the safe occupies the entire partition. You do enter a master password, with the option to invoke two-factor authentication, or store the password on a USB device.
When I first tested this feature, I tried to convert the main Windows partition into a safe. Fortunately, that attempt failed, and did no harm.
This time around, the main Windows partition correctly did not appear in the list of available partitions, though the Recovery Partition created by Windows 10 did show up. When I chose a non-system partition, the process went smoothly. Converting a 20GB partition to a safe took less than three minutes, much faster than when I last timed this process.
Of the four types of safes, this one’s my favorite. Just unlock it and you’ve got a whole drive partition to store important stuff in. Lock it and nobody can touch your stuff. Note that the original partition, in my case drive E:, still shows up in Windows Explorer, but to Windows, it looks like a drive that’s corrupt or not formatted. Don’t get flustered and format it, else you’ll wipe out your partition safe.
Advanced Safe Features
Click a safe and click Settings to bring up the administration dialog. Here you can change the password, name, and file location for the safe, but that’s not all. On the main page of the dialog you can color-code the safe and choose whether Windows should see it as a local drive or a removable drive. On the Events tab, you can choose whether to open the safe when you log on, and whether to close it on events such as screen saver activation or going into standby. If you’ve configured the safe to unlock with a USB device, you can set it to unlock automatically when the device connects and close automatically when the device is removed.
There’s an option to run a specific command right after the safe opens, and another right after it closes. For example, you could configure it to automatically launch a file that resides within the safe after opening it, or automatically make a backup copy after closing it. I’m not sure how many consumers will use this feature, but I imagine it’s popular with security geeks.
Perhaps most peculiar is the Safe in a Safe feature. Safe in a Safe defines a separate safe, hidden within a normal safe that’s at least 10MB in size. The inner safe occupies a user-defined percentage of available space and has its own separate password. Depending on which password you use to open the safe, you either open the Safe in a Safe, or the original safe that contains it. Sneaky!
But take care. If you overfill the outer safe, its contents can wipe out the super-secret Safe in a Safe. And you’d better not forget which safe contains your Safe in a Safe.
Putting your most sensitive files into an encrypted safe is smart, but if you leave the unencrypted originals on disk, you haven’t accomplished much, security-wise. Even if you delete the originals and empty the Recycle Bin, they’re not really gone, because their data remains on disk until new data overwrites it. For true privacy, you must use a secure deletion tool that overwrites file data before deletion, something like this program’s simple file-shredder component.
To use the shredder, just right-click a file or folder and choose Destroy from the menu that appears. Steganos overwrites the file’s data once and then deletes it. This should be enough to foil software-based file recovery systems, though it would still be theoretically possible for a hardware-based forensic tool to get back some or all of the data. Folder Lock, by contrast, lets you choose up to 35 overwrite passes, which is overkill, as there’s no added benefit after seven passes. AxCrypt, CryptoForge, Cypherix SecureIT, and several others also offer secure deletion of original files.
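A single-pass overwrite followed by deletion, as described above, sketched as an added example (not Steganos code; the function names and the sample file contents are constructed for illustration). The overwrite has to happen in place and be flushed to disk before the file is unlinked, and on SSDs or copy-on-write filesystems the new data may still land on different physical blocks than the original.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not fill RAM

def overwrite_in_place(path):
    """Replace every byte of the file with random data; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:           # r+b keeps the existing allocation
        while written < size:
            n = min(CHUNK, size - written)
            f.write(secrets.token_bytes(n))
            written += n
        f.flush()
        os.fsync(f.fileno())               # push the overwrite out of the OS cache
    return written

def destroy(path):
    """One overwrite pass, then rename to a random name and delete."""
    written = overwrite_in_place(path)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)            # hide the original name in the directory entry
    os.remove(anonymous)
    return written

def demo():
    """Run against a constructed sample file and report what happened."""
    fd, path = tempfile.mkstemp()
    secret = b"account-password=constructed-sample\n" * 100
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    written = destroy(path)
    return {"same_length": len(after) == len(secret),
            "plaintext_survived": b"constructed-sample" in after,
            "file_exists": os.path.exists(path),
            "all_bytes_overwritten": written == len(secret)}

if __name__ == "__main__":
    print(demo())
```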
When I last examined this product, the main menu included an option to launch the full File Shredder utility. Among other things, this tool could overwrite all free space on a disk, effectively shredding all previously deleted files, and it could shred an entire drive’s data. This feature is no longer present in Steganos Safe. Also absent is the Trace Destructor, which aimed to enhance privacy by wiping out traces of your browser and computer use.
Comprehensive Encrypted Storage
Steganos Safe focuses on the singular task of creating encrypted storage containers for your sensitive files, and it does that task very well. It’s easier to use than most of its competitors, and its Safe in a Safe and hidden safe options are unique. Your purchase gets you licenses to install and use the product on five PCs.
However, Folder Lock does most of what Steganos does, and quite a lot more. Its features include encryption of individual files and folders, secure storage of private data, and (at an extra cost) secure online backup. AxCrypt Premium is even easier to use than Steganos, and it supports public key cryptography. CertainSafe Digital Safety Deposit Box protects your cloud-stored encrypted files against any possibility of a data breach. These three are our Editors’ Choice products for encryption, but Steganos is a worthy contender.