There are two honest answers to "how to encrypt a file" — and which one you want depends on what you're protecting against. To stop someone reading a single document you email or store, you can encrypt that file with a password in a couple of clicks. To stop your cloud provider from reading what you upload, you need encryption that happens on your own device first. This guide covers both, with the four methods that actually work in 2026, and the small mistakes that quietly leave files readable.
First: what are you protecting against?
The right tool depends entirely on the threat:
- A stolen or lost laptop → encrypt the whole disk (BitLocker on Windows, FileVault on macOS) or keep sensitive files in an encrypted vault.
- A file you email, share, or hand off on a USB stick → encrypt that individual file with a password.
- A cloud provider that can read your files → use client-side (zero-knowledge) encryption so files are scrambled before they ever reach the provider.
Mix these up and you'll "encrypt" the wrong thing. Below, the four methods map to these cases.
Method 1 — Password-protect a file with 7-Zip (Windows, free)
The simplest free way to encrypt a single file or folder on Windows:
- Install 7-Zip (free, open-source).
- Right-click the file → 7-Zip → Add to archive…
- Set Archive format to 7z, then under Encryption type a strong password and set the method to AES-256.
- Click OK. You now have an encrypted archive; anyone needs the password to open it.
The key detail: use the 7z format with AES-256, not the old "ZipCrypto" built into Windows Explorer, which is weak and breakable. On macOS, the equivalent is creating an encrypted disk image in Disk Utility (File → New Image → Blank Image, choose 128- or 256-bit AES encryption).
Method 2 — Cryptomator for an encrypted folder (Windows, Mac, free)
If you want an ongoing folder that stays encrypted — not a one-off archive — Cryptomator is the standard free, open-source choice. It creates a "vault": you drop files into it as normal, and Cryptomator transparently encrypts each one with AES-256 behind the scenes. Crucially, the vault lives inside any folder you like, including a cloud folder, so the provider only ever sees ciphertext.
We compare it head-to-head with another popular tool in Cryptomator vs VeraCrypt — VeraCrypt is better for encrypting a whole drive or a fixed container; Cryptomator is better for files you sync to the cloud.
Method 3 — Encrypt before uploading to the cloud
This is the case most people actually mean. Mainstream clouds (Dropbox, Google Drive, OneDrive) encrypt your files "in transit and at rest" but hold the keys themselves, so they can technically read what you store. Two ways to fix that:
- Bolt on encryption: put a Cryptomator vault inside your existing cloud folder. The provider syncs only the encrypted blobs.
- Use a zero-knowledge provider: pick a service that encrypts on your device by default, so there's nothing to bolt on and the company cannot read your files. pCloud's Crypto add-on does client-side encryption; Proton Drive is end-to-end encrypted by default.
The difference between the two is just whether you add a layer or choose a service built that way. See client-side encryption for how the mechanism works.
Add zero-knowledge encryption → pCloud Crypto
Client-side encryption · only you hold the key · Swiss jurisdiction
Method 4 — Full-disk encryption (the whole laptop)
If your real worry is a lost or stolen device, encrypting individual files is the wrong layer — encrypt the whole disk once and every file on it is protected at rest:
- Windows: turn on BitLocker (Settings → Privacy & security → Device encryption, on supported editions).
- macOS: turn on FileVault (System Settings → Privacy & Security → FileVault).
Full-disk encryption protects against someone pulling your drive out, but it does not protect a file once your computer is unlocked and running, nor a file you upload to the cloud. That's why it complements — rather than replaces — the per-file methods above.
The password is the whole game
Every method here reduces to one thing: your password is the key. A weak password makes AES-256 pointless; a lost password usually means the file is gone for good, because well-built encryption has no master key or reset. So:
- Use a long, unique passphrase (four or more random words, or 16+ mixed characters).
- Never reuse an encryption password.
- Store it in a password manager, not next to the file.
- For irreplaceable files, keep a securely-stored backup of the password before you rely on the encryption.
The bottom line
To encrypt a single file fast, use 7-Zip with AES-256 (Windows) or an encrypted disk image (macOS). For a folder that follows you into the cloud, use Cryptomator. To keep your cloud provider from reading anything, encrypt client-side or move to a zero-knowledge service. And to protect a whole laptop, turn on BitLocker or FileVault. Match the method to the threat — and guard the password, because it's the one thing standing between your file and anyone who wants it.
Editorial guide based on the documented behaviour of the named tools (7-Zip AES-256, Cryptomator AES-256 vaults, BitLocker/FileVault full-disk encryption) and the provider-held-keys model of mainstream clouds. We distinguish per-file, per-folder, full-disk and zero-knowledge encryption plainly. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you and with no influence on the assessment.
Frequently asked questions
- What is the easiest way to encrypt a file?
- For a single file or folder, the easiest free method is a password-protected archive. On Windows, install 7-Zip (free), right-click the file, choose 7-Zip then 'Add to archive', set the format to 7z and pick AES-256, then type a strong password. On macOS you can use Disk Utility to create an encrypted .dmg, or zip and password-protect via Terminal. Anyone you send it to needs the password — and only the password — to open it. This is plenty for emailing or storing one sensitive document; it's not the same as protecting your whole disk or your cloud account.
- How do I encrypt a file with a password?
- Password encryption means the file is scrambled with a key derived from your password, so without that password it's unreadable ciphertext. Use 7-Zip (Windows) or an encrypted disk image (macOS) for one-off files, or Cryptomator for a whole folder that stays encrypted. The critical part is the password itself: make it long and unique, because there is no 'forgot password' recovery — lose it and the file is gone. Store it in a password manager, not in the same folder as the file.
- Is encrypting a file with a ZIP password safe?
- It depends on the ZIP. The old 'ZipCrypto' standard built into Windows Explorer is weak and can be broken — avoid it for anything sensitive. A modern 7-Zip archive in 7z format with AES-256, or WinRAR with AES, is genuinely strong as long as your password is strong. So 'a ZIP password' is safe only when it uses AES-256, not the legacy method. When in doubt, use 7-Zip's 7z format and set encryption to AES-256.
- How do I encrypt files before uploading to the cloud?
- Two reliable ways. Encrypt them yourself first with a tool like Cryptomator, which creates an encrypted vault inside any cloud folder (Dropbox, Google Drive, OneDrive) so the provider only ever stores ciphertext. Or use a zero-knowledge provider that encrypts on your device automatically — then you don't bolt anything on, and the company cannot read your files by design. Both give you encryption the provider can't undo; the difference is whether you add a layer or pick a service built that way.
- What happens if I forget the encryption password?
- In a properly designed encryption tool, forgetting the password usually means the file is permanently unrecoverable — that's the whole point: no one, including the maker, holds a master key. There is no support line that can unlock it. This is why you should always store encryption passwords in a password manager and, for irreplaceable files, keep a securely-stored backup of the password (or the file in a second protected location) before you rely on it.
Add zero-knowledge encryption → pCloud Crypto
Client-side encryption · only you hold the key · Swiss jurisdiction
