You can replace a stolen computer (though your wallet may complain), but that theft has wider implications. A clever thief will peruse all your files looking for anything that can be monetized, from credit card details to bank account passwords. Don’t let that happen. When you’ve encrypted your sensitive files, a thief (or data-stealing Trojan) can’t get at that sensitive data. Steganos Safe makes creating secure, encrypted containers for your sensitive files simple, and it offers some uncommon advanced features.
How Much Does Steganos Safe Cost?
For $34.95, you can install Steganos Safe on up to five PCs. This is a one-time fee, not a subscription. You only pay again if you want to buy a newer version. Folder Lock and CryptoForge cost about five dollars more, while Cypherix PE and CryptoExpert go for $45 and $59.95, respectively. These are also one-time prices, but they just give you a single installation. The five-license package that Steganos offers is a distinct bargain.
In addition to this standalone product, Steganos Safe is an integral part of the full Steganos Privacy Suite. This suite also includes Steganos Password Manager and other useful tools.
What Is Encryption?
Throughout history, kings, queens, and generals have needed to communicate their plans in secret, and their enemies have toiled mightily trying to crack their secret communication systems. A cipher that simply replaces every letter with a different letter or symbol is easy enough to crack based on letter frequency, so old-time cryptographers needed something stronger.
France’s Louis XIV used a system called The Great Cipher, which held out for 200 years before anyone cracked it. Father-son team Antoine and Bonaventure Rossignol conceived the idea of encoding syllables rather than letters and letting multiple code numbers represent the same syllable. They also included nulls, numbers that contributed nothing to the cipher. And the use of syllables from the French put yet another obstacle in the way of foreign code breakers. But even this long-unbroken cipher pales in comparison with modern encryption technology.
Advanced Encryption Standard (AES), the US government’s official standard, runs blocks of data through multiple transformations, typically using a 256-bit key. Bruce Schneier’s Blowfish algorithm should be even tougher to crack, as it uses a 448-byte key.
Whatever the size of the key, you must transmit it to the recipient somehow, and that process is the weakest point in the system. If your enemy obtains the key, whatever its size, you lose. Public Key Infrastructure (PKI) cryptography has no such weakness. Each user has two keys, a public key that’s visible to anybody and a private key that nobody else has. If I encrypt a file with your public key, you can decrypt it with your private key. Conversely, if I encrypt a file with my private key, the fact that you can decrypt it with my public key proves it came from me with no tampering—a digital signature.
Getting Started With Steganos Safe
Step one is to create a My Steganos account online and register the key you received on purchasing the product. When you launch the installer, you supply your My Steganos credentials to activate the key. There’s also a 30-day trial option.
The Steganos encryption utility’s installation is quick and simple. Once finished, it shows you a simple main window that has three buttons at top, one to create a new safe, one to open a hidden safe, and one to invoke the secure deletion File Shredder. In this context, a safe is just the name for an encrypted container. If you’ve created any local safes, they’ll show up as panels within the main window.
The default Modern user interface uses stylized icons with a light color scheme; you can switch it to medium or dark. There’s also a Classic user interface that changes out the icons for near-photographic pictures of safe, shredder, and so on. This, too, comes in light, medium, and dark. Screenshots in this article use a variety of interface selections.
When a safe is open, it looks and acts precisely like a disk drive. You can move files into and out of it, create new documents, edit documents in place, and so on. But once you close the safe, its contents become totally inaccessible. Nobody can unlock it without the password—not even Steganos.
Most encryption tools that use the encrypted container model work like Steganos, meaning an open container looks just like any other disk drive. NordLocker is an exception. You can only copy files into the locker; getting back a plaintext version requires an export operation. On the plus side, NordLocker has a secure sharing system built right in.
Like Editors’ Choice tools CertainSafe, AxCrypt Premium, and Folder Lock, Steganos uses AES for all encryption. However, it cranks the key size up from the usual 256 bits to 384 bits. CryptoExpert and CryptoForge offer four different algorithms, and Advanced Encryption Package goes over the top with 17 choices. Few users have the knowledge to make an informed choice of algorithm, so I see no problem sticking with AES.
At the top left corner of the main window is an icon whose tooltip says, “AES-NI active – for significantly speedier safe creation.” This refers to a set of New Instructions (NI) in Intel processors, aimed specifically at speeding AES encryption by doing more in hardware. If your PC is remotely modern, it probably has AES-NI, which Steganos can use to speed encryption and decryption. You can’t do anything with that icon; it’s just an encouraging reminder that you’ve got enhanced encryption speed.
When you close a safe, Steganos displays an advisory suggesting that you make a backup of your safe, with an icon link to create a backup that you can store on removable media or in the cloud. That same advisory touts the wisdom of shredding file originals after copying them into the safe, with a link to the shredder. You can turn off this notification once you’ve internalized its advice.
In addition to the basic safe, Steganos can optionally create portable safes, partition safes, and cloud safes. I’ll cover each safe type separately.
Creating a Safe
The process of creating a new safe for storing your sensitive documents is simple, with a wizard that walks you through the steps. The wizard starts by asking a few questions to determine what kind of safe you want to create. A local safe that encrypts data on the computer you’re using (or a network drive) is the simplest.
You start by assigning a name and drive letter to the safe—the program’s main window displays the name. By default, Steganos creates the file representing your safe in a subfolder of the Documents folder, but you can override that default to put it wherever you want, including on a network drive.
Next, you define the safe’s capacity, from a minimum of 2MB to a maximum that depends on your operating system. Unlike Cypherix Cryptainer PE, CryptoExpert, and many others, with Steganos the initial capacity doesn’t have to be a hard limit. You can create a safe whose size grows dynamically. If the safe is small enough, you’ll see a note saying it may be hidden in an audio or video file; more about that later.
Folder Lock works a bit differently. While you must set a maximum size at creation, it only uses as much space as its current content requires. A newly created Cypherix volume requires formatting. With Steganos and most others, the safe is ready for use immediately.
The next step is to select a password. If you’ve created a master password for Steganos Password Manager, the password dialog should look familiar. Steganos rates password strength as you type. If you wish, you can define the password by clicking a sequence of pictures or symbols rather than typing it. This PicPass feature is cute, but it doesn’t produce a strong password. I don’t advise using it. Just create a strong password and record it in your password manager.
There’s also an option to generate a random password. Steganos goes farther than most, using your random mouse movements to seed the random generator. If you go for a generated password, you must record it in a password manager. You’re not going to remember a7mb4wRo7nBPHfZM, are you?
To foil any possibility of password capture by a keylogger, you can enter the password using a virtual keyboard. Folder Lock and Advanced Encryption Package also offer a virtual keyboard. Those enjoying a high degree of paranoia can set Steganos Safe to scramble key locations on each use and to suppress visual keypress cues.
New since my last review, there’s an option to create a separate emergency password. The idea is that you deposit the emergency password with a trusted third party who can use it to open the safe in read-only mode.
If you wish, you can store the password on a removable drive, making that drive effectively the safe’s key. By default, a safe opened in this way closes automatically when you remove the key. In itself, this isn’t two-factor authentication, as you can unlock the safe using either the key or the password, but it’s certainly convenient. In a similar situation, you can configure CryptoExpert to require both the master password and the USB key.
Starting a few years ago with version 19, Steganos offers actual two-factor authentication. You can use any authentication app that supports the standard Time-based One Time Password (TOTP) algorithm. Google Authenticator is a well-known example, but there are plenty of others. To link the app with your safe, you snap a QR code displayed by Steganos, and enter the code that your app returns. Now unlocking the safe requires both your master password and the ever-changing TOTP code.
Hide Your Safes
There’s a special option that only appears for safes smaller than 3GB. If you’ve chosen an acceptable size, a link appears explaining how you can create a hidden safe. After you create a small-enough safe, Steganos can hide it inside a video, audio, or executable file.
This technique of hiding the fact that a secret even exists is called steganography, which is the inspiration for the company name Steganos. The concept was first mentioned in a 1499 treatise on encryption but has really blossomed with the advent of digital media. A plot point in a recent Doctor Who special revolved around steganography!
To hide a safe, you click it, choose Hide from the menu, and select a carrier file. Acceptable file types are MP3, M4A, AVI, WMV, and EXE. Steganos stuffs the entire safe into the carrier, without affecting that file’s ability to function as a program or audio/video file. To open it, you click Open a Hidden Safe on the main window, select the carrier, and enter the password. Just don’t forget where you hid the safe! Once you hide a safe inside a file, it can no longer resize dynamically as needed, which makes sense.
For additional security, consider creating a portable safe on removable media that you store in a secure location when you’re not using it. From the safe creation wizard’s first screen, click the option to create a portable safe. Next you select the target device, which can be a USB storage device or an optical drive. You define the size, as for a regular safe. Note that to save a portable safe of 4GB or larger, you will need to reformat the USB device to use NTFS rather than FAT32. After you add the necessary password, you get into territory specific to portable safes. In testing, even a portable safe small enough to fit in the FAT32 format took much longer to create than a standard safe.
Steganos creates and opens what it calls a prepackaging drive. You drag the desired files into the prepackaging drive. When you click Next, Steganos creates the necessary files on the target device. By observation, the prepackaging drive isn’t needed after the initial creation step.
If the portable safe is small enough, not much more than 500MB, Steganos creates what it calls a SelfSafe by default. As with the hidden option for regular safes, this option only appears when the safe size is small enough. The SelfSafe is a single executable file called SteganosPortableSafe.exe that contains both the necessary decryption code and the data representing the safe’s contents. For larger portable safes, Steganos stores the contents in a portable safe folder and adds a file called usbstarter_*.exe, where the asterisk is replaced by the name of the safe. Either way, launching the program lets you enter the password and open the portable safe.
In testing, I did run into one surprise. It turns out that a portable safe is not completely portable from one computer to another. Even the supposedly self-contained SelfSafe requires the Steganos Live encryption engine. Installing the engine apparently doesn’t use up one of your licenses, but it does require rebooting the computer.
As noted, you can open a portable safe on any PC on which you’ve installed the Steganos Live encryption engine. Creating a cloud safe is another way to share your encrypted files between PCs. Steganos supports the cloud storage services Dropbox, Google Drive, and Microsoft OneDrive. Whichever you choose, you must install that service’s desktop app, a task that Steganos helps you complete. For testing purposes, I installed the Dropbox app.
As with a regular safe, you select a name and drive letter and then choose the safe’s size. For a cloud safe, you don’t get the option to have the safe expand as needed, but you can use two-factor authentication. Create your password, wait for the safe’s initialization, and you’re ready to go. The safe syncs to the cloud each time you close it, and you can use it on any PC that has both Steganos Live encryption and the proper cloud app installed.
The basic safe is a special encrypted file that Steganos processes so it looks like a drive to Windows. Steganos can also encrypt a whole drive or partition into a safe. Doing so requires restarting Steganos Safe with administrator privileges. When Steganos turns a partition into a safe, it warns that this will wipe out all existing data, just like formatting, so tread carefully. Naturally, you don’t set a size, as the safe occupies the entire partition. You do enter a master password, with the option to invoke two-factor authentication, or store the password on a USB device.
Of course, you must choose a partition other than the main Windows partition for this feature. When I chose a non-system partition, the process went smoothly. Converting a tiny 5GB partition to a safe took less than a minute.
Of the four types of safes, this one’s my favorite. Just unlock it and you’ve got a whole drive partition to store important stuff in. Lock it and nobody can touch your stuff. Note that the original partition, in my case drive E:, still shows up in Windows Explorer, but to Windows, it looks like a drive that needs formatting. Don’t get flustered and format it, else you’ll wipe out your partition safe.
Advanced Safe Features
Click a safe and click Settings to bring up the administration dialog. Here you can change the password, name, and file location for the safe, but that’s not all. On the main page of the dialog you can color-code the safe and choose whether Windows should see it as a local drive or a removable drive. On the Events tab, you can choose whether to open the safe when you log on, and whether to close it on events such as screen saver activation or going into standby. If you’ve configured the safe to unlock with a USB device, you can set it to unlock automatically when the device connects and close automatically when the device is removed.
On the Actions tab, there’s an option to run a specific command right after the safe opens, and another right after it closes. For example, you could configure it to automatically launch a file that resides within the safe after opening it, or automatically make a backup copy after closing it. I’m not sure how many consumers will use this feature, but I imagine it’s popular with security geeks.
Perhaps most peculiar is the Safe in a Safe feature. Safe in a Safe defines a separate safe, hidden within a normal safe that’s at least 10MB in size. The inner safe occupies a user-defined percentage of available space and has its own separate password and optional two-factor authentication. Depending on which password you use, you either open the Safe in a Safe, or the original safe that contains it. Sneaky!
But there’s a catch, and it’s a big one. If you overfill the outer safe, its contents can wipe out the super-secret Safe in a Safe without warning. And you’d better not forget which safe contains your Safe in a Safe. To me, using this feature just doesn’t seem, well…safe!
Putting your most sensitive files into an encrypted safe is smart, but if you leave the unencrypted originals on disk, you haven’t accomplished much, security-wise. Even if you delete the originals and empty the Recycle Bin, they’re not really gone, because their data remains on disk until new data overwrites it. For true privacy, you must use a secure deletion tool that overwrites file data before deletion, something like this program’s simple file-shredder component.
To use the shredder, just right-click a file or folder and choose Destroy from the menu that appears. Steganos overwrites the file’s data once and then deletes it. This should be enough to foil software-based file recovery systems, though it would still be theoretically possible for a hardware-based forensic tool to get back some or all of the data. Folder Lock, by contrast, lets you choose up to 35 overwrite passes, which is overkill, as there’s no added benefit after seven passes. AxCrypt, CryptoForge, Cypherix SecureIT, and several others also offer secure deletion of original files.
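The single-pass overwrite-then-delete approach described above, as an added example (not Steganos code): it replaces a file's bytes in place with random data, forces the write to disk, and only then deletes the file. The file name and contents are constructed sample data, and the chunk size is an arbitrary choice.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not fill memory


def overwrite_once(path):
    """Replace every byte of the file in place with random data."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as handle:       # r+b edits in place, no truncation
        while written < size:
            block = secrets.token_bytes(min(CHUNK, size - written))
            handle.write(block)
            written += len(block)
        handle.flush()
        os.fsync(handle.fileno())           # push the overwrite past the OS cache
    return written


def shred(path):
    """One overwrite pass, then delete; returns the number of bytes overwritten."""
    written = overwrite_once(path)
    os.remove(path)
    return written


def demo():
    """Shred a constructed sample file and report what would be left to recover."""
    with tempfile.TemporaryDirectory() as folder:
        target = os.path.join(folder, "statement.txt")
        original = b"bank password: hunter2 (constructed sample)\n" * 100
        with open(target, "wb") as handle:
            handle.write(original)
        overwrite_once(target)
        with open(target, "rb") as handle:
            after = handle.read()           # what an undelete tool would now find
        shredded = shred(target)
        return {
            "same_length": len(after) == len(original),
            "plaintext_survives": b"hunter2" in after,
            "bytes_shredded": shredded,
            "still_exists": os.path.exists(target),
        }


if __name__ == "__main__":
    print(demo())
```

An in-place overwrite only reaches the original blocks when the storage writes where it is told to; SSD wear leveling and copy-on-write or journaling filesystems can leave older copies of the data elsewhere on the device.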
New since my last review, there’s a top-row icon to invoke the File Shredder. It starts with a warning that you should double-check the integrity of the encrypted files in your safe and regularly back up the safe.
The full File Shredder utility goes way beyond simple permanent deletion. You can browse for files and folders to shred, or just drag them onto the window. If you choose Free Space Shredder, Steganos overwrites all free space on a disk, effectively shredding all previously deleted files. This can take a while, but you can stop the process if needed and pick up again where it left off. There’s also an option to schedule regular free space shredding.
The Complete Shredder option totally wipes out an entire drive, right down to the partitions. After Steganos finishes this process, you must repartition and reformat the drive from scratch.
Comprehensive Encrypted Storage
Steganos Safe focuses on the singular task of creating encrypted storage containers for your sensitive files, and it does that task very well. It’s easier to use than most of its competitors, and its Safe in a Safe and hidden safe options are unique. Your purchase gets you licenses to install and use the product on five PCs.
However, Folder Lock does most of what Steganos does—and quite a lot more. Its features include encryption of individual files and folders, secure storage of private data, and (at an extra cost) secure online backup. AxCrypt Premium is even easier to use than Steganos, and it supports public key cryptography. CertainSafe Digital Safety Deposit Box protects your cloud-stored encrypted files against any possibility of a data breach. These three are our Editors’ Choice winners for encryption, but Steganos is also a worthy contender.
The Bottom Line
Steganos Safe creates secure encrypted storage “safes” for your sensitive files. It’s simple to use, and it offers some unique options for maintaining privacy and secrecy.
Steganos Safe Specs
| Public Key Cryptography | No |
| Rate Password Strength | Yes |
| Create Encrypted Storage | Yes |
| Create Self-Decrypting EXE | No |
| Secure Deletion of Originals | Yes |