If you have a Gmail account, you have 15GB of free cloud storage from Google. It's pretty handy, because it works across a variety of devices, and desktop users can create a special folder on their computer and drop files into it, and that folder syncs with your Drive account as fast as the file can be sent to the cloud. Of course, convenience isn't the only concern for cloud backup services, as we explained recently in our review roundup. Our cloud of choice is SOS Online Backup. But because you may have good reasons for sticking with Google Drive, we've come up with a few things you can do to tighten its security.

Pre-encrypting your files

SOS has an optional function called client-side encryption, sometimes called "zero knowledge." Most cloud backup services keep a copy of your encryption keys, so they can access the files in your account. With client-side encryption, only you can unlock your cloud data.

Google Drive does not use client-side encryption. So if you don't want Google to have its own set of keys to your cloud files, you have to take a few extra steps. One option is to put your files inside a ZIP file, put a password on that, and send it to the cloud. This has to be done manually, however, so it's pretty inefficient and tedious if you need to handle a large volume of files. A better option is to automate encryption and compression with third-party tools that plug into your Google Drive account. Your options include Cloudfogger, CryptSync, Duplicati, and Boxcryptor, among others. Ideally, you want an app that is multiplatform, low-cost, and straightforward. Boxcryptor arguably fits that description the most, so let's look at how that one works.

Setting up Google Drive on a desktop computer

To set up Boxcryptor on a desktop, first create a Google Drive folder. You can install Boxcryptor first, if you like, but this way is easier, because Boxcryptor will automatically locate your Google Drive folder during installation and add it to its list. Download Google Drive (Windows, Mac), and it will walk you through its installation, which is pretty straightforward. However, keep in mind that it will download everything in your Google Drive cloud by default. So you can grab all your files from the cloud and encrypt them now, or you can tell the app to only look in specific folders that you've created in Google Drive. Anything not in a folder will get downloaded no matter what. If you don't want that to happen, go to a Web browser, log in to your Drive account, create a new folder, sweep all your loose files into it, and optionally create a folder specifically for Boxcryptor items.

To tell the version of Google Drive on your desktop to ignore or monitor specific folders in your cloud Drive, go to Step 4 of 4 in Google Drive's installer, click Advanced Setup, and click the radio button next to "Only these folders." A list of your cloud Drive files shows up underneath. Check the boxes next to the folders that you want to sync, and click the Start Sync button.


Once you're done setting up Google Drive, it will create a folder that you drop files in, which syncs automatically with the cloud Drive that you can access from anywhere. The next step is to use Boxcryptor to pre-encrypt those things before they get synced, since Google Drive doesn't provide its own client-side encryption.

Setting up Boxcryptor

First, download and install Boxcryptor (Windows, Mac). When you are finished, it will tell Windows users to reboot to finish installation, and then you'll see the Boxcryptor login window. If you don't want to create a Boxcryptor account right now, click the three dots in the lower right-hand corner, go to Local Account, and click the Setup Account link. Since you are creating an offline account, you need to be responsible for the key that you use to decrypt your files. The program will ask you to affirm that you're aware that losing the key file will make it impossible to decrypt your files. To continue, check the box and click the Create Key File button. Give this file a name and click the Save button.


Now Boxcryptor will tell you to create a password for that key. If you have a password manager, you can use that to make a strong password. When you check the boxes to affirm that you read the Terms of Use and the privacy policy, your Web browser will open the pages on the company's website that house those documents, for review. Click Next, affirm the importance of remembering your password (you can't reset this one or get it from a third party), click Next, review your settings, and click Next one last time to finish creating your local Boxcryptor account. The next window will give you three plans to choose from, with a link to a page that explains each in detail. For now, we can stick with the free option. Once you've chosen, enter your new password to activate Boxcryptor.

Using Boxcryptor

Once you've logged in, you'll see a window displaying a virtual Google Drive, plus a side window with several short tutorials on the the program's mechanics. When you click and drag a file to the Google Drive folder, you will get a prompt asking if you want to encrypt it. Files encrypted with Boxcryptor will have a small green padlock on their icon. When you drag a file out of this folder, it will automatically decrypt, since you are logged in to your local decrypt account.

Although this version of Boxcryptor is free, there are a few drawbacks. One, you can't share these files with other people unless they have your decryption password, which is generally not something that you want to share. Everything that you encrypt with Boxcryptor uses the same password to decrypt it. So someone who can open one of your files could open all of them. The other main disadvantage is that the company can't reset your password. If you want those two features, you'll need to sign up for a premium Boxcryptor account, which is $48 per year (which works out to $4 a month).

Beefing up your Google account password

Even if you pre-encrypt all your Google Drive files with third-party software, a low-quality Google account password can still give the bad guys access to your Gmail, Google calendar, Google Docs, and possibly your credit card, if you've set it up with Google Wallet. You can create your own password, but the more complicated it gets -- because you want to make it difficult to guess -- the harder it is to remember. So we strongly recommend using a password manager like Dashlane, Blur (Chrome, Firefox), or LastPass (Windows, Mac). These can generate tough passwords that you paste into place, rather than typing. That means that they can be really long and complicated, making them difficult to crack or guess. If you're making your own password, make it at least 16 characters and mix in uppercase and lowercase letters, numbers, and special characters.

You can also add a second layer of protection with two-factor authentication (2FA), sometimes called two-step verification. With 2FA enabled, you log in to your Google account, and Google sends a text or voice message containing a short code to a phone number that you've certified is yours (or you can receive the code via email, or use Google's authentication app (Android, iOS). Enter the code on the Google website to complete login. Go to Google's two-step verification page to set it up.

With 2FA on your account, a password cracker would needs access to your phone, email, or Google account to reach your Gmail. Since your phone is the most difficult to access, we recommend the text message option. If your phone gets lost, stolen, or damaged, you can't use it to verify yourself, but you can print out authentication codes ahead of time and store them in your wallet. We recommend making additional copies of that printout and storing them in another safe place, in your home or even a safe deposit box, in case you lose your wallet as well.

More resources

Tom is the senior editor covering Windows at Download.com.