It’s that time. We all are doing our taxes online now. Some of us need some help and that usually ends up with digitally sending tax documents.
Do not ever, under any circumstance, email a document that has your SSN, home address, phone number, bank information, etc. unencrypted. That is a good way to lose all of your money and even your identity.
I use two free services to send my encrypted documents out: AESCrypt and Dropbox. You can use any online file sharing service for this for this step such as Google Drive, OneDrive, sync, etc.
Get AESCrypt installed on your computer. Go here and install for your platform.
You want to send one encrypted blob of data. Put all of your files into a single folder and zip that up. On the Mac, select the file and go to File >> Compress “Sensitive Docs”.
Follow the directions for your platform to encrypt your zip file. On the Mac, drag the file onto the dock icon and enter a strong password when prompted.
I suggest using a secure password generator like the one over at GRC.com. You can also use Lastpass or whatever you use (even the commandline) to manage your passwords. Make a note of that password though. You can keep a copy of the password in TextEdit or NVAlt – the documents are already on your computer.
Steve Gibson recommended, on the Security Now Podcast, to use a long string of numbers that can easily be read over the phone such as, “32 67 89 14 75 12 99”, etc.
You can send them the file directly through the Dropbox website or get the link and send it separately.
If you send an email with a link to your encrypted document, it doesn’t make sense to put the password into that email. Additionally, you might not want to send the password from your account to that same account. Try to send the password over iMessage, Signal, or another instant messenger, or to a secondary email address the person has.
This would be a good time to send them the decryption instructions if they need some help.
Once the recipient has confirmed that they have the documents and have decrypted them on their own machine you will remove the encrypted documents from Dropbox. Sure they are safe, but there is no reason to keep that online.
You can use any temporary online storage solution you have access to in order to send the file, but sending via email attachment will ensure that your encrypted file is available permanently for offline attacks
*Use openssl from the cli:
openssl rand -base64 12