June 1, 2016
When you use AxCrypt 2, first you have to “sign in” – after the first time, that’s just entering your password. Since AxCrypt is a password based file encryption application, that makes sense. Even if the password is really the only thing that’s required to decrypt a file, we decided to use the “sign in” metaphor for a number of reasons, among others to make it harder to make a fatal mistake that sometimes happened with AxCrypt 1, which was to mistype the password twice when encrypting a new file. This would sometimes lead to data loss, and that’s bad.
Once you are signed in to AxCrypt 2, it’ll stay signed in until you sign out, or the screen saver goes active, or the device goes to sleep, or you sign out of your user account, or you power down the device.
This is done by careful design to make AxCrypt 2 as convenient as possible to use, i.e. reduce the number of times the password must be entered. This, we believe, will make it used more and thus protect more files. If it’s inconvenient, you won’t use it as much.
However, now and then we get feedback from users stating “But what if someone walks up to my computer? Then all my files are unprotected.“.
Yes, that’s true. But it almost makes no difference if AxCrypt is signed in or not, if you leave your device unprotected so anyone can walk up to it and access it with your user sign in permissions.
It’s that simple. Security is about a chain of measures, and it’s the weakest one that controls the strength of the system.
If you let anyone walk up to your device and it’s signed in with your user, you should consider that computer compromised and re-install from original media.
AxCrypt has always been an opinionated application. This means we have opinions about how it should be used, opinions we base on the fact that encryption is all we do. We eat, drink, think and dream about encryption 24 hours a day. We think our opinions are fairly valid. Of course we’re not infallible, but we’re seldom far off the mark.
AxCrypt has always been about real, definable, security. It’s not about making you feel secure. It is about making you actually secure within well defined bounds and limitations. Making you feel more secure by having you pointlessly re-enter a password a zillion times is not our thing.
It should also be noted that AxCrypt is not really 100% about local device security, there are too many things outside our control for that. For local device security, we recommend using hard disk or device encryption such as BitLocker, FileVault or mobile device encryption as an excellent complement to AxCrypt.
To summarize, we do not think think that the “what if someone walks up to my computer” argument against having AxCrypt stay signed in is valid.
We think you should activate your screen saver if you walk away from a device with information on it confidential enough to warrant encryption in the first place.
Svante, Developer and Co-Founder AxCrypt AB.