NordLocker is a new encryption tool from the highly respected VPN company NordVPN. We found it to be a powerful and easy-to-use product, albeit one that will face stiff competition from the wealth of free and open-source alternatives that are available. In this NordLocker review, we take an in-depth look at pricing, features, how secure it is and more.
A free version of NordLocker is available which limits users to 5 GB of encrypted data. Free users can, however, decrypt files of any size sent to them.
Premium users can encrypt unlimited amounts of data. Pricing is rather high for a month-by-month plan, although it does get more affordable if you buy longer-term packages.
As with the NordVPN service, you can try 30 days of NordLocker Premium out for free with a no-quibble money-back guarantee.
It should be noted that a subscription model for the kind of thing which is normally offered as a stand-alone app did raise eyebrows here in the ProPrivacy office, although, there may be good reasons for it.
- Easy drag-and-drop file and folder encryption
- Client-side (e2e) encryption
- Secure files stored in almost any otherwise insecure cloud service
- Share encrypted files with other NordLocker users
- Master password reset
- File names and directory structure encrypted
- 24/7 live chat support
NordLocker is not open-source but is based on the excellent open-source gocryptfs per-file encryption app. This means that each file in a volume is encrypted and stored individually, so a change to one file does not mean re-uploading an entire encrypted container when stored online.
The beauty of this system is that if, for example, you open a Word document stored in a NordLocker container, edit and save it, then the changes are seamlessly saved in the encrypted document.
This makes NordLocker a great choice for storing files securely on otherwise insecure cloud storage services such as Dropbox or Google Drive.
Master password reset
When you create a new account, you also choose a master password which is used to encrypt your files (see technical security below). NordLocker also generates a recovery key that's only available to you and is best kept offline for added security. This can be used to reset your master password but exercise caution. If you lose both your master password and the recovery key, then you won’t be able to open your files.
Privacy and security
NordVPN is legally based in the Republic of Panama and the NordLocker Terms of Service make it clear that all legal disputes will be resolved in that jurisdiction. Panama has an uncensored Internet and no domestic surveillance we are aware of.
It is also outside any direct sphere of influence of the United States and its Five Eyes spying partners, although a strong economic presence might allow the US to exert indirect pressure on the Panama government should it wish to.
NordVPN has admitted to having close links with Lithuanian infrastructure provider Tesonet, but the exact nature of this relationship remains unclear.
NordLocker provides client-side encryption, so its developers have no access to your encrypted data, although some aggregated and pseudo-anonymized diagnostics and usage data are sent from its apps to Tefincom. The Windows client has an option to turn such sharing off, although this is sadly not present in macOS just yet.
All data which is collected may be shared with third-party service providers, affiliated companies, and officials in accordance with valid legal demands. European customers’ data is, of course, protected by GDPR.
The first thing to note is that NordLocker is a closed-source proprietary software. This means we just have to trust its developers that it is what they say it is, and that it’s not doing anything it shouldn’t. Such is the nature of all closed-source software.
All files are encrypted client-side, meaning that NordLocker provides end-to-end encryption. You encrypt your files, and only you or other NordLocker users you have chosen to share them with can decrypt them.
So even if you store them somewhere wildly insecure, such as Dropbox or Google Drive, they are secure.
Data is secured using AES-256-GCM and the encryption keys hashed using Argon2. Both of which are tried and tested cryptographic primitives. Public key cryptography for the generation and authentication of asymmetric key pairs, however, is via Elliptic-curve cryptography (ECC) instead of the more common RSA.
Locker keys never leave your desktop without being encrypted using your secret key and the XChaCha20 cipher with Poly1305 authentication. Your secret key is derived from your master password, which is hashed and salted using the Argon2 key derivation function.
Concerns about ECC cryptography
Elliptic curve cryptography has the big advantage of requiring much smaller key sizes, but its use is highly controversial.
Its existing known vulnerability to side-channel attacks and its theoretical known vulnerability to quantum computing attacks are worrying enough, but even more worrying is how easy it is to insert backdoors into the algorithm.
Despite such concerns, “the algorithm, as a whole, remains fairly secure” if properly implemented, which is a known problem. As an IASCA report on Elliptic Curve Cryptography notes.
“In a nutshell, a lot of things can go wrong while ECC is being implemented. There are numerous examples of how the failed implementation of ECC algorithms resulted in significant vulnerabilities in the cryptographic software.”
And being closed-source, there is simply no way to know how well ECC cryptography has been implemented in the NordLocker software. In fairness to NordLocker, though, the kind of attacks that ECC is vulnerable are unlikely to be part of most of its customers’ threat models.
Lockers, folders and individual files (which are converted into Lockers) can be shared with other NordLocker users via almost any means – by email, via a shared Dropbox folder, on a USB stick and various other methods.
Thanks to asymmetric public-key cryptography (ECC), only the intended recipient, identified by their email address, can unlock the Locker using his or her own private key.
Due to this, we assume that it requires some form of centralization in order to distribute customers’ public keys to senders.
If this is the case, then it explains why NordLocker works on a subscription model rather than being sold as a stand-alone product. But it also raises questions about whether NordLocker can keep a record regarding who sends files to who.
The website features a fairly simple FAQ and some troubleshooting guides. 24/7 live chat support is promised but was not available when this review was written. Instead, early adopters will have to rely on email support, which is already in place.
Ease of use
NordLocker is available for Windows and macOS. The Windows app requires the .Net Framework 4.8, which must be installed during setup if it is not already present on your system.
Once opened with your master password, a NordLocker container acts just like a regular folder. Files will be opened by their usual programs and seamlessly re-encrypted when changes are saved.
To encrypt files, just drag and drop them into an open Locker window. You will be asked if you want to keep the original or move it to the Locker-only. You can add user access for other NordLocker customers, which is particularly useful for sharing Lockers that are stored online.
To store a Locker online, simply upload it to your cloud service of choice. If you store a Locker in your cloud folder, then any changes made to files to it will be immediately mirrored in your cloud storage.
You can also share files and folders by converting them into new Lockers and then sharing them by whichever means you prefer. As already noted, this feature is still in the works at the time of writing.
In Windows, shared Lockers are simply saved so that you have to share them yourself manually, such as by adding one as an email attachment. The macOS app has slightly better OS integration, allowing to share Lockers using the built-in macOS sharing function automatically.
NordLocker is a very polished product. It looks great and provides arguably the easiest way we have seen to encrypt files locally or in the cloud and to share them with others securely.
We are not convinced that the use of Elliptic curve cryptography is the best choice, but the technical security used to protect your data is otherwise very robust. It’s just a shame that the app is closed-source, so we can’t really see what is going on or how well the security has been implemented.
Our other big concern is pricing. The encryption app space is already crowded, with plenty of excellent and fully open-source options available. We will say that none of these is as polished or versatile as NordLocker, but they are free and open-source.
NordLocker is not cheap (especially compared to free), and even as a commercial product its subscription model is a little jarring for what many would think of as a stand-alone product deserving a one-off price tag. But as we have already speculated, there may be reasons for this.
It would be nice to be able to access encrypted files from mobile devices, but we would be very surprised if iOS and Android apps are not in the works.
Overall, we think NordLocker is a very good product that offers a unique take on encrypting files locally and in the cloud. But it’s neither free nor open-source.