nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Encrypt Quicken File

Craig Vorwald

It is my understanding the actual Quicken file is NOT encrypted. If I am wrong, then disregard this request and advise.

I realize a password can be required to open a Quicken file, but that is not encryption. Attachments to accounts or transactions can be easily accessed without this password. Those more skilled than I would have a field day...

Ransomware schemes these days are getting worse, with the files being downloaded by the bad actor before invoking the ransom request. If the ransom is not paid (or hey, even if it IS paid), the intruder sells the files they have obtained. Without encryption, you and your family's future financial well being are potentially in jeopardy.

Thus this request. Time to make it harder for malicious actors to gain access to personal information stored in Quicken. I would actually pay MORE for a version of Quicken that supported this feature.

If people have come up with other ways to secure their Quicken files, I would like to hear it.

Thanks!

Find more posts tagged with

Reviewed

Status: Reviewed

Comments

Chris_QPW

For what it is worth the attachments are encrypted. There use to be an option to decide if one wanted them encrypted or not, but that was removed a few years ago and they are now always encrypted.

Chris_QPW

P.S. I should mention though, encrypting something isn't enough. One has to ask were is the key, and how can it be accessed?

If you open a QDF file with 7-Zip you will be able to get to the attachments, but like I said they are encrypted.

But if I open that QDF file in Quicken (which may or may not have a file password on it) I now can open any attachment. Clearly the encryption key is in the Quicken data file, ...

Chris_QPW

One other note. I think the main reason that "true encryption" isn't used for the data file is because to do so would mean that if the user loses their password there would be nothing Quicken Inc could do for the user to recover their data. And that isn't a position they want to be in given how people feel about their financial data.

Craig Vorwald

Thanks Chris. If just anyone can open the attachments (which they can using the process you described), then I really don't think that meets the definition of encryption for purposes of security. I can pick up that file, drop it on any other PC without Quicken software and open the attachments. As far as why there is no true encryption due to fear of password loss... the question becomes "lose your data, or lose all your money". Pick one. I chose data. At least I am in control in that situation, and I personally have it covered.

Perhaps this encryption I have proposed can be optional... like the password to the Quicken file is optional.

Chris_QPW

I think you misunderstood what I said about the attachments, they are encrypted from "external access" (but the key to decrypt them is in the Quicken data file). What I was getting at is given that you can get a Quicken data file open then you have access to descript/read them in Quicken.

And given that the data file can either have no password or one that Quicken Inc can remove, that isn't "true encryption" that only you can control the access to.

Note I'm pretty sure that the Quicken data file is "encrypted" or "scrambled" in some way. You can't just binary edit it to see transactions for instance. But with "true encryption" only you would have a key to unlock it, and besides that if you have ever used real encryption when you change the password it needs to encrypt the data again. There is no such thing happening for when you add a password or remove it.

Most people that are concerned with keep their data files in an encrypted folder.

Craig Vorwald

Hi Chris. No I'm not confused. If you "Extract" just the attachment folder using 7-ZIP and move the attachment folder to a PC that does NOT have an image of Quicken or an actual Quicken file, you can still open the attachments. It is my opinion there is no "key" in the actual Quicken file and that the attachments are not encrypted in any fashion. Maybe we can get the Quicken software folks to chime in.

Any suggestions on which software to use to setup an encrypted folder?

Chris_QPW

So I just tested again and:

Image: https://us.v-cdn.net/6031128/uploads/editor/4b/rzxqjkdqdqa9.png

And after extracting this file from the QDF.

Image: https://us.v-cdn.net/6031128/uploads/editor/cy/654iiibwuvkt.png

Craig Vorwald

Hey Chris. OK, this is weird, because I am able to extract PDF files from the 7-ZIP ATTACH folder to a thumb drive and they are totally readable valid PDF's on a separate PC that does not have Quicken installed on it. Not sure how to explain at this point. Maybe it has something to do with the age of the files??

Chris_QPW

Craig Vorwald said:

Maybe it has something to do with the age of the files??

How new is the PDF attachment?

One possible idea is that if it is really old it was attached unencrypted when that was an option. And when they switched over to not giving a choice/forced encryption the old attachments weren't touched.

I suppose it could also be a bug where your data file somehow got locked into "non encrypted".

Try it in a new data file.

Craig Vorwald

Bingo. Older attachments will open without difficulty outside of Quicken. Newer attachments (both jpg and pdf) will *not* open outside of Quicken (application states the file is "corrupt"). I don't have a clean way of determining the cutover date in my file, as the Attachment folder is over 1 TB is size, and 7-zip shows everything as having the same date.
Thanks!

Craig Vorwald

I took a different approach to this. I upgraded from Windows Home to Windows Professional. With that, you get the ability to encrypt particular folders. So I have encrypted my backup and live Quicken file folders. Windows encrypts and decrypts on the fly with no noticeable lag and no action required by the user.

Doing this however, it is important to extract the "key" to an external device (USB memory stick) such that should things go south, you can get things readable again on a different system.

Quicken Anja

Hello All,

The Community Support team regularly reviews long-standing posts and Ideas for relevancy and current interest. This Idea seems to have stalled and we would like to gauge the current interest in this request.

If you would like to see this idea implemented, please add your vote and a comment explaining how this idea would be beneficial for you. More information, including steps to vote and how to submit your own Ideas for future product features/improvements, is also available here.

Thank you,

Quicken Community Support Team

Andy Brace

My request would be for encryption of the backup. I would like to have it back up to the iCloud but am hesitant due to the lack of encryption.

DSVance

I would very much like to see the data file encrypted with some industry standard strong encryption (AES would be ideal), and not have the encryption password or key embedded in the data file anywhere. Yes - I recognize that if I loose my encryption/decryption password my data file would be unrecoverable and there is nothing Quicken could do to help - that's fine. As Craig Vorwald said - I would rather loose my data than loose all my money to a hacker. I'm not going to loose my password. Like many people these days I use a good password manager application to help me keep up with passwords, and I keep multiple copies of the password manager data file (itself encrypted) in multiple locations so that I CANT loose it.

Why would I want an encrypted data file? My financial data is important to me, critical in fact, and I would like to keep multiple copies of my Quicken file, in multiple different locations, to be sure that I don't completely loose the file to a hardware or software error somehow. I would likely keep at least three copies 1) home file server, 2) portable back-up drive 3) cloud back-up service ... However, I'm not comfortable doing that if the data file is not encrypted. More files means more exposure and more avenues for compromise. If the file is encrypted with something like AES (and not just obfuscated), then I don't have to be concerned. Even if an attacker gets their hands on the file there is nothing they can do with it.

Please elevate/escalate the issue of providing a data file encryption mechanism.

canoe32

I have never been able to determine how Quicken protects my data file due to their lack of transparency regarding what type, if any, of encryption is used. Therefore, I have to store my data file and backups on encrypted virtual drives along with other sensitive information. Having to decrypt my files before starting Quicken is a step I wouldn't need to take if I had confidence in the way Quicken stores my files. It's also the reason I don't use Quicken Mobile & Web.

billeye10

I too would like to see the data file encrypted (also). Give the user the option to encrypt and like most encrypting, the user accepts responsibility for passwords. I have decades of data in my Quicken for MAC. If I absolutely had to, I prefer rebuilding my Quicken from scratch rather than have it fall in to someone else’s hands.

Colldus

Quicken data files SHOULD be encrypted (using at least AES-128)!

For years, I've incorrectly assumed that Quicken data files were properly encrypted. Honestly, I feel deceived.

All aspects of Quicken software should meet or exceed industry standards for the security of financial data.

But, let's not go overboard. Requiring 2 Factor Authentication or causing Quicken to lock out after 5 minutes of inactivity would be taking things a little too far. Some people might actually like those options, which would be fine as long as they are optional. Quicken still needs to remain usable.

If file encryption were available, I'd certainly take advantage of it.

leishirsute

I think Quicken files should be encrypted, and like most other encrypted data performed by other programs, it is up to the user to worry about recovery of the encrypted data. I don't even trust cloud data management and encrypt any data before sending it to the cloud, like google cloud for example. Google and other cloud services make no promises of remedial compensation if cloud data was compromised by a bad actor on their side.

I can perform a Unix "strings" command on a quicken datafile and the first readable string that appears is the Quicken user online account login. Security names and the filenames also appear. Old email addresses and login id's for other websites also appear, which I suspect are from the Quicken address book. It is pretty hard to decipher the contents of a Quicken datafile.