Can I encrypt data in a way that it can be read normally but can't be copied or edited?



I want to share my 500 GB hard drive with a friend but I want to encrypt it in a way that all data can be read normally but cannot be copied or edited in any way.

Is that possible?


112Hollywood would kill for such a feature - and no, despite millions of investments, they haven't found a solution either. – MSalters – 2012-02-20T09:20:54.287

You would be able to know if he has modified the data but not whether he has copied it. – Ranhiru Jude Cooray – 2012-02-20T09:22:53.600

4What should "reading normally" without the ability to copy be? And what good should it make? – Nikodemus RIP – 2012-02-20T11:09:04.980

10Many, if not most, answers here ask the implicit or even explicit question "What do you really mean?". You might want to clarify your question, especially what you mean by "can be read normally" and "cannot be copied". – Zano – 2012-02-20T13:23:08.867

111Nice try, RIAA/MPAA! – Narayan – 2012-02-20T13:46:25.253

Out of interest, will quantum computing one day make this possible? – Rich – 2012-02-20T14:08:12.653

1@Rich Probably not. Copying a file is the same thing as reading it. Quantum computing can stop you from reading it twice, though. Also it can stop the wrong people from reading it. – Manishearth – 2012-02-20T14:35:47.707

2quantum computing will let everyone copy simultaneously regardless of location, think instant bittorrent. – None – 2012-02-20T15:45:12.893

7@JarrodRoberson: I hope you aren't serious. To the OP: can't you just supervise him/her? Why is it so important that they should be able to read so much data, but not copy it? What would they be able to do with a copy of the data that wouldn't be possible with the original? – James – 2012-02-20T16:09:20.067


We get conversations on this quite often over at Security Stack Exchange Have a read of this question and answers: Are there DRM techniques to effectively prevent pirating? for some useful information. The top scoring answer is by one of the mods over on Crypto Stack Exchange - but we have viewpoints from the cryptographic to the purely practical.

5You can stop him editing it. You can stop him copying to same medea; You can stop him writing anything to your disk. You do not need encryption for this, just remove write permissions. But to read is to copy, A copy is made from disk to ram, ram to network, network to ram (on other computer), ram to screen, screen to eye, eye to brain. – ctrl-alt-delor – 2012-02-21T14:28:36.620


No, but there are workarounds, although they tend to be expensive, take a long time and are likely to fail. For an example, see

2@AoeAoe: "Nobody with little brain could mean this serious." I think what you mean is "nobody with a basic understanding of digital systems could seriously think this." There are plenty of smart people out there that just don't know much of anything about computers and digital media. – None – 2012-02-24T07:02:11.847



If you can read it, you can copy it. A concept the RIAA or MPAA have yet to grasp.

What about special devices? /dev/null for example. – Michael – 2012-02-20T13:36:56.810

5@Michael There’s nothing special about special devices in this regard, the same applies. If you can read it, you can copy it. – Konrad Rudolph – 2012-02-20T13:40:53.890

@KonradRudolph If you try to copy for example /dev/zero your complete system will crash. It delivers an endless stream of zero-bytes. – Michael – 2012-02-20T13:52:36.853

There is really nothing to read at /dev/null or /dev/random. Its just random noise or zero's. You could just ask the friend not to copy the data. – Barfieldmv – 2012-02-20T14:11:38.860

3@Michael: And you can certainly "read" as much data from /dev/null and write it to another location. Once you've read data, the source can't control what you do with what's in memory. – Adam Robinson – 2012-02-20T15:01:27.617

10@Michael That depends on what you mean by “copy”. You can certainly copy from /dev/zero in a normal way (the normal way = dd, cat or whatever tickles your fancy). You can also copy from /dev/null, but it will copy zero bytes, simply because it’s empty: there’s nothing to copy. You are probably trying (and failing) to copy the device as a file. That of course fails, because it’s not a file. The same were to happen if you tried copying any other device, treating it as a file. – Konrad Rudolph – 2012-02-20T15:09:36.153

1@Michael That said, on my system at least you can even copy /dev/null and /dev/zero as files. I’m not sure what POSIX has to say about this but it definitely works. Oh, and yes, /dev/zero is endless which may cause problems if you copy to a space-limited target volume. So what? – Konrad Rudolph – 2012-02-20T15:13:00.033

2reading is nothing more than copying to memory and when in memory it is compromised at that point. – None – 2012-02-20T15:46:03.360

1cat /dev/zero > /dev/null – mariotomo – 2012-02-20T15:58:13.033

15I think it would be good to expand this answer a little. It stands at 136 upvotes and in essence isn't longer than a sentence, which isn't really an example of a "good" answer – at least in Stack Exchange terms. – slhck – 2012-02-21T14:07:12.667

9I'd considered doing that, but really I couldn't think of anything more that would need to be said. It's a really fundamental problem which demands a concise description, in my opinion anyhow. – Sirex – 2012-02-21T14:44:35.700

6@slhck: It's a pretty simple answer to a pretty simple question: Q:"Can I encrypt (or transform in any way) a piece of data so it cannot be copied?" answer: No. If you are able to read it, then what you are reading can then be written somewhere else. – KeithS – 2012-02-21T16:58:28.593

3@KeithS As you can see though, there's much more to this than a "No". One can give a concise description (a TL;DR) and still explain more. The other answers show some aspects that you could summarize, maybe. No obligation of course. – slhck – 2012-02-21T18:13:11.313

@slhck: All right then - see my answer to what is, essentially, the same question: ; I fancy to think that one is detailed enough. Although the OP was asking about digital video data there, the distinction makes no difference here.

– Piskvor left the building – 2012-02-21T19:36:12.063


A "copy" is defined as reading data and then writing the same data to another location. Since he's read your data into his computer, the data will be under his control at the time. He can then do whatever he likes with it.

The one thing that may be barely possible is to protect your data against unauthorized modification. You'd need an NTFS or similar filesystem. But even in that case, he'd be able to read all data, format your disk, clear any permissions, and write all files back - possibly modified.

[edit] 500 GB is just billions of numbers. Let me boil it down to a simple example: 5. That's one number. You can read it, and nothing I can do will prevent you from writing down that number. Nor can I prevent you from writing the number 6.


18+1 for explanation of copying. Also, your second point illustrates another well-known principle in computer security: physical access means "game over." If someone has physical control of your drive, they can do whatever they want with it. The only thing you might be able to do is prevent them from reading its contents by using strong encryption. – Nathan Long – 2012-02-20T14:00:27.827

17What you can do is cryptographically sign the original data, and then check afterward whether the data still matches that signature. If it does, you know it's not been modified. That's mathematically sound protection. But math cannot prevent another set of data based on the original (and optionally, subtly altered) from being created in the first place. – None – 2012-02-20T17:21:52.777

2500 GB is also one really really really large number – Anne Nonimus – 2012-02-21T23:32:51.327


Nope, it is definitively not possible.


23Well, you could stand behind the friend with a gun telling him not to copy the information. Not practical but definitely feasible. – Barfieldmv – 2012-02-20T14:12:55.877

3Barfieldmv: Your friend could set up the computer beforehand to automatically copy all information as it was read. – Skip Head – 2012-02-20T18:54:37.503



– orlp – 2012-02-20T20:34:24.503

4@SkipHead He might have even already copied the data when you weren't around. You should just shoot him and be done with it :D – Barfieldmv – 2012-02-21T10:56:36.987


Let's try to ask a little bit, do you want him not to modify files without your notice? If so, you could checksum all files and reverify.

Another way is a hardware write blocker, you may look here:


3I always wondered if cutting the pin n°23 on a PATA cable would do the trick, if so you just got a ~$800 boxcutter ^^ – Shadok – 2012-02-20T12:06:19.000

@Shadok: The price tag doesn't reflect the technical part - blocking writes for most modern drives is indeed technically simple (blocking changes to e.g. SMART attributes, now that's a different story). It's the "certification" business - see that "NIST Ver. 2 accepted" blurb? That's the whole point: you don't need to prove to a court that the device actually and reliably blocks writes (which can get, uh, somewhat expensive, even several orders of magnitude beyond that $800). – Piskvor left the building – 2012-02-20T22:59:17.140


Encryption is just math. Think about this for a bit and you will understand its capabilities and limitations better:

  • You can use math to verify a message is the right message, and was copied properly, without copying the entire message twice (simple checksums, you will run into them sometimes when downloading software).
  • You can use math to verify that someone who knows the magic number approved the message. (cryptographic signatures).
  • You can use math to scramble a message until someone with the right numbers comes along to un-scramble a message (encryption).

But you can't use math to stop people from copying a message down. That's just not something math can do. (Copying data is less 'math' and more 'physics'. :)

The closest that you can come is to use math to encrypt some data, use math to verify that a computer is only running the software that you want it to be running, and only then give the computer the magic number to decrypt the data, meanwhile making extra extra sure that software doesn't end up letting the magic number out or let anyone copy the data. This is trusted computing and is more or less what things like DVD players and video game consoles try to do. It is less than practical for most setups, and tends to end up being broken one way or another (e.g. 09 f9).


As far as I'm aware, there are ways to reduce the risk of data being altered on your hard disk, via software and hardware. However, once your friend has your hard disk, they could probably circumvent or override any write-protect methods, if they put enough effort into it. For example:

  • Write protect via jumper on the hard disk; jumper can be removed or changed (even if you solder the jumper in, solder can be removed)
  • Write protect via clipping or changing the hard drive internals; internals could be mended, or the disks themselves could probably be moved into a clean hard drive (possibly involving a lot of effort...)
  • Write protect via software; the data on the drive is just 1s and 0s at the end of the day - any block can be altered. If your friend is not worried about preserving the data, he could just melt the drive in a furnace. That would definitely alter the data...

As others have said, it's impossible to prevent copying, because if it can be read, it can be copied.

You could try asking your friend not to copy or change anything. Presumably, if they're your friend, they'd be happy to comply...


Prevent edits by copying

Although you can't let someone read your data and simultaneously prevent copying, there's a very simple way that you can easily prevent them from editing it: don't give them the original.

If you copy your data to a separate hard drive and keep the original, clearly the recipient of the copy can't modify your original.

This defeats your "can't copy" request immediately, but that's impossible to satisfy anyway.

Stream all drive content into a secure app that only allows viewing the data should be enough. A remote desktop to a secure machine can view everything but do nothing you disallowed. – Barfieldmv – 2012-02-20T14:15:51.753

@Barfieldmv - maybe true, but 1) streaming into a viewer app is a form of copying, 2) the remote desktop solution assumes there are no security holes there, 3) both of these are more difficult and more open to error than making a simple copy. If my hard drive is physically unavailable to you, I can guarantee you can't modify it. If you have some kind of network access, there's always a chance you know about a hack that I haven't guarded against. – Nathan Long – 2012-02-20T14:25:35.033

Streaming 100gig of movies in reduced quality might make it very impractical to 'copy' the actual data but might just be enough for the orignal poster. Decent network protection is offcourse a basic for the requested security and should be a given. – Barfieldmv – 2012-02-20T15:31:38.867


The No-cloning theorem may help you, if you had a quantum computer. However, imperfect cloning would still be possible:

The no-cloning theorem is a result of quantum mechanics that forbids the creation of identical copies of an arbitrary unknown quantum state. [...] Cloning is a process whose end result is a separable state with identical factors.

3However, that's data that you cannot read either. You can only destructively use such data. The question presumed data which was readable. – MSalters – 2012-02-21T08:51:16.827


As many others have pointed out, under normal circumstances "share and read normally" implies "can be copied", and the answer to your question is "no".

The only way to get to "yes" is to redefine "read normally" by changing the circumstances:

Lock your friend into a room, hand over a device on which you have entered a key, ensure the device has no I/O or network that could let copying happen, ensure your friend does not possess a camera or a photographic memory (with which to copy the display), retrieve the device and return it to a unreadable state, remove the device, then free your friend from the room. (Note, if they can examine the device in depth they may still find private or ephemeral keys, so "no I/O" means lack of physical access to the internals.)

Does that sound like "read normally" to you? If so, you're all set. I wouldn't count on making it a habit or building a business plan around the process, though.

1This happens with some larger bands' new albums - iPods locked in cabinets with security guards there. The idea being that reviewers can hear the album before its official release without the risk of a leak. It definitely happend with a Coldplay album. – Rich – 2012-02-21T12:30:16.773

@Rich: What stops them from implanting a recorder in a tooth? You can make copying harder when you grant read access, but you can never make it impossible. – Emilio M Bumachar – 2012-02-22T18:09:00.863

@EmilioMBumachar very true, but whether anyone's mad enough to go as far as that for Coldplay's next album is beyond the scope of this discussion :) – Rich – 2012-02-22T20:27:56.600


Reading IS copying.

Any data you access on any computer is a copy of the data on the hard drive, that has been copied into the computer's RAM (memory), not the actual data on the hard drive itself. If you really want to get deep, there are more intermediate copies throughout the hard drive controller and various subsets of computer memory, but that's just interesting for the technogeeks. When you visit a website, that website's server's hard drive information is copied to your computer's hard drive, and then to its memory, so it's an extra step deeper again. And I didn't even include the server's memory, or the data packets sending across the internet, among many other copy steps.

You are asking to allow something to take place and then not allow it to. It is possible, perhaps, in an extreme case of a Draconian society where everyone obeys government ruling against "copying". Read about Sony's attempt to do this here and how ugly it can get:


What you can do:

  1. Digitally sign each file (or, alternatively, a filesystem) so that any modifications will fail the signature and be invalid.
  2. Encrypt the filesystem so that nobody but you and your friend can view it.
  3. Provide your friend with a computer over which you have full control, to make it much more difficult for him/her to copy the data.

What you cannot do:

  1. Prevent your friend, if s/he can read a file on his/her own computer, from copying that file.
  2. Prevent your friend from digitally signing his own filesystem, unless you use a trusted third party to manage your authentication certificates.

What you should not do:

  1. Give sensitive information to someone you do not trust with it.


If a file can be read, it can be copied. After all, copying is the same as telling your computer to read your file and copy whatever it sees. When you read a file, its contents are loaded into the RAM. When you copy a file, the contents are loaded into RAM and written from RAM to HDD. Since the RAM isn't under your control, you can't stop the second step.

If there's only one (or a few) types of files you want to share (eg text, videos, ppts, etc), follow these steps (programming capabilities required):

  1. Prepend a bit of garbage data to the beginning of each file (use a program). The data should be easily removable in a predictable manner, and, if you want, make it derivable from the filename. For example, you can prepend the md5 hash of the filename to the file. To remove it, you just have to remove the hash. This step will make all files useless for your friend to copy, as they will not work normally.
  2. Use an API to write a simple (video|image|text|whatever other filetype you need)-viewer. Java would be nice (enough APIs out there).
  3. Program your fileviewer to remove the garbage data from each file before opening (note that it shouldn't remove it from the file permanently, just remove it from the copy it loads into RAM)
  4. Program your fileviewer to work only on the external hard drive. You can do this by interspersing system files in the HDD (use attrib +s +h on the Windows command line), and require these in your program startup. You can also make it not work if it is on the C: Drive (look at the current drivepath with File.getCanonicalNamespace)

    5.There you go! Your friend can view all files using the viewer, but the files themselves are next to useless.

The method won't work for text documents, but your garbage-creating algorithm can be made more sophisticated to garble the entire file in a reversible manner (rot13 is a simple example).

Neither would this method be advised if you have only one copy of the stuff. The garbling should be reversible, but, things can go wrong.

A bit of a bother to do all this, but the only way I can think of. It's exactly how Netflix and all make their online movies unstealable. They use their own formats (probably a lot more sophisticated than this), and they have their own viewer.

Write protecting can be done, but its easily crackable (whoever has the physical device has everything).

If you have a separate copy of these files, then using the above copy-protect method will automatically write-protect the files, as the user won't be able to edit the files subtly. He can delete them.

If you don't have a separate copy, then NTFS file systems have a read only option; but this is easily bypassed.


1Note that this program would still be hackable. Java.lang.reflect lets one lay a program wide open. Hopefully your friend won't go to that extent. – Manishearth – 2012-02-20T14:37:48.390


I would say no, just like everyone else above, but I can give a brief idea on how it can be done.

If every file on the hard drive was encrypted with a key, the data obviously could not be copied because it would not contain the unencrypted data. But if you somehow made the computer decrypt the data every time a read function is called from the computer, and encrypt the data every time a write function is called from the computer, I think it would work.

I also am pretty sure that speed would be a very big problem if a hard drive worked this way, but who knows, maybe we will see it in the future. Also, the thing about this is that anyone who really wanted to get the data on this hard drive could if they knew what they were doing, by just removing the encryption call every time a write function is called, leading to an unencrypted hard drive.

Anyway, that is just an idea, and I really don't see that being a very good solution in the near future.


Everyone...bear with me, this is an exercise in being naive.

I think the OP was asking for something simple. I also thing that if you propose such a profound question to a bunch of people, many will over think it.

The goal here isn't to prevent or guarantee them from doing anything. It's actually to make it so much work to get around what they want to do - that they'd rather give up or obtain it "the easier way" purchasing or whatever.

So the real question is: "How do I make things difficult for a friend of mine if he tries to copy these files."

IF we assume that your friend is the average person and not capable of reading memory and we assume they aren't going to read this post... :-)

As suggested above an API could work.
Remember anything read into memory is "obtainable".
Same can be said for the file system, obviously.

Off the top of my head, one could build an interpreter.
It's a loose concept, but one I think it would work fine.

If you don't want to write stuff yourself, then proceed no further.

Nerd Stuff

So encrypt your harddrive.
There are plenty of other threads on how to do that so I won't cover that here.
When you encrypt it, it only makes sense to be able to decrypt it.

You can use keys here. If you wrote a binary file, that contained the private key + a salt key that was unique (or really close to unique) to the hardware you were sharing - like the serial number of the device. The binary file would decrypt the files and read them in a wrapper.

So if the files and the binary were moved to another would just fail. Because the keys don't match up as expected.

Now - granted that a truly skilled person would probably still be able to get around this in a number of ways.

BUT - your average person, probably won't want to invest the time/effort/money.

Some light reading:

Some software (so you can play around with encryption):

The easiest kind of "wrapper" you could build is an Adobe Air app...

This will work across platforms (in theory).
The barrier to entry into this kind of programming relatively low.

I hope this helped in some small way.

The real question is: "How do I make things difficult for a friend of mine if he tries to copy these files?" The sort of answer the OP might be looking for is, for example, convert all your text documents to PDFs (or go medieval on his a** and convert them to JPEGs or TIFFs). While these files can be copied, recovering the original text in a usable form requires a little bit of effort. – Scott – 2014-08-06T15:56:03.987


Not trivial with digital data, thanks to great open source tools around. However you can create your own encrypted format which is hard to break for copying purposes. Think DRM protected content.


The best you could do is to use some kind of checksum, MD5 hash, or similar, to be able to at least detect if something was changed on your hard drive. You can't stop anyone from modifying data on the drive if they have physical access, but you can make them promise not to do so, and explain to them that you will be able to detect if they did.


No. You can use a write protected medium to prevent editing, but if data is readable, one can always store the read stream someplace else to reproduce it.

You can of course go some extra miles by requiring an online-connection enforcing decryption routine, but even then the user can simply log the servers response and fake the internet.

You can go quantum and try to apply the no-cloning theorem, but since the read data will still be accessed in a classical way, the output can once again be copied.

In short: Don't waste time trying to protect readable data from copying and invest it in something useful instead. Going to the cinema, for example.

You can share your harddrive via LAN. That way he'll be not having physical access to harddrive. You don't need to encrypt it at all for this. Just set the permissions right and you are on your way.

You can setup SSH. Google on how to setup SSH in your platform. There are many software packages available to share data between computers.


1so what? He can simply log the network stream to reproduce the data – Tobias Kienzler – 2012-02-22T12:49:51.343