Boxcryptor Review – safer cloud storage?

With the demise of Safe Harbour rulings, your online life has become a little less secure – is Boxcryptor the answer to the security needs of Cloud based storage?

With cloud storage, files are easily available to you where ever you may be and at any time of day.  They are backed up, replicated and made highly available by servers and services all around the world.  But in this one of the key problems of ownership of information is surfaced.  If the US has your data, it can see read and profile it.

Of course, many other countries do this too, but the vast investment from the US government in profiling and the location of many of the technology companies within the US puts the conspiracy theorists on high alert.

I much prefer a world where information has little value, shared to the point of openness and respected for the betterment of us all.  But this is not a shared view at the moment and for those on that journey, they want to keep parts of their digital lives as secure as they can.  For business too, information may be critical to the money needed to fund and sustain the business.

So for this group there is technology that helps to keep personal information secure.  In this review, I am looking at how to secure files stored in the cloud.  This could be as simple as payslips or as personal as a journal, either way putting them into the could opens them to a higher risk of compromise or personal profiling.

boxcryptor review

Of the cloud storage providers, some say they are more secure (such as Box) and others security at rest and in transit; none of which protects you from the loss of Safe Harbour and the potential for the US to just take your data.

So if the cloud storage providers can’t help, where else can you turn?  There are a newer generation of ‘on disk’ encryption products that aim to provide an additional level of security on-top of the files shared in the cloud.  Boxcryptor is one of these and thankfully is based within the EU.

Quite simply, the product takes files stored in cloud locations and encrypts them (and optionally their file name) to stop general snooping of sensitive files.  It uses AES-256 and RSA encryption algorithms and offers ‘personal’ and ‘enterprise’ versions.

Term Description
File key AES encryption key used to encrypt or decrypt a file. Every file has its own unique and random file key.
User keys Every user has its own pair of RSA-4096 keys (private and public) and additional AES-256 keys.
Password key An AES encryption key derived from a password using the key stretching and strengthening function PBKDF2 with HMACSHA512, 10.000 iterations and a 24 byte salt.
Group key Similar to users, every group has also its own pair of RSA-4096 keys (private and public) and additional AES-256 keys. Furthermore every group has its own unique and randomly generated membership key.
Company keys A company can have its own pair of RSA-4096 keys (private and public) in case the master key policy is used.

For the enterprise version there is centralised master key and password change facilities, for personal and company versions there are no routes to recover lost keys and passwords (which is a very good thing).  Impressive is what Boxcryptor claim to keep on their key server:

  • General information (email, first name, last name, country, etc.)
  • Private RSA key (encrypted with the user’s password)
  • Public RSA key
  • AES keys (encrypted with the user’s password / wrapping key)
  • Hash of the password hash
  • Number of KDF iterations used in the key derivation functions
  • Salt
  • If a company uses the master key: Password Key (encrypted with the company’s public RSA key)

There are client apps for just about every platform, starting from Windows and Mac OSX, to iOS, Android, Chrome, Blackberry and even Windows Mobile (now that is showing commitment).  I’ve tried all but the Blackberry client and they all offer the same, simple interface with little fuss and little complexity.

First time set up is simple, install, select the cloud platforms to encrypt and depending on the version turn on filename encryption (something not available to the free version). New files stored on the Boxcryptor drive are automatically encrypted and existing files can be encrypted by right clicking on the files in Explorer or Finder.

boxcryptor review - encrypt filenames

Boxcryptor supports just about every cloud storage provider I can think of:  Google Drive, One Drive, One Drive Business, Dropbox, Box, Amazon S3, CloudMe, iCloud, SugarSync, Yandex to mention just the obvious names.

Whilst the standard encryption makes the contents more secure, the additional filename encryption scrambles the file names making it impossible to see the original names.  Viewing through a normal finder window shows the following:

boxcryptor review - encrypted filenames

Viewing through the Boxcryptor drive or app however looks completely normal.

This is perhaps the easiest and most convenient security app I have ever used.  If there is a single thing you do to secure your digital world, it should be to buy this app or use the free version and see how easy it is to provide a good level of security for your personal or sensitive files.

My recommendation:  this is the must have security app for cloud storage.  If you have not tried it download Boxcryptor (affiliate link) now.

8 Responses

  1. It would be courteous to mention that you are using a referrer link to boxcryptor which gives you benefits as more people sign up.

  2. Is it a good idea to have Boxcryptor keep both the public key and the private key on their server?

    1. Given the general consumer nature of the product, it makes sense that it is simple and easy to use with little or no complexity of configuration (and potential for error or poor setup). It appears that the key is generated locally and encrypted with your local password before being uploaded to the Boxcryptor servers. The password itself is not stored or passed to Boxcryptor (a hash of the password is used), so assuming a good quality of password is used, it would be a right pain to try to break it. Not likely to be good value route to obtaining the data. As a step above doing nothing, it’s amazing, is it for the LUGA type organisations – no.

      1. Yes, exactly as you wrote. Even the Boxcryptor staff cannot get your password. In Germany there are strong laws to protect privacy, if they were intimated by justice to hand over an user’s data, they would be giving the encrypted information which is a problem for an investigation. As long as you have no obligation to make proofs against yourself, you can deny giving your password to police (depending on the situation).

    2. There is no problem because your private key is encrypted, without your password it’s useless. The public key does not need to be encrypted once it’s used to encrypt only.

Want to say something interesting?