Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor is a solution that helps with this by encrypting your data on your device before it gets synchronized to the cloud storage provider of your choice.
Zero-knowledge encryption
Boxcryptor is a zero-knowledge service provider, as all the private and sensitive information is always stored in an encrypted form and protected by the user’s password, which is never sent to the company servers.
From the technical specifications, it is clear that passwords, password keys and file keys never leave the user’s devices. The user keys, group keys and company keys are always encrypted and are stored on the Boxcryptor Key Server.
When it comes to the decryption process, the password is used to unlock the private key, as well as the wrapping key which is used to unlock all other keys in the system. The only types of keys stored in plain text on the Boxcryptor Key Server are public keys.
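The key chain described above (password, then wrapping key, then the keys kept encrypted on the key server), as an added example that is not Boxcryptor's code: it models only the symmetric part, leaves out the private/public key pair, and uses an HMAC-SHA256 keystream with encrypt-then-MAC as a standard-library stand-in for a real authenticated cipher. The function names, the record layout and the stored salt are assumptions made for illustration.

```python
import hashlib, hmac, os

def password_key(password: str, salt: bytes) -> bytes:
    # Derived on the device; the password itself is never sent anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _subkeys(kek: bytes):
    # Separate encryption and MAC keys derived from the key-encryption key.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); use AES-GCM in practice.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek: bytes, secret: bytes) -> bytes:
    enc, mac = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(enc, nonce, len(secret))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def enroll(password: str):
    """Client side: returns (record for the key server, plaintext user key)."""
    salt, wrapping_key, user_key = os.urandom(16), os.urandom(32), os.urandom(32)
    record = {
        "salt": salt,  # assumption: the salt is stored alongside the wrapped keys
        "wrapping_key": wrap(password_key(password, salt), wrapping_key),
        "user_key": wrap(wrapping_key, user_key),
    }
    return record, user_key

def unlock(password: str, record: dict) -> bytes:
    """Client side: password -> wrapping key -> user key."""
    wrapping_key = unwrap(password_key(password, record["salt"]), record["wrapping_key"])
    return unwrap(wrapping_key, record["user_key"])
```

The server-side record holds only the salt and wrapped blobs, so a wrong password or a modified blob fails the MAC check instead of yielding a key.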
Boxcryptor currently supports two-factor authentication through Duo Security integration. This is only available for Duo Enterprise users, so if you are on a free or paid Duo Security Business plan, you won’t be able to use the feature – for now. The team at Boxcryptor told me they are working on moving on from Duo and expanding the two-factor authentication feature in the near future.
Encryption “Made in Germany”
Boxcryptor isn’t a secure cloud service, but an added security layer for one of the supported cloud providers. They currently support 24 providers.
The software is available for Windows, Mac OS X, as well as all the most common mobile platforms (iOS, Android, Windows Mobile). There’s also a beta version for Chrome, but due to the complex nature of running this type of a service inside a browser, it’s currently a bit buggy.
As Boxcryptor boosts security for the data stored with other providers, you’ll need to have the client app of the provider installed on your computer. In the newly created Boxcryptor folder, you’ll find sub-folders for each detected cloud storage provider. Right-clicking any of the files will open the Boxcryptor menu. After encrypting a file, it will take a second or two for the cloud provider client application to detect the change and perform the sync.
An important feature of Boxcryptor is the ability to share files with users and groups. You can select a specific user or create a group that will include selected users. I had some slight issues with sharing files over Google Drive, but everything worked OK when I tested Box.
The company account administrators can use the web interface to perform customization. Through the interface they can manage and view users and groups, analyze their activity, set up notifications for failed attempts, and tighten up security by setting up different security policy elements.
Key export
When assessing whether to use an online service that will manage your data, you need to evaluate risks, such as the provider going out of business, and be comfortable with the level of trust. Most users don’t read the endless Terms of Service documents, but the service you are using can shut down tomorrow and you can lose data.
By the way, our editor-in-chief is one of those guys who reads the fine print, so for more info check out his 2013 analysis titled Can you trust your online backup service?. The 2016 update to the article will be coming soon.
The Boxcryptor team is well aware of the high level of integrity they need to provide to their users. They even thought about the worst case scenario: what if the company ceases to exist? I assume that, in this day and age, any web service that is shutting down would notify users in advance in order to minimize problems, but I like that Boxcryptor immediately provides a “Key export” function.
When using the service, the keys are securely stored on their servers, but you can also download the key and feed it to the Boxcryptor application manually. This means that in case of some major crisis, if you’ve exported the key you will be able to encrypt and decrypt your data at any time. For the most paranoid of you who just read that and thought “Why shouldn’t I use a local key by default?”, keep in mind that you would miss all other features discussed in this article.
Boxcryptor for iOS
The iOS application provides the option of reading encrypted documents on your mobile device. Through the app, you need to authenticate with the cloud provider of your choice and this will enable you to decrypt and view your secure files by “calling” the Boxcryptor app. The app looks nice and worked perfectly.
Privacy
The zero-knowledge relationship between the user and the company behind Boxcryptor stands on high ground. While not directly connected to the security aspects of Boxcryptor, one privacy-related issue bothered me a bit. In the “Updates” section of the settings screen, there is a checkbox, selected by default, that says “Automatically send Diagnostics and Usage Data”.
From the privacy policy linked from that screen, and the feedback I got from the developers, this data is collected only to get insights on how the software is used and what could be improved. I know that many software providers are keen to get this type of data, but I don’t like it when a hardcore security product does this by default.
Documentation
When you trust a company to build a security layer over your data, you want to know as much as possible about the inner workings of the service. I’m glad to see that Boxcryptor documentation is rather extensive. Besides the usual PDF manual that depicts product installation and usage, there’s a technical overview of the service, as well as an extensive support section that covers a large number of topics.
Boxcryptor plans and pricing
Boxcryptor uses three paid tiers for their product:
- Unlimited Personal (36 EUR per year) works on unlimited cloud storage providers and supports an unlimited number of devices.
- Unlimited Business improves on the previous tier with support for group management and sharing. The price is 72 EUR per year per user.
- The top tier, called the Company Package, enables Boxcryptor as the data encryption solution for your entire team, and you can enjoy the following options: Active Directory support, usage of company Master Key, compliance guidelines customization, centralized user management, auditing and encrypting network shares. Company tier pricing starts at 6.40 EUR per user per month.
If you want to test the solution, there is a free single user licence that works with one cloud storage provider and can be used simultaneously on two devices.
Final thoughts
Some will find Boxcryptor a terrific solution because it can work with their current cloud storage provider, and others, interested in a more integrated solution, will see Boxcryptor’s “add-on” approach as a minus. Putting aside your preferences, Boxcryptor is a very good system that is easy to use and offers some strong possibilities related to locking down access to your encrypted data.