
BoxCryptor: A TrueCrypt Alternative Designed for Dropbox Security

BoxCryptor - Fast and easy encryption for your data

Here at groovyPost we like keeping our data safe. We use everything from basic methods of protection, like a password, key, or hidden directory, to heavy encryption and professional solutions to keep our data out of the wrong hands. Today we’ll review an incredibly easy-to-use encryption tool called BoxCryptor.

Note from groovinJackman: This groovyReview has been in our hopper for some time, but I thought I’d push it up in the queue in light of the recent major Dropbox security SNAFU, where accounts were left wide open for as long as four hours due to an authentication bug. Dropbox and the blogosphere are now recommending adding an additional layer of security to Dropbox and other cloud services by using TrueCrypt, a groovy open source encryption software that we reviewed earlier. But if there’s one major drag about TrueCrypt, it’s that you have to keep everything in volumes/containers that have to be mounted in order to get at your stuff. If that bugs you, then you should check out this TrueCrypt alternative: BoxCryptor, which uses file-by-file encryption.

Downloading, Versions, Prices and Information:

You can quickly grab a copy of BoxCryptor from the official BoxCryptor download page and check out this amazing software for yourself. It comes in three versions: a Free version, limited to 2 GB of encrypted directory size and one computer, and the Unlimited Personal and Unlimited Business versions, which offer unlimited encrypted directory size and up to 4 installs on different computers. The only difference between Personal and Business is that Business allows commercial usage and Personal doesn’t.

BoxCryptor free vs. business

 

BoxCryptor Setup and Installation

As you know, our entire groovyPost team uses Dropbox for whatever files, documents, spreadsheets and video tutorials we need to share and host on the cloud. So we were pleasantly surprised by the first message BoxCryptor gave us after the install:

BoxCryptor + Dropbox Integration

Do we? Of course we do! The nice integration with Dropbox in BoxCryptor definitely saved us some time that we would have otherwise had to dedicate to configuring. Anyway, after pressing yes on the dialog you are left with the following window, from which you can also pick your BoxCryptor drive letter. I decided to use K – kind of like a groovy Internet slang – Kryptor.

 password protect dropbox folders

You can also reach some more advanced settings, by checking Advanced Mode. When you enable it, you’ll get a brief warning:

advanced boxcryptor options

Nicely said. Well, anyway, we’re pretty confident that we know what we’re doing so we’ll go ahead and Enable Advanced Mode with a big Yes. With advanced mode, you can enable or disable key and write validation, disable automatic updating and change the label for your BoxCryptor drive. Not many additional options, but just enough to give us a bit more customization flexibility.

boxcryptor setup

After choosing your desired location and configuring any additional preferences, you can move on. BoxCryptor will have you choose a password which you will use to access your encrypted documents. Do not lose your password—currently, there’s no way to recover your BoxCryptor password.

If you want to, you can choose an encryption algorithm, block size and whether or not you want to encrypt filenames as well. If you don’t know what this means, leave the first two options at their default settings. You may want to disable filename encryption, as it makes it a bit easier to keep track of individual files when sharing them publicly or with another Dropbox user.

boxcryptor dropbox password protection

 

Encrypting Your Dropbox Folder with BoxCryptor

If you are using Dropbox, BoxCryptor will create a folder in your Dropbox folder where the encrypted data is stored. To add encrypted files to this folder, simply move them to your mounted BoxCryptor drive (not the BoxCryptor folder in your Dropbox folder).

adding boxcryptor encrypted files to dropbox

When you put files in the mounted BoxCryptor volume (K:\), the encrypted version will automatically be placed in your Dropbox folder. Resultant filenames will look like this:

encrypted dropbox files from boxcryptor

And the contents will look like this:

 aes encryption on dropbox

And here is a side-by-side comparison of what files look like when encrypted (left) and what they would normally look like to you (right):

public encrypted sharing

Sharing Encrypted Files Across Computers

If you want to work with a BoxCryptor encrypted Dropbox folder on two machines that you use regularly (e.g. a work computer and a home computer), simply install BoxCryptor on both machines. When you install BoxCryptor on the second machine and tell it to use the existing BoxCryptor location on your Dropbox folder, it’ll prompt you to enter the password that you set up earlier. Now, you’ll have the unencrypted K:\ drive on both computers.

sharing boxcryptor files

If you want to access your encrypted files on a guest machine or another infrequently used computer, you can use the BoxCryptor Portable version. It’s a simple .exe that you can run on your desktop to load encrypted directories without installing the full version of BoxCryptor. This is also handy if you want to share encrypted files via email or public links: give the recipients the password separately, e.g. over the phone or in person, and then feel free to send them the encrypted files, which they can decrypt on-the-fly.

The best way to do this is to send entire zipped directories, because BoxCryptor gets a little finicky if you take an encrypted file out of its original folder. Because of this limitation, I guess it’s not a whole lot different from mounting volumes.

 boxcryptor portable

You can also save BoxCryptor Portable onto a thumbdrive or in your Dropbox folder so you’ll always have it with you. Just remember to keep your password secure!

If you want to share encrypted files with Mac or Linux users, have them set up EncFS, which can decrypt BoxCryptor folders.

There’s also a BoxCryptor Android app in the works, which will be the first of its kind. Can’t wait to check it out.

 

The Verdict:

truecrypt vs boxcryptor - groovypost approves both!

While TrueCrypt is probably the cloud encryption tool of choice for most users, it’s not exactly optimized for things like Dropbox and SugarSync. BoxCryptor gives a nice variation on the theme by attempting to offer a more file-by-file approach. There’s room for improvement, but so far, the software is slick and promising. Its integration with Dropbox is already smooth and it’s great to know that the developer is placing a priority on cloud-based encryption. Definitely worth a download.

21 Responses to BoxCryptor: A TrueCrypt Alternative Designed for Dropbox Security

  1. Symes July 4, 2011 at 4:27 am #

    Have tried this out. Works great in terms of beefing up security on dropbox and all seemed perfect until I tried to download a simple Word file from dropbox website that had been encrypted with Boxcryptor and to then decrypt it. I tried to decrypt it using the portable version of boxcryptor and also tried moving the downloaded version into the boxcryptor drive. Unfortunately it either failed to decrypt or the file was otherwise corrupt – in any event I could not open that file on Word. It’s quite possible that I am doing something stupid but until I can see that it is possible to actually download and decrypt your files from dropbox in the event of a data loss on your hard drive, this seems of little use. If anyone knows what I am possibly doing wrong then please tell me!

  2. Robert F. July 4, 2011 at 10:23 am #

    Hi Symes,

    Robert from BoxCryptor here. When you download an encrypted file from Dropbox’ web interface, you have to place the downloaded file into the source folder (e.g. Dropbox\BoxCryptor) and NOT in the BoxCryptor drive. Always remember: source folder = encrypted, drive = plaintext

    Note: BoxCryptor (and also EncFS) uses a configuration file (.encfs6.xml) in the root of your source folder. This file contains all the information required for encrypting or decrypting your files. You always need that file! So if you’re on a foreign computer and use BoxCryptor Portable, you also have to download the .encfs6.xml file to the root of your source folder.

    • John July 4, 2011 at 1:38 pm #

      Hi Robert,

      Isn’t the fact that the .encfs6.xml file is stored in the dropbox a security problem? If your dropbox is hacked, the hacker gets this file. Can you explain in detail why this isn’t a problem?

      • Robert F. July 5, 2011 at 12:31 am #

        Hi John,

        no, this is not a security problem, because the important part (the volume key) of the .encfs6.xml is encrypted itself. BoxCryptor uses two keys for file encryption: a master key which is derived from a user supplied password and a volume key.

        All files are encrypted with a volume key which is generated when a new encrypted directory is created. The volume key is stored encrypted by the master key in the .encfs6.xml file. When BoxCryptor mounts an encrypted directory you have to enter the password. The password is used to derive the master key and the master key is used to decrypt the volume key which is then used for file encryption.

        • John July 5, 2011 at 9:19 am #

          Thanks for the response, Robert. So isn’t it safe to say that when the .encfs6.xml file is stored in the dropbox, the only thing protecting your data from decryption in the event of a hack or government subpoena is the user supplied password?

          • Robert F. July 5, 2011 at 11:26 am #

            Yes, the user supplied password is the only thing protecting your data, just as for most other encryption tools. It’s always good to use “good” passwords (many characters, no dictionary words, etc.)

            We use PBKDF2 (see http://en.wikipedia.org/wiki/PBKDF2) with HMAC-SHA1, a salt and 5000 iterations to derive the master key from your password. This can be considered to be secure nowadays. (e.g. TrueCrypt uses only 1000 resp. 2000 iterations)

    • MrGroove August 6, 2011 at 7:51 pm #

      @Robert – I’ll tell you what I’m looking for…. I’m looking for a dropbox encryption application which will encrypt my data as it’s moved up into the cloud using a KEY I create. Even a passphrase would be fine.

      I would then like to be able to install an iPhone App so I can still sync that encrypted data and access it on my iPhone.

      Right now if I can’t get to my dropbox data on my iPhone, I don’t have a reason for dropbox…. That’s my primary use case that I love about dropbox!

      Help!

  3. Symes July 5, 2011 at 12:58 am #

    Thank you for the clarification, Robert, I have tested your instructions for decrypting files recovered from dropbox and can confirm that it works!

  4. Ray July 6, 2011 at 7:00 am #

    Just to make sure I understand some of the limitations, if I encrypt a file through Boxcrypt through Dropbox and that file is remotely accessed on Dropbox (without Boxcrypt programing), can it be deleted? I can see that the file is encrypted, but I’m wondering if the encrypted file can be deleted. If so, then the encf file can also be deleted. Not sure of the ramifications of that file being deleted.

    • Robert F. July 6, 2011 at 9:31 am #

      Hi Ray, yes, someone with access to your Dropbox can delete the encrypted files and also the .encfs6.xml configuration file. BoxCryptor and other encryption tools only prevent unauthorized read access, we can do nothing to prevent someone from overwriting or even deleting your (encrypted) files if they have write access.

      If the .encfs6.xml is deleted (either by accident or with intent), you lose complete access to your encrypted data, because the key for en-/decryption is stored in this file (as explained above). As with all important data, I recommend having a good backup strategy.

  5. Ray July 6, 2011 at 10:28 am #

    Thanks for the reply. As always a good “backup” strategy is the best.

  6. Christoph October 12, 2011 at 1:22 pm #

    Hi!
    Can someone say something about how using boxcryptor affects the various other functions of dropbox, especially the recovery function, which allows me to restore any version of a file that I stored during the last 30 days? This is very useful when you are editing a document and saving versions every couple of minutes so that you can always go back to a previous one. Does this work with boxcryptor?

  7. Robert F. October 13, 2011 at 2:57 am #

    Hi Christoph,
    as BoxCryptor operates on individual files, the advanced features of Dropbox (like version history, undeleting files, etc.) can still be used without any problem. But you have to choose if you want to use filename encryption or not. In order for the best experience regarding these features you can disable filename encryption.
    –Robert

  8. Eldadh October 15, 2011 at 10:20 am #

    Hello,
    I would like to ask, is there any Dropbox encryption that has an Android App as well?
    For computer and mobile use?

    • Robert F. October 18, 2011 at 2:23 am #

      Hi Eldadh,
      BoxCryptor has an Android app which allows you to access your encrypted documents also on your Android device.
      –Robert

  9. Josh November 15, 2011 at 8:14 pm #

    Hi Robert,

    I’m curious, you indicate that the .xml file contains the actual key used to encrypt the data, and that your password encrypts the .xml file. Is this a correct understanding?

    My main question is, if my assumptions are correct (which they may not be,) if the .xml file contains a key that is never changed (and is protected with the user password,) and then you change the password (say to a more secure password,) if someone obtained an old copy of the .xml file and the password, they would still be able to decrypt the data?

    Just curious, as I’m likely to change my password soon once I remember a stronger one.

    Josh.

    • Robert F. November 16, 2011 at 12:22 am #

      Hi Josh,

      Yes, this is correct. Your password encrypts the volume key in the .xml file.

      And yes, your assumption is correct. If you have an old copy of the .xml file, you can still decrypt the files using the old password, because the volume key is not changed (it is just re-encrypted with the new password).

      In the latest version of BoxCryptor we introduced a command line switch where you can specify an alternate location of the .xml file. You could then store the .xml file outside of the encrypted folder so that it is not synced by Dropbox and transfer it by-hand to the other computers. (But this breaks compatibility with our mobile apps right now.) You can find more info here:

      http://blog.boxcryptor.com/boxcryptor-for-windows-v11-is-available

      –Robert
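The key hierarchy Robert describes in this thread (password, PBKDF2-derived master key, wrapped volume key stored in .encfs6.xml) and the password-change behaviour he confirms above, as an added example that is not BoxCryptor's or EncFS's own code. The wrapping step is a toy HMAC-based stand-in for the real cipher, and the function names, dict fields and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 5000  # PBKDF2 iteration count quoted in the thread

def derive_master_key(password: str, salt: bytes) -> bytes:
    """Master key = PBKDF2-HMAC-SHA1(password, salt, 5000 iterations)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, dklen=32)

def keystream(master_key: bytes, length: int) -> bytes:
    """Toy stand-in for the real wrapping cipher (assumption, not EncFS's scheme)."""
    blocks = (hmac.new(master_key, b"wrap" + bytes([i]), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap_volume_key(volume_key: bytes, password: str) -> dict:
    """Build a stand-in for .encfs6.xml: salt plus password-wrapped volume key."""
    salt = os.urandom(20)
    mk = derive_master_key(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, keystream(mk, len(volume_key))))
    tag = hmac.new(mk, wrapped, hashlib.sha256).digest()  # lets unwrap detect a wrong password
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_volume_key(config: dict, password: str):
    """Return the volume key, or None if the password does not match this config."""
    mk = derive_master_key(password, config["salt"])
    tag = hmac.new(mk, config["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, config["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(config["wrapped"], keystream(mk, len(config["wrapped"]))))

def change_password(config: dict, old_pw: str, new_pw: str) -> dict:
    """Password change as described: the same volume key is re-wrapped, not replaced."""
    volume_key = unwrap_volume_key(config, old_pw)
    if volume_key is None:
        raise ValueError("old password does not unlock this config")
    return wrap_volume_key(volume_key, new_pw)

def demo() -> dict:
    old_pw, new_pw = "constructed-old-pass", "constructed-new-passphrase"
    volume_key = os.urandom(32)  # generated once, when the encrypted folder is created
    old_cfg = wrap_volume_key(volume_key, old_pw)
    new_cfg = change_password(old_cfg, old_pw, new_pw)
    return {
        "new_cfg_new_pw": unwrap_volume_key(new_cfg, new_pw) == volume_key,
        "new_cfg_old_pw": unwrap_volume_key(new_cfg, old_pw) is None,
        "old_cfg_old_pw": unwrap_volume_key(old_cfg, old_pw) == volume_key,  # retained-copy risk
    }

if __name__ == "__main__":
    print(demo())
```

Because the file-encryption key never changes, a retained copy of the old config keeps working with the old password; only a new volume key with re-encrypted files would invalidate it.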

  10. Mouse April 21, 2012 at 10:07 pm #

    Are we likely to see a version of BoxCryptor running on iOS and/or Android devices? Please?

  11. Mouse April 22, 2012 at 6:01 am #

    Actually – silly me, I should’ve checked first. There are BoxCryptor versions for both Android and iOS. I’ve tested them on iOS v5.1 and Android Gingerbread (2.3.5), successfully exchanging files with Mac OS X (using EncFS there).

    Would be nice if BoxCryptor supported the later EncFS features, particularly IV chaining and such. But to begin with, I’m very happy there is such a solution that allows me to securely exchange files through Dropbox between multiple platforms.

    Thank you, BoxCryptor creator!

  12. Rob June 22, 2012 at 8:26 am #

    Hi there,
    I’d appreciate guidance here, I recently brought BoxCryptor into my Dropbox life and I used to be able to access and free up space by the cache on my Mac. Now I can’t access my Dropbox cache, I’d like to know where has it gone and is it protected and can I get into it to maintain it?

    Thanks!
