- New Boxcryptor for macOS Beta
- Boxcryptor is Using a Lot of CPU
- Boxcryptor is Slow
- Icons or the Context Menu are Not Shown
- How to Create a Debug Log
- I Cannot Connect to the Boxcryptor Servers
- How Do I Uninstall Boxcryptor?
- Where can I download Boxcryptor Classic?
- What happens if Boxcryptor goes out of business?
- Advanced Client Configuration
- Outdated Clients
- Cannot open some files
- Legacy System Extension
- Apple Chip-Support
- What is a FolderKey.bch and a .bclink file
- Recover Account Access if Second Factor (2FA) is Lost
FAQ & Troubleshooting
New Boxcryptor for macOS Beta
Which macOS versions are supported?
The new Boxcryptor for macOS Beta only supports the latest macOS 12 Monterey. Versions prior macOS 12 Monterey (e.g. Catalina or Big Sur) are not supported.
Which Macs are supported?
All current Macs, e.g. MacBook Air & Pro, Mac mini & Pro or iMac, with Intel and Apple Silicon (M1) processors are supported.
Where can I get the Beta?
The Beta is available via Testflight. Follow these steps to install the new Boxcryptor for macOS Beta:
- Install Testflight from the Mac App Store: https://apps.apple.com/us/app/testflight/id899247664
- Install Boxcryptor via Testflight (Link only works in Safari): https://testflight.apple.com/join/DA2T1TyF
Are special instructions required for the installation?
No, the new Boxcryptor for macOS Beta is a native “File Provider” app which works “out-of-the-box" on modern macOS operating systems. Because it does not use a kernel extension anymore, it is not required to modify the Mac's Security Policy and the installation does not require rebooting the device. Additionally, the app is now fully utilizing the macOS sandboxing security mechanism.
If you changed your Mac’s Security Policy to Reduced Security due to a previous Boxcryptor for macOS version, you can revert this policy back to Full Security when you exclusively use the new Boxcryptor for macOS Beta by following these steps:
- Reboot your Mac into Recovery Mode
- Open Utilities -> Startup Security Utility
- Select and unlock your system volume and click Security Policy...
- Choose Full Security
- Restart your Mac
Can I use the Beta for production data?
No, we recommend not to use the Beta on production systems or with production data. The Beta is a pre-release software which may contain errors or inaccuracies and may not function as well as a final version. Be sure to have backups of the data you’re using with the new Boxcryptor for macOS Beta.
With the Beta, we want to give interested users and customers early access to the future of Boxcryptor and users can give us early feedback and an opportunity to shape of Boxcryptor for macOS.
Where are files encrypted?
As you expect from Boxcryptor files stored in the cloud are always encrypted and encryption is performed locally on your Mac all the time. Only encrypted files leave your device.
However, in contrast to Boxcryptor for macOS in the past, files stored locally on your Mac are not encrypted by Boxcryptor anymore due to technical limitations by Apple’s File Provider platform. File Provider apps must store files in cleartext on the local filesystem so that their content can get picked up by macOS and presented to the user. This affects file contents and file names.
Here’s the encryption state by location:
- In the cloud: Files are always protected by Boxcryptor’s encryption
- On your Mac with FileVault: Files are protected by FileVault’s encryption
- On your Mac without FileVault: Files are not protected (not recommended)
We strongly recommend the use of local full-disk encryption for every Mac – regardless if you are using a previous version of Boxcryptor for macOS or the new Boxcryptor for macOS Beta or even if you don’t use Boxcryptor at all. Full-disk encryption is an integral part of local device security and can easily be achieved by turning on FileVault on any Mac.
By using FileVault, files available in the new Boxcryptor for macOS Beta are still protected by FileVault’s encryption on the local disk despite appearing as cleartext when your Mac is in use. Learn more about FileVault here: https://support.apple.com/en-us/HT204837
Where can I find Boxcryptor on my Mac?
In previous versions of Boxcryptor for macOS, the Boxcryptor drive was mounted on the path
/Volumes/Secomba/[USERNAME]/Boxcryptor and accessible via shortcuts in Finder’s Favorite section, in the user’s home folder and on the Desktop.
As every File Provider app, Boxcryptor is now available in
~/Library/CloudStorage where a sync folder for each connected cloud provider is created. These folders are also accessible in the Finder’s Location section.
Do I still need my cloud provider’s client on my Mac?
No, the new Boxcryptor for macOS version now includes the full functionality for fast, smooth and secure synchronization of your files and folders. The new Boxcryptor for macOS version is all you need installed on your Mac to work with encrypted files in Dropbox, OneDrive, Google Drive or any other supported cloud provider. When using the new Boxcryptor for macOS Beta, you can remove your cloud provider’s client from your Mac.
Why is everything new?
A main driver for the new Boxcryptor for macOS version is Apple’s strategy to disallow third party kernel extensions in macOS in order to further secure and close down the Mac operating system. Apple started to deprecate third party kernel extensions a few years ago and successively made it more difficult to use them. While a kernel extension could be loaded “on-the-fly" in the past, macOS 10.15 Catalina started to require a system reboot during the loading process.
Nowadays, Macs with Apple Silicon processors additionally require the modification of the Mac’s Security Policy in Recovery Mode to allow third party kernel extension loading. All signs indicate that third party kernel extensions will not work at all in future versions of macOS. Holding on to our existing concept using a virtual Boxcryptor drive based on a kernel extension would not be sustainable anymore.
Due to Apple’s decisions, we have been forced to come up with a new concept how Boxcryptor for macOS works in the years to come. At the same time, we are excited about the new possibilites and experiences this new integration into macOS opens up for Boxcryptor in the future.
Can I use Spotlight again?
Yes, finally! A major advantage of the new File Provider-API over the old virtual drive is that Spotlight works out-of-the-box without requiring special handling by Boxcryptor. This means that Spotlight indexes files and folders in Boxcryptor locations automatically and by default. Spotlight support is not an optional advanced setting anymore, but a first-class default experience for every user.
Spotlight indexes file and folder metadata of all items in Boxcryptor locations. File contents are only searchable for downloaded files which are locally available for indexing due to technical limitations.
In the first version of the new Boxcryptor for macOS Beta, Spotlight can only index contents of folders that you have previously navigated to. In the stable version, all folder contents will be indexed by Spotlight even if they have never been accessed in Finder.
Which limitations are known?
The following limitations are currently known and will be resolved until the final version of the new Boxcryptor for macOS app:
Context menu is not yet supported, including the following features:
- Managing permissions is not yet supported
- Creating Whisply-Link is not yet supported
- Encrypting/Decrypting of existing items is not yet supported
Can the new Beta and a previous version of Boxcryptor for macOS be used at the same time?
Yes and no. You can rename a previous version of Boxcryptor for macOS (e.g. from “Boxcryptor.app” to “Boxcryptor Legacy.app”) and then install the new Beta to have both versions installed on your Mac at the same time. However, it is not possible to start and use both versions at the same time without interferences. Switching between them one at a time might also lead to unexpected problems, e.g. being signed out on the next start.
We recommend to stick to one version for most of the time and only switch if explicitly required, e.g. in order to modify permissions of an encrypted folder using a previous version of Boxcryptor for macOS.
When will the new Boxcryptor for macOS version officially be available?
The Beta will be continuously improved in the coming weeks and is scheduled to be replaced by a stable version in the first half of 2022.
How to create a debug log?
If you encounter any issue, a debug log can provide very helpful insights in order to fix it. You can create a debug log by following these steps:
- Open the Console app.
- Enter com.boxcryptor into the top right search bar and press Enter.
- Select Subsystem as search filter.
- Click Start or Start Streaming.
- Reproduce the issue you have with Boxcryptor for macOS.
- Switch back to the Console app.
- Select and copy all log entries using CMD+A and CMD+C.
- Open TextEdit (or any other text editor of your choice).
- Paste the log entries using CMD+V.
- Save the file as boxcryptor.log and send it to us via email@example.com
Boxcryptor is Using a Lot of CPU
CPU usage is completely dependent on the activity within the Boxcryptor drive. When many operations are executed within the Boxcryptor drive – such as reading and writing files – CPU usage will rise. When there is no activity in the Boxcryptor drive, there should not be any CPU usage.
However, it is possible that those activities are kind of invisible, for example when apps are running operations in the background, without the user’s interaction. A classic example for that is the indexing service of Spotlight.
Boxcryptor is Slow
An App is Slower Than Usual When Used With Boxcryptor
When an app is slower than usual when used in combination with Boxcryptor, the app might have a problem with handling Boxcryptor’s encryption. Boxcryptor simply acts as a filter, taking read and write requests from the operating system, and encrypting them on the way.
Well written apps write their files in blocks. In this case, Boxcryptor only needs to be active a few times during encryption and performance is not affected. Some apps, however, write each byte one by one. This results in many calls to Boxcryptor and leads to slower performance.
If you have trouble with one of your regular apps and performance is your priority, you could try out an alternative, to check if it can deal with Boxcryptor’s encryption better.
A Background Process is Causing High Load
Slow performance of the Boxcryptor drive might be caused by a background process performing a huge amount of file operations on the Boxcryptor drive without the user noticing. As Boxcryptor is then busy handling all the file operations of the background process, Boxcryptor has less time to handle file operations of other application and thus might feel slow. A classic example for a background service causing high load on the Boxcryptor drive is a search indexing service, e.g. Spotlight.
Anti-virus software real-time scanning incompatibilities
The real-time scanning feature of anti-virus software intercepts file operations and scans them for malware behavior. This can lead to incompatibility problems with the virtual Boxcryptor drive when the anti-virus software intercepts file operations on the virtual Boxcryptor drive as well as all file operations performed by Boxcryptor itself. This can lead to serious performance problems or even freeze the whole Boxcryptor drive.
If you encounter any problems with the Boxcryptor drive or its performance and are using an anti-virus software on your Mac, disable the real-time scanning feature or exclude the Boxcryptor drive if possible. You may also contact the support for your anti-virus software vendor and report this incompatibility so that they can fix it.
Icons or the Context Menu are Not Shown
With macOS 10.10 Yosemite Apple introduced new App Extensions to add custom functionality for example to Finder. Since version 2.3.401 (733) Boxcryptor for macOS, the integration of Boxcryptor into Finder is implemented as a Finder Sync extension as recommended by Apple. The Finder integration includes the Boxcryptor context-menu available when right-clicking a file or folder within Boxcryptor in Finder and overlay icons which reflect the encryption status of files and folders in Boxcryptor. Unfortunately, the reliability of Finder extensions in general does not always meet the expected level and it can happen that the Finder integration is missing for obscure reasons which we cannot influence and can only be fixed by Apple. In this article, we will outline some actions you can take if you should be affected by this problem.
Before digging deeper into the problem, we'd recommend to perform the following actions which might already resolve your problem:
- Relaunch Finder: Hold down the option key and right-click the Finder icon the Dock to click Relaunch
- Restart your Mac: Click the Apple icon in the menu bar and choose Restart.
- Reinstall Boxcryptor: Stop Boxcryptor if it is running, download the latest version of Boxcryptor for macOS, open the Boxcryptor Installer image and copy the Boxcryptor app to your Applications folder.
If the Boxcryptor Finder integration is still missing, go to System Preferences → Extensions and verify that Boxcryptor is listed in your Finder extensions. If the Boxcryptor Finder extension is not listed at all, a general problem with Finder extensions on your Mac could be the reason. A strong indicator for this reason is also when there isn't any (Finder) extension listed at all and also Dropbox and other extensions are missing. The best advice in this case is to contact Apple support for help - but if you'd like to troubleshoot the problem yourself, here are a few things you could try:
Manually add the Boxcryptor Finder extension
Normally, macOS should automatically discover and install the Boxcryptor Finder extension when Boxcryptor is being started for the first time. In some rare cases, this is not the case and the extension is not automatically loaded. To fix this, you can try to manually add the extension by following these steps:
- Open the Terminal application.
- Execute the following command:
pluginkit -a /Applications/Boxcryptor.app/Contents/PlugIns/Rednif.appex
Temporary disabling System Integrity Protection
System Integrity Protection (SIP) is an essential and important new protection mechanism introduced with macOS 10.11 El Capitan to prevent malware from tinkering with your operating system. Unfortunately, SIP also seems to sometimes break the extension system of macOS and we have seen reports where temporary disabling SIP, extensions could be loaded again and continue to load after SIP has been re-enabled. You should be really careful when modifying SIP and know the implications of your actions - information about SIP can be found here and here.
How to disable System Integrity Protection
CAUTION: We do generally not recommend to disable any system protection mechanism. Only perform these steps if you know what you do and on your own risk.
- Reboot your Mac and hold down Cmd+R simultaneously in order to boot into Recovery Mode.
- In the macOS Utilities screen, open Utilities and click Terminal.
- Determine the current state of SIP by entering the following command:
- Disable SIP by entering the following command:
- Reboot your Mac and verify that extensions have been loaded
- Reboot your Mac into Recovery Mode again, open the Terminal and re-enable SIP by entering the following command:
We have seen reports where reinstalling macOS fixes the problem and extensions are loaded successfully again after the operating system has been set up freshly. Especially if extensions are missing in general (e.g. also the Dropbox extension is missing although it is installed), a reinstallation of macOS might be the only solution to get the extension subsystem working correctly again.
Ensure that the Boxcryptor Finder extension is enabled
If the Boxcryptor Finder extension has been loaded and is listed in System Preferences → Extensions, verify that it is enabled and that the checkbox is checked.
Avoid extension conflicts
At any given time, only a single extension can be active for a specific folder regardless how many extensions are enabled. If two extensions register for the same folder, only one of them will be available in Finder and other will be ignored depending which extension was loaded first by macOS.
Try to disable other extensions in order to find possible conflicts. We have seen reports where especially the Google Drive and Synology Cloud Station Finder extensions caused problems with other extensions.
If none of these tips help and the Boxcryptor Finder integration still does not work on your Mac, we might be able to help you if you contact us directly. But you can be sure that you are not alone and we hope that Apple will fix extensions in the future.
How to Create a Debug Log
What is a Debug Log?
A debug log captures all internal events while Boxcryptor is running. It can help us to track down issues with Boxcryptor, for example bugs and incompatibilities with other software.
Does a Debug Log Contain Sensitive Data?
When you create a debug log, sensitive user information - like password, encryption keys, or actual file content will not be logged.
Which Information Does a Debug Log Contain?
The debug log captures the following information.
- User interaction such as button clicks and in-app navigation
- File operations (including unencrypted filenames)
- Current Boxcryptor settings
- Communication with our servers and your cloud provider(s)
- System information such as OS version or required frameworks
- running programs
How Do I Create a Debug Log?
- Quit Boxcryptor.
- Open the Terminal app and execute the following command:
- Reproduce all steps that lead to the unexpected behavior.
- Quit Boxcryptor by clicking on the menu bar icon → Quit Boxcryptor.
A debug log (
Boxcryptor-<Timestamp>.rawnsloggerdata) is generated and saved to ~/Library/Logs/Boxcryptor.
How Do I Access the log folder?
- Open Finder and choose Go → Go to Folder... (Cmd+Shift+G).
~/Library/Logs/Boxcryptorand click on go.
What Should I Do With my Debug Log?
As debug logs can grow pretty big pretty fast, we recommend to compress the debug log file in order to reduce its size before sending.
Additional System Information
If your system configuration matters, you can export information about it as follows:
- Open Spotlight → write
System Information→ press Enter. The system information overview opens.
- In the menu bar go to
Saveto export the information and send it to us additionally.
Log filesystem accesses before execution
I Cannot Connect to the Boxcryptor Servers
Depending on your system or network configuration, Boxcryptor may not always be able to communicate with our servers. However, there are some workarounds for the following scenarios.
Error Message: The Internet connection appears to be offline
When this error message shows, make sure that you still have internet access with Safari. Make sure that the Boxcryptor server status here returns the message OK. One possible source of error could be your proxy settings. For example, try adding
api.boxcryptor.com to an exclusion list.
Warning: This is no Secure Connection
If you are in an environment that performs traffic inspection, you might not be able to connect to our servers. Examples, where traffic inspection might interfere with Boxcryptor:
- Anti-virus solutions that protect internet traffic
- Public hotspots
- Company proxy servers
Traffic inspection, techically speaking, is a man-in-the-middle attack. Therefore, it is important to make sure your system or internet connection is not compromised. You can check the certificate information provided, by clicking advanced in the error message.
If you already have signed in to Boxcryptor sucessfully, you can continue offline. All files will be available. However, you will not be able to alter Boxcryptor permissions or use other online features of Boxcryptor.
How Do I Uninstall Boxcryptor?
Since Boxcryptor is deeply integrated into macOS and the system does not provide any uninstall mechanism by default, follow this guide to remove Boxcryptor completly from your system.
- Quit Boxcryptor.
- Open the System Preferences → Extensions → Finder and disable Boxcryptor.
- Delete the following folders:
- ~/Library/Application Support/Boxcryptor
The ~/Library denotes the user library folder and NOT the system library folder.
- Remove application preferences by executing the following command in the Terminal app: defaults remove com.boxcryptor.osx
- Open the Keychain Access app and remove all entries starting with com.boxcryptor.osx.
- Move Boxcryptor.app into trash.
Where can I download Boxcryptor Classic?
Boxcryptor Classic is the predecessor of Boxcryptor which has been discontinued. It is not recommended to use Boxcryptor Classic because it is not supported anymore and does not work on the latest operating system versions.
If you’re an existing user of Boxcryptor Classic you can download it here and we recommend you to upgrade to Boxcryptor as soon as possible.
Download Boxcryptor Classic for Mac OS X here: https://www.boxcryptor.com/download/Boxcryptor_Classic_v1.5.415.252_Installer.dmg Supports Mac OS X 10.7, 10.8, 10.9, 10.10
If you already upgraded to Mac OS X >= 10.11 and need to decrypt your encrypted files with Boxcryptor Classic, you can download this “unofficial” version with read-only support for macOS 10.11 and 10.12: https://www.dropbox.com/s/wbrygn4x2kgzlsp/Boxcryptor_Classic_v1.5.417.253_Installer.dmg?dl=0
What happens if Boxcryptor goes out of business?
Boxcryptor has been designed in such a way that Boxcryptor continues to work even if the Boxcryptor servers are not available and you're still signed into Boxcryptor. If you want to take additional precautions for the event that the Boxcryptor servers would go permanently offline, you must have the following backups:
- Exported key file
- Boxcryptor installer file
When these files are available, you will always be able to access your encrypted files on your own on any supported operating system - without any connection to any server. The exported key file contains all encryption keys associated with your Boxcryptor account. Important: As new keys might be added over time by Boxcryptor's integrated key management (e.g. when sharing files with other Boxcryptor users), it is recommended to regularly export a new key file.
After installing Boxcryptor, you can use the exported key file to access your encrypted files using a local account. Learn more about exporting your keys and local accounts.
Advanced Client Configuration
Some preferences of Boxcryptor are not exposed in the user interface. While it is generally not recommended to modify these preferences, experienced users or administrators might want to do it to better tailor Boxcryptor to their needs.
The hidden preferences are loaded when Boxcryptor is starting. If Boxcryptor is running when you modify a hidden preference, you have to restart Boxcryptor in order for the change to be applied. Also be aware that the key is case-sensitive.
How to Manage Hidden Preferences
Hidden preferences are stored in the standard macOS user defaults system and can be managed using the defaults command in the Terminal application. The user defaults of Boxcryptor for macOS are stored in the domain "com.boxcryptor.osx". To manage the hidden preferences, you can execute the following commands in Terminal. Please read the man pages for the defaults command to learn more about using it.
- defaults read com.boxcryptor.osx KEY Reads the current value of KEY
- defaults write com.boxcryptor.osx KEY VALUE Stores VALUE for KEY
- defaults remove com.boxcryptor.osx KEY Deletes the KEY
List of hidden preferences
- autoDetectRemovableDrives By default, Boxcryptor auto-detects removable drives and automatically adds them as locations. Set this value to "NO" in order to disable the auto-detection of removable drives. Default: YES
- disableAccessControlLists By default, Boxcryptor supports access control lists (ACLs). Set this value to "YES" in order to disable this support if you don't need it. As getting ACLs requires additional file operations, disabling support for ACLs could slightly improve the performance of Boxcryptor. Default: NO
- disableAliases By default, Boxcryptor creates aliases for the Boxcryptor disk in the Finder sidebar and on the Desktop if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of aliases by Boxcryptor. Default: NO
- disableDesktopAlias By default, Boxcryptor creates an alias for the Boxcryptor disk on the Desktop if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of the Desktop alias by Boxcryptor. Note: Boxcryptor only creates the alias if Finder does not show connected servers (the Boxcryptor disk is mounted as remote disk). Please disable Finder -> Preferences -> General -> Connected servers in this case. Default: NO
- disableSidebarAlias By default, Boxcryptor creates an alias for the Boxcryptor disk in the Finder sidebar if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of the Finder sidebar alias by Boxcryptor. Default: NO
- disablePlainTextWarning By default, Boxcryptor will ask if you want to encrypt a file or folder if you create/copy/move it in a plaintext folder. You can disable this behaviour by setting this value to "YES". Boxcryptor will then always create plaintext files/folders in plaintext folders and not ask for encryption. Important: In this case, only files or folders created/copied/moved to already encrypted folders will be encrypted. Default: NO
- hidePlaintextFilesFromSpotlight By default, all files and folders within the Boxcryptor disk will be indexed by Spotlight if it is enabled. By setting this value to "YES", Spotlight will see and index only encrypted files and ignore any plaintext files in the Boxcryptor disk. Default: NO
- revertFileModificationDateOnPermissionChange When modifying permissions of encrypted files or folders, Boxcryptor will add a few seconds to the modification date so that synchronization apps can better detect and sync this change. If you do not want the modification date to change when modifying permissions in Boxcryptor, you can set this value to "YES". Boxcryptor will then revert the modification date to its original value after applying the new permissions. Default: NO
- eagerLogging By default, when logging is enabled, Boxcryptor logs filesystem events after being executed on the virtual Boxcryptor drive. By setting this value to "YES", Boxcryptor will also log the filesystem event prior to execution.
- defaults write com.boxcryptor.osx disableAliases -bool YES Disables the automatic creation of Finder sidebar and Desktop aliases for the Boxcryptor disk.
- defaults remove com.boxcryptor.osx disableAliases Restore the default behaviour of Boxcryptor regarding alias creation.
We regularly release new versions of Boxcryptor with new features, better stability and overall improvements and retire outdated versions over time. On September 30 2018, the following versions have been retired:
- Boxcryptor for Windows 2.22.706 and older
- Boxcryptor for macOS 2.19.907 and older
When you try to use a retired version, you will not be able to use Boxcryptor and receive one of the following error messages:
This client is invalid or outdated. Please upgrade to the latest version.
The client id is invalid!
This is no secure connection
The remote certificate is invalid according to the validation procedure
Boxcryptor can't establish a secure connection to the Boxcryptor server.
Download and install the latest version of Boxcryptor from here. Afterwards you will be able to continue to use Boxcryptor.
If you still see the error message This is no secure connection, the problem lies elsewhere. Check out I Cannot Connect to the Boxcryptor Servers.
I am using Windows XP or Mac OS X 10.14 or earlier
Current versions of Boxcryptor require Windows 7 and later or macOS 10.15 and later. As all earlier operating system versions are not supported by Apple or Microsoft anymore, we recommend affected users to update their operating system to a newer version as soon as possible in order to stay safe.
Using unsupported operation systems poses a huge security risk. You really have to update your operating system for security-related use.
I cannot update to the latest version
Note: If you are using Windows, please look into I Cannot Update or Uninstall Boxcryptor first.
If for any reason you cannot update to the latest version and can't access your encrypted files anymore, you have the following options:
Boxcryptor Portable does not require any installation and can be used to access and decrypt your encrypted files without administrator rights. Download Boxcryptor Portable here.
You can export your keys from our server and use a local account to sign in to your outdated Boxcryptor version without requiring a connection to our servers. Learn more here.
I cannot sign in due to too many connected devices
Cannot open some files
There may be situations where files appear to be inaccessible. This can have multiple reasons:
Boxcryptor Access Issues
On desktop some Applications or the file browser shows a message with
Invalid parameterwhen trying to open a file.
- Boxcryptor is eventually signed-in to a wrong account. → Check the account info in the Boxcryptor settings and compare it with the Boxcryptor permissions.
- The user has no Boxcryptor permissions on the file. → Make sure the user has physical access to the shared file, has Boxcryptor permissions correctly set and the latest permission changes of the file have been synced. Learn how to set permissions here.
Filesystem Permissions Issues
Files are read-only or "permission denied" is displayed. Change files system permissions so your user can (physically) access them.
"Bad padding" issues, empty physical files or inaccessible folders due to an empty
File open shows "Found invalid data while decoding" and the .bc file is empty.
Folder cannot be opened "Found invalid data while decoding." is displayed in the permission settings.
There has been an incompatibility with Dropbox in the past that could create "broken" content for smaller files because Dropbox did not sync the last file change.
- restore an older version of the corrupted file via the file history of your cloud storage provider.
- for folder issues, delete the empty
Folderkey.bchfile and re-encrypt the folder.
Legacy System Extension
System extensions have been used for many years to extend the functionality of macOS. In order to improve security, stability and reliability of macOS, Apple is currently working on modern alternatives to system extensions in future versions of macOS.
Boxcryptor uses a system extension to provide the virtual Boxcryptor drive. Therefore, you may receive a "Legacy System Extension" message when Boxcryptor starts for the first time and periodically when it is running beginning with macOS 10.15.4 (Catalina).
We are aware of this message and Apple's transition away from system extensions in macOS. We will be ready to comply with Apple's future requirements in time.
Until then, you can ignore this message and safely close the window. Boxcryptor will continue working in macOS without any issues. More information can be found here.
On November 10, 2020, Apple revealed new Mac hardware with the revolutionary Apple Silicon M1 processors which are available since November 17. Boxcryptor has been adapted to run natively on the new processor architecture with the maximum performance and battery life.
Boxcryptor natively supports the new Apple Silicon Macs since version 2.39.1119 released on December 18, 2020.
Enable System Extensions
Enabling system extensions is a hard requirement to use Boxcryptor on Apple Silicon Macs and Boxcryptor will not work otherwise.
Apple is further locking down macOS in Apple Silicon Macs where 3rd party kernel extensions are disabled by default. Boxcryptor uses a kernel extension to provide the virtual Boxcryptor disk and integrate in macOS' file system for the best user experience. Only a kernel extension can offer this tight integration into macOS at the moment.
In order to use 3rd party kernel extensions on Apple Silicon Macs, users must enable system extensions by changing their Mac's Security Policy to Reduced Security and allow user management of kernel extensions from identified developers. Despite the dramatic name, Reduced Security still offers best-in-class security for every Mac:
In Full Security, only the latest Apple approved and signed version of macOS can be installed. When (re-)installing macOS, your Mac connects to Apple's servers and checks if the macOS version is allowed to be installed. Apple can remotely prevent the installation of a macOS version.
In Reduced Security, only Apple approved and signed versions of macOS can be installed. In contrast to Full Security this includes not only the latest, but also previous versions of macOS. No connection to Apple's servers is required and Apple cannot remotely prevent the installation of a macOS version.
Similar, allowing user management of kernel extensions from identified developers does not inheritly weaken the security of your Mac. Kernel extensions are still blocked by default and every kernel extension must explicitly be approved by a user with administrator rights before it can be loaded. Additionally, kernel extensions must be signed and notarized by Apple approved and accredited developers.
You will automatically be prompted to enable system extension when running Boxcryptor for the first time on an Apple Silicon Mac if required. In this case open System Preferences -> Security & Privacy and follow the provided instructions.
Alternatively, you can enable system extensions by following these steps as documented by Apple:
- Reboot your Mac into Recovery Mode
- Open Utilities -> Startup Security Utility
- Select and unlock your system volume and click Security Policy...
- Choose Reduced Security
- Enable Allow user management of kernel extensions from identified developers
- Click OK and confirm the action by entering your administrator credentials
- Restart your Mac
Allow Boxcryptor System Extension
Allowing the Boxcryptor system extension is a hard requirement to use Boxcryptor and Boxcryptor will not work otherwise.
The Boxcryptor kernel extension is blocked by default and must be allowed by a user with administrator rights before it can be loaded. You will automatically be prompted to allow the Boxcryptor system extension when running for the first time if required. In this case open System Preferences -> Security & Privacy and follow the provided instructions.
Note: Benjamin Fleischer is the maintainer of the open source kernel extension used by Boxcryptor.
What is a FolderKey.bch and a .bclink file
There is a File Called FolderKey.bch in my Cloud Storage. What is This?
Boxcryptor creates a FolderKey.bch file when a folder is encrypted. It contains encryption metadata for its parent folder and helps Boxcryptor to maintain the encryption hierarchy. This file is not visible within the Boxcryptor drive.
Does it Leak Sensitive Information?
The FolderKey.bch does not contain any sensitive information. Only .bc files contain sensitive information — and these are encrypted.
What Happens When I Lose it?
Dont't worry, you will not loose any data or access to files. All crypto-required information is stored directly within your encrypted *.bc files.
The downside of losing that file is that Boxcryptor no longer perceives the parent folder as encrypted. As a consequence, new files in this folder will not inherit the encryption setting.
There is a File Called .bclink in my Cloud Storage. What is This?
The file helps to verify the account when linking accounts to use features like Whisply.
If the file doesn't exist, the user either used a different account for linking or the sync client is not turned on/syncing.
Does it Leak Sensitive Information? Can I delete it?
The file does not contain any sensitive information. It is not necessary and can also be deleted. However, it may be generated again automatically.
Recover Account Access if Second Factor (2FA) is Lost
In the case of a lost second factor for the two-factor authentication (2FA) such as an authenticator app, your mobile device in total, your security key or other hardware, you will no longer be able to sign in to your Boxcryptor account.
Ways to recover access to your account:
Re-apply the secret key from your initial setup
If you still have your secret key from the initial Authenticator App setup, you can just re-add it to your authenticator app of choice. Next to the QR Code scan method these apps usually provide a "manual" way to add a Time-based One-time Password (TOTP) account.
For reference, the secret key looks similar to:
mzwe wocd mj3d qr3f njjw g2cm grqw cvli
Use a device code
If you are still recently signed-in in Boxcryptor for Windows or Boxcryptor for macOS, You can use these devices as a second factor instead.
The second factor authentication screen will then provide you with the extra option "Use Device Code". Upon clicking on it, our apps will provide you with a temporary 8-digit pin, that will be valid for 5 minutes.
Make sure the Boxcryptor client is started and unlocked before requesting a device code.
Use a backup code
Once you set up your second factor, backup codes will be generated and presented to you. You can use these one-time codes instead of your second factor.
If you run out of one-time codes, you can regenerate new codes here.
None of the above methods apply
If you are still unable to access your account, you can also contact us to disable the two-factor authentication.
However, we need clear evidence that you are the legitimate owner of this account.
The identification will be done via video live chat, you will need the following things:
- A device with a browser installed and a working camera.
- An identification of your person (ID card, passport or driver's license).
- The valid e-mail address of your Boxcryptor account.
To pick an appointment, please go to:
Please provide a valid e-mail address, since it will be used for a calendar invite, further instructions and a meeting join link.
As a video chat platform, we use Microsoft Teams. You do not need a user account there. On desktop computers, a modern browser (Chrome, Edge or Safari) is sufficient. For other browsers or mobile devices, you might have to download the Microsoft Teams App:
iPhone & iPad: https://apps.apple.com/app/microsoft-teams/id1113153706 Android: https://play.google.com/store/apps/details?id=com.microsoft.teams Desktop: https://www.microsoft.com/en-us/microsoft-teams/download-app
Invalid Authenticator App Codes
If you are unable to generate a valid code despite the authenticator app working, this is most likely due to a different time on one of the systems involved.
Since these TOTP codes are only valid for 30 seconds, deviations from real time of just a few seconds can lead to registration problems.
You can check the synchronization on all participating devices by visiting the following website: https://time.is
If the time difference is more than a few seconds, we recommend that you set up the automatic time synchronization of your devices or, if necessary, perform a new one.