- Boxcryptor is Using a Lot of CPU
- Boxcryptor is Slow
- Icons or the Context Menu are Not Shown
- How to Create a Debug Log
- What is a FolderKey.bch?
- I Cannot Connect to the Boxcryptor Servers
- Google Drive Troubleshooting
- iCloud Drive Troubleshooting
- How Do I Uninstall Boxcryptor?
- Where can I download Boxcryptor Classic?
- What happens if Boxcryptor goes out of business?
- Advanced Client Configuration
- Outdated Clients
- Cannot open some files
- Legacy System Extension
This short quickstart guide for company administrators provides you with the best solution on how to set up Boxcryptor. This way you can avoid sync-problems or long waiting times during the encryption.
Our Guides to Download
- Best Practice Guide for Admins: Download PDF
- Quickstart Guide for Company Users: Download PDF
- Quickstart for Windows and Dropbox (for Boxcryptor Admins): Download PDF
Some Tips for the Safety of Your Data
- Make sure that your cloud is accessible.
- For your first test we recommend using some dummy files, to figure out how everything works.
- Be aware that encrypting and migrating your company’s data could take a day or two, depending on how much data you handle.
Now you are ready to get started. Following the next steps in the right order is important because it will make sure that Boxcryptor works as quick as possible and at its general best.
How to Set up Your Company Account
Step 1: Go to boxcryptor.com and set up your company admin account:
- Sign in with your admin account to boxcryptor.com
- Get to know the general functionalities, especially the available Boxcryptor Company policies.
- Set the two most important Boxcryptor Company Policies:
- Disable account reset to avoid data loss and stay in control.
- Master key (only with the Master Key enabled you will be able to reset passwords if someone in the company forgets it, which is unfortunately very likely).
Step 2: Create all necessary groups, but do not add any members yet.
Step 3: Create your folder structure with encrypted folders. Do not share it yet and do not put any data into the folders at this point.
Step 4: Grant all necessary Boxcryptor permissions for these empty folders. Decide now, which groups will be allowed to access which folders. (Please note that all set permissions for encrypted folders will be inherited to its subfolders and files automatically. All files and folders will have the same permissions as their parent folder.)
Step 5: Now it is time to put all your unencrypted data into these folders.
Step 6: Create new accounts or invite your members to your team via boxcryptor.com. Make sure to provide the individually created temporary passwords to each respective Boxcryptor user in your team.
Step 7: Assign all members to their Boxcryptor group or groups.
Step 8: Go to your cloud provider and share the encrypted data there with your team members. This step is necessary, since you only shared the permission to access the encrypted data in Boxcryptor so far. Now, you also have to share the data physically at your cloud provider.
Congratulations, you are all set now.
How to Manage Your Users
With a company account you can have 5, 10, 20, 50 or even 10.000 users. You can manage them on the Users page.
The user status is shown on the top of the page (it indicates the amount of available and used users). Below this section, you will find the user overview where you see a list of your users. Here you can edit users or remove them from your company.
In the middle, you can add new users to your company by entering their email address. If you want to create more than one user, you can enter a comma separated list of email addresses, e.g.:
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
If the user does not have a Boxcryptor account yet, he will receive an email with the account information and a temporary password. If the user already has a Boxcryptor account, he will receive an email with a verification link to join the company. The user must accept your invitation by clicking the verification link before he is added to your company.
Manage a single user
When you click Edit on a single user, you will see the user detail page, where you can view and edit the follonwing user details.
If the Master Key is enabled for your company, this field indicates whether it is active for the given user. The user must change his password at least once after the Master Key has been enabled, in order to become active for a given user. Only if the Master Key is active for a user, it can be used to access the user’s encrypted files or reset his password. Possible values are:
- Active The user’s files can be accessed using the master key and it can also be used to reset the user's password.
- Inactive The user’s files cannot be accessed and his password cannot be reset. The user must login to Boxcryptor and change his password in order to activate the master key.
If this field is enabled, the user must change his Boxcryptor password at the next login.
If a user is enabled, he can use Boxcryptor regularly. If a user is disabled, he cannot use Boxcryptor anymore and does use a license, i.e. he does not count against your license quota. This can be used to temporarily disable user accounts (e.g. for consultants, interns) without having to remove or delete them.
Reset User Password
If the Master Key is active, the Reset User Password button allows you to reset the user’s password:
- Unlock Master Key
- Copy the new temporary password
- Confirm by entering your own password
- Send the new temporary password to the user using a secure channel (e.g. encrypted email)
Remove or Delete A User
The Remove button gives you two options:
- Delete User The user’s account and associated keys will be permantently deleted. All connected devices and web session will be deleted and the user will not be able to login and decrypt his encrypted files anymore.
- Remove User The user will only be removed from your company. He will be downgraded to Boxcryptor Free and can still continue to use Boxcryptor, i.e. he can sign in and access his encrypted files as before.
Devices and Web Sessions
At the bottom, you see all devices which are connected with this user account and you can unlink them (for example if an employees’ laptop is stolen, you can unlink it to prevent unauthorized access to the encrypted data). When a device or web session has been unlinked, the user will be remotely signed out on the next connection with the Boxcryptor servers.
You can manually sync your Boxcryptor users with an existing Active Directory or LDAP directory. Alternatively, you can also connect Boxcryptor with your Dropbox for Business account to sync your Dropbox users with Boxcryptor. When you sync your users, Boxcryptor accounts will be created, deleted or removed as necessary. You can choose if a Boxcryptor account should be deleted or just removed from your company account if it is not needed anymore.
Active Directory & LDAP
If you manage your users in your organization with an Active Directory or LDAP you can easily import these users to Boxcryptor. Requirements:
- Read access to your directory
- Active Directory or LDAP server which can be reached from our servers
Click here if you need to whitelist our IP’s for your firewall.
If your Active Directory or LDAP server is located behind a firewall, please whitelist our IP ranges so that our servers can query your directory. The IP ranges should be fairly stable, but might change over time. The current IP ranges are:
184.108.40.206/28 220.127.116.11/28 18.104.22.168/28
To configure Boxcryptor with your user directory, click on the Setup LDAP Button. Now you can configure the access to your user directory using common Active Directory / LDAP properties:
- Server Address: Fully qualified URI to your directory server. LDAP and LDAPS protocols are supported. Example: ldap://server.company.com:389/
- User Base: Starting point for the user search. Example: dc=company,dc=com
- User for authentication: User which will be used to connect to your user directory. Must have read access rights. Example: cn=Administrator,cn=Users,dc=company,dc=com
- Password for authentication: Password which will be used to connect to your user directory.
- Search String: Users returned by this search string will synced with Boxcryptor. Example: (objectClass=user)
- Search Base: Base for the search string. Example: cn=users
- Field of Firstname: This user directory field will be mapped to the firstname of Boxcryptor accounts Example: givenname
- Field of Lastname: This user directory field will be mapped to the lastname of Boxcryptor accounts Example: sn
- Field of Email: This user directory field will be mapped to the email of Boxcryptor accounts Example: userprincipalname
- Deletion Procedure: When a Boxcryptor account does not exist in your user directory anymore, it will either be deleted, removed or disabled.
Dropbox for Business
To connect Boxcryptor with your Dropbox for Business account, click on the Setup Dropbox for Business button followed by the Connect button on the next page. If not done yet, you must login to your Dropbox account and grant Boxcryptor access to your Dropbox for Business account.
After setting up your user directory or Dropbox for Business account, you can import your users. It is strongly recommended, to first set the Dry run option which gives you a preview what will happen when you import your users. When performing a dry run, you will see which Boxcryptor accounts would be created, which users would be invited to join your company or which Boxcryptor accounts would be deleted. If you think everything is fine, you can remove the “Dry run” checkbox, and the changes will be written to the database. If you need to resync your users at a later time, simply start the import process again.
A company can define a set of policies (rules) which applies to their users (e.g. minimum password length). A policy can be applied to all users and it is possible to include or exclude specific users.
- Restrict sign in to specific countries A user can only sign in to his account from specific countries. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it.
- Restrict sign in to specific IP addresses A user can only sign in to this account from IP addresses which match the regular expression specified in the "Value" field. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific IP addresses" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict Use to Country of Sign-In A user can use Boxcryptor only in the country where he initially signed in. If the country changes and a user connects from any other country, he will be signed out and will have to sign in again.
- Restrict Use to IP-Address of Sign-In A user can use Boxcryptor only from the IP address where he initially signed in. If the IP address changes and a user connects from any other IP address, he will be signed out and will have to sign in again. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict use to specific countries A user can use Boxcryptor only in specific countries. If a user is connected from any other country, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it.
- Restrict use to specific IP addresses A user can use Boxcryptor only from an IP address which matches the regular expression specified in the "Value" field. If a user is connected from any other IP address, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Disable auditing Do not store any auditing information. This only applies to new auditing data - existing auditing data will not be deleted.
- Disallow account reset Disallow users to reset their account.
- Disallow key export Disallow your users from exporting their account data.
- Maximum number of devices A user can only be connected to a maximum number of devices at the same time. Please enter the maximum number of devices in the "Value" field. Example Value: 5
- Disallow filename encryption Filename encryption is forbidden and cannot be enabled.
- Require encryption Encryption is obligatory and every new file will automatically be encrypted. Important: This policy only removes the ability to create unencrypted files or to e.g. decrypt files via the context menu. If the user really wants to permanently decrypt a file, he might be able to find ways to do so.
- Require filename encryption Filename encryption is obligatory and cannot be disabled.
- Master key The password key of a user is additionally encrypted with the master key and stored. This grants the company administrator access to the private key of a user and thus all encrypted files to which the user has access. You have to generate and activate the master key in your admin account (under "Security").
- Disallow to create groups A user may not create any new group.
- Disallow to join groups A user may not join any group.
- Disallow to leave groups A user may not leave any group.
Using all three group policies, users can effectively be prevented from modifying groups. If administrators are excluded from the policies, only administrators can manage groups of their company.
- Allow Locations A user may only use the locations which are specified here. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Maximum number of locations A user can only have a maximum number of locations (Desktop) or providers (Mobile) configured at the same time. Example Value: 2
- Require Locations A user must have the locations which are specified. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Disallow two-factor authentication using authenticator apps Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are not allowed to setup an authenticator app for their accounts and any existing authenticator app will be disabled.
- Require two-factor authentication using authenticator apps Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are forced to setup an authenticator app for their accounts and enter an additional security code when signing in. Users will not be able to sign in to any Boxcryptor client until they setup an authenticator app.
- Require two-factor authentication using Duo Boxcryptor supports two-factor authentication using Duo. A user is forced to approve his sign in with a second factor, e.g. his mobile device.
- Disallow two-factor authentication using security keys Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are not allowed to setup a security key for their accounts and any existing security key will be disabled.
- Require two-factor authentication using authenticator apps Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are forced to setup a security key for their accounts and authorize with the key when signing in. Users will not be able to sign in to any Boxcryptor client until they setup asecurity key.
- Disable remember password A user cannot use the "Remember password" feature and has to enter his password every time the Boxcryptor software starts.
- Minimum password length New passwords must have a minimum number of characters. Please enter the minimum number of characters in the "Value" field. Example Value: 12
- Disallow to modify permissions A user may not modify any permission of encrypted files or folders.
Using this policy, users can be prevented from modifying permissions. If administrators are excluded from this policy, only administrators can manage file and folder permissions.
The Master Key is one of the most important Boxcryptor Company and Boxcryptor Enterprise features. If enabled, the Master Key gives you the power to decrypt every file which is accessible by users of your company or resetting your users' passwords - without having to know them. With the Master Key, you are protected against the loss of access to your property (your files) even in complicated situations (e.g. when a user forgets his password or leaves the company).
Set up the Master Key
You will lose access to the Master Key if you forget your Master Key password. We are not able to restore it because Boxcryptor is zero knowledge.
- Go to boxcryptor.com.
- Navigate to Security and start the setup procedure.
After the Master Key has been set up, every user will be forced to change their password the next time they sign in to Boxcryptor in order to activate the Master Key for the user.
Each user has to change his password in order to activate the Master Key for his account. The Master Key is inactive and unusable for a user until he changed his password.
Use the Master Key
When the Master Key is set up and activated, it can be used to reset a user's password or access the user's encrypted files in emergency situations.
Reset a user's password
- Go to boxcryptor.com.
- Navigate to Users and edit a user.
- Verify that the Master Key is active.
- Click on Reset user password.
Access your users' encrypted files
- Use Boxcryptor for Windows or Boxcryptor for macOS.
- Open Settings or Preferences.
- Select the Account tab.
- Click on Unlock.
- Enter your Master Key Password.
- Get physical access to the encrypted files
- Access any encrypted file which can be decrypted by any of your users with an active Master Key.
The Master Key gives you access to the user's private key so that you can decrypt files which also the user can decrypt. If the user cannot decrypt a file because he currently does not have the necessary permission, you also cannot decrypt the file. The Master Key gives you access to all files your users currently have access to, not to any file ever created by your users if they do not have access anymore.
If you delete a user, the user's private key will be deleted and you will permanently lose access to files which can only be access by this user - even if the Master Key is active. If you want the ability to access a user's files in the future, it is recommended to disable a user instead.
Activities allow administrators to monitor user activitites by logging and recording events related to users, devices, groups and policies. You can filter by date and user as well as setting a maximum number of actvitites. An activity contains the following information:
- Date / time
- Activity type
- Short description
- IP address (last digits are anonymized)
Click on the appropriate icon at the top to see instructions for the different platforms.
Besides users being able to install Boxcryptor on their devices with administrator rights, Boxcryptor administrators can also roll-out and deploy Boxcryptor for their users.
The Boxcryptor app can be deployed using various device management systems. Boxcryptor contains a privileged helper which is e.g. responsible to install the kernel extension for the virtual filesystem. By default, the privileged helper is installed on the first app start after the initial installation or after an update if it contains a newer privileged helper. In order to install the privileged helper, administrator rights are required.
For system where users do not have macOS administrator rights, the privileged helper can be installed during the deployment using a custom script which is executed after the Boxcryptor app has been installed or updated. The script must be executed with administrator rights and should contain the following command:
sudo /Applications/Boxcryptor.app/Contents/MacOS/Boxcryptor --install-privileged-helper
Advanced Client Configuration
Some preferences of Boxcryptor are not exposed in the user interface. While it is generally not recommended to modify these preferences, experienced users or administrators might want to do it to better tailor Boxcryptor to their needs.
The hidden preferences are loaded when Boxcryptor is starting. If Boxcryptor is running when you modify a hidden preference, you have to restart Boxcryptor in order for the change to be applied. Also be aware that the key is case-sensitive.
How to manage hidden preferences
Hidden preferences are stored in the standard macOS user defaults system and can be managed using the defaults command in the Terminal application. The user defaults of Boxcryptor for macOS are stored in the domain "com.boxcryptor.osx". To manage the hidden preferences, you can execute the following commands in Terminal. Please read the man pages for the defaults command to learn more about using it.
- defaults read com.boxcryptor.osx KEY Reads the current value of KEY
- defaults write com.boxcryptor.osx KEY VALUE Stores VALUE for KEY
- defaults remove com.boxcryptor.osx KEY Deletes the KEY
List of hidden preferences
- autoDetectRemovableDrives By default, Boxcryptor auto-detects removable drives and automatically adds them as locations. Set this value to "NO" in order to disable the auto-detection of removable drives. Default: YES
- disableAccessControlLists By default, Boxcryptor supports access control lists (ACLs). Set this value to "YES" in order to disable this support if you don't need it. As getting ACLs requires additional file operations, disabling support for ACLs could slightly improve the performance of Boxcryptor. Default: NO
- disableAliases By default, Boxcryptor creates aliases for the Boxcryptor disk in the Finder sidebar and on the Desktop if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of aliases by Boxcryptor. Default: NO
- disableDesktopAlias By default, Boxcryptor creates an alias for the Boxcryptor disk on the Desktop if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of the Desktop alias by Boxcryptor. Note: Boxcryptor only creates the alias if Finder does not show connected servers (the Boxcryptor disk is mounted as remote disk). Please disable Finder -> Preferences -> General -> Connected servers in this case. Default: NO
- disableSidebarAlias By default, Boxcryptor creates an alias for the Boxcryptor disk in the Finder sidebar if Finder would not show it otherwise. Set this value to "YES" in order to disable the creation of the Finder sidebar alias by Boxcryptor. Default: NO
- disablePlainTextWarning By default, Boxcryptor will ask if you want to encrypt a file or folder if you create/copy/move it in a plaintext folder. You can disable this behaviour by setting this value to "YES". Boxcryptor will then always create plaintext files/folders in plaintext folders and not ask for encryption. Important: In this case, only files or folders created/copied/moved to already encrypted folders will be encrypted. Default: NO
- hidePlaintextFilesFromSpotlight By default, all files and folders within the Boxcryptor disk will be indexed by Spotlight if it is enabled. By setting this value to "YES", Spotlight will see and index only encrypted files and ignore any plaintext files in the Boxcryptor disk. Default: NO
- revertFileModificationDateOnPermissionChange When modifying permissions of encrypted files or folders, Boxcryptor will add a few seconds to the modification date so that synchronization apps can better detect and sync this change. If you do not want the modification date to change when modifying permissions in Boxcryptor, you can set this value to "YES". Boxcryptor will then revert the modification date to its original value after applying the new permissions. Default: NO
- defaults write com.boxcryptor.osx disableAliases -bool YES Disables the automatic creation of Finder sidebar and Desktop aliases for the Boxcryptor disk.
- defaults remove com.boxcryptor.osx disableAliases Restore the default behaviour of Boxcryptor regarding alias creation.