Teams

Quickstart

This short quickstart guide for company administrators shows the recommended way to set up Boxcryptor, so that you avoid sync problems and long waiting times during encryption. You can download the guide here.

But first, some tips for the safety of your data:

  • Make sure that your cloud is accessible.
  • For your first test we recommend using some dummy files, to figure out how everything works.
  • Be aware that encrypting and migrating your company’s data could take a day or two, depending on how much data you handle.

Now you are ready to get started. Follow the steps below in the given order; this ensures that Boxcryptor works as quickly as possible and performs at its best.

Step 1: Go to boxcryptor.com and set up your company admin account:

  • Sign in with your admin account to boxcryptor.com
  • Get to know the general functionalities, especially the available Boxcryptor Company policies.
  • Set the two most important Boxcryptor Company Policies:
    • Disable account reset to avoid data loss and stay in control.
    • Master key (only with the Master Key enabled can you reset a user's password if someone in the company forgets it, which is unfortunately very likely).

Step 2: Use the Boxcryptor Desktop client (the Boxcryptor software downloaded to your device) and create all necessary groups there, but do not add any members yet.

Step 3: Create your folder structure with encrypted folders. Do not share it yet and do not put any data into the folders at this point.

Step 4: Grant all necessary Boxcryptor permissions for these empty folders. Decide now, which groups will be allowed to access which folders.
(Please note that all permissions set on an encrypted folder are inherited by its subfolders and files automatically. All files and folders will have the same permissions as their parent folder.)

Step 5: Now it is time to put all your unencrypted data into these folders.

Step 6: Create new accounts or invite your members to your team via boxcryptor.com. (Make sure to provide the individually created temporary passwords to each respective Boxcryptor user in your team.)

Step 7: Assign all members to their Boxcryptor group or groups.

Step 8: Go to your cloud provider and share the encrypted data there with your team members. This step is necessary, since you only shared the permission to access the encrypted data in Boxcryptor so far. Now, you also have to share the data physically at your cloud provider.

Congratulations, you are all set now.

Users

Manage users

With a company account you can have 5, 10, 20, 50 or even 10,000 users. You can manage them on the Users page.

The user status is shown on the top of the page (it indicates the amount of available and used users). Below this section, you will find the user overview where you see a list of your users. Here you can edit users or remove them from your company.

In the middle, you can add new users to your company by entering their email address. If you want to create more than one user, you can enter a comma separated list of email addresses, e.g.:

john.doe@awesome-company.com, max.mustermann@awesome-company.com, jayne.doe@awesome-company.com

If the user does not have a Boxcryptor account yet, he will receive an email with the account information and a temporary password. If the user already has a Boxcryptor account, he will receive an email with a verification link to join the company. The user must accept your invitation by clicking the verification link before he is added to your company.

Manage a single user

When you click Edit on a single user, you will see the user detail page where you can view and edit the user details.

Properties

Master Key

If the master key is enabled for your company, this field indicates whether the master key is active for the given user. The master key only becomes active for a user after that user has changed his password at least once since the master key was enabled. Only when the master key is active for a user can it be used to access the user's encrypted files or reset his password. Possible values are:

  • Active
    The user's files can be accessed using the master key and it can also be used to reset the user's password.
  • Inactive
    The user's files cannot be accessed and his password cannot be reset. The user must log in to Boxcryptor and change his password in order to activate the master key.

Password expired

If this field is enabled, the user must change his Boxcryptor password at the next login.

Enabled

If a user is enabled, he can use Boxcryptor regularly. If a user is disabled, he cannot use Boxcryptor anymore and does not use a license, i.e. he does not count against your license quota. This can be used to temporarily disable user accounts (e.g. for consultants or interns) without having to remove or delete them.

Reset user password

If the master key is active, the Reset User Password button allows you to reset the user's password:

  1. Unlock the master key
  2. Copy the new temporary password
  3. Confirm by entering your own password
  4. Send the new temporary password to the user using a secure channel (e.g. encrypted email)

Remove or delete the user

The Remove button gives you two options:

  • Delete User
    The user's account and associated keys will be permanently deleted. All connected devices and web sessions will be deleted and the user will not be able to log in and decrypt his encrypted files anymore.
  • Remove User
    The user will only be removed from your company. He will be downgraded to Boxcryptor Free and can still continue to use Boxcryptor, i.e. he can sign in and access his encrypted files as before.

Devices and web sessions

At the bottom, you see all devices which are connected with this user account and you can unlink them (for example, if an employee's laptop is stolen, you can unlink it to prevent unauthorized access to the encrypted data). When a device or web session has been unlinked, the user will be remotely signed out on the next connection with the Boxcryptor servers.

User Directory

You can manually sync your Boxcryptor users with an existing Active Directory or LDAP directory. Alternatively, you can also connect Boxcryptor with your Dropbox for Business account to sync your Dropbox users with Boxcryptor. When you sync your users, Boxcryptor accounts will be created, deleted or removed as necessary. You can choose if a Boxcryptor account should be deleted or just removed from your company account if it is not needed anymore.

Active Directory & LDAP

If you manage the users in your organization with Active Directory or LDAP, you can easily import these users into Boxcryptor. Requirements:

  • Read access to your directory
  • Active Directory or LDAP server which can be reached from our servers

If your Active Directory or LDAP server is located behind a firewall, please whitelist our IP ranges so that our servers can query your directory. The IP ranges should be fairly stable, but might change over time. The current IP ranges are:

136.243.125.192/28
148.251.224.96/28
188.40.161.192/28

To configure Boxcryptor with your user directory, click on the Setup LDAP button. Now you can configure access to your user directory using common Active Directory / LDAP properties:

  • Server Address: Fully qualified URI to your directory server. LDAP and LDAPS protocols are supported.
    Example: ldap://server.company.com:389/
  • User Base: Starting point for the user search.
    Example: dc=company,dc=com
  • User for authentication: User which will be used to connect to your user directory. Must have read access rights.
    Example: cn=Administrator,cn=Users,dc=company,dc=com
  • Password for authentication: Password which will be used to connect to your user directory.
  • Search String: Users returned by this search string will be synced with Boxcryptor.
    Example: (objectClass=user)
  • Search Base: Base for the search string.
    Example: cn=users
  • Field of Firstname: This user directory field will be mapped to the first name of Boxcryptor accounts.
    Example: givenname
  • Field of Lastname: This user directory field will be mapped to the last name of Boxcryptor accounts.
    Example: sn
  • Field of Email: This user directory field will be mapped to the email of Boxcryptor accounts.
    Example: userprincipalname
  • Deletion Procedure: When a Boxcryptor account does not exist in your user directory anymore, it will either be deleted, removed or disabled.

Dropbox for Business

To connect Boxcryptor with your Dropbox for Business account, click on the Setup Dropbox for Business button, followed by the Connect button on the next page. If not done yet, you must log in to your Dropbox account and grant Boxcryptor access to your Dropbox for Business account.

Import users

After setting up your user directory or Dropbox for Business account, you can import your users. It is strongly recommended to first enable the Dry run option, which gives you a preview of what will happen when you import your users. When performing a dry run, you will see which Boxcryptor accounts would be created, which users would be invited to join your company and which Boxcryptor accounts would be deleted. If everything looks fine, uncheck the "Dry run" checkbox and the changes will be written to the database. If you need to resync your users at a later time, simply start the import process again.
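The following planner is an added illustration (not Boxcryptor's own code) of the dry-run logic described above: it takes the entries a search string returns, maps them through the page's example field names (givenname, sn, userprincipalname), and computes which accounts would be created, which existing accounts would be invited, and which company users no longer found in the directory would be handled by the configured Deletion Procedure. That Boxcryptor matches directory users to accounts by lower-cased email is an assumption; the directory entries and company state are constructed sample data.

```python
# Dry-run planner for a directory-to-Boxcryptor user import (added illustration).
# Assumption: accounts are keyed on the lower-cased email address. Sample data is constructed.
from typing import Dict, Iterable, List, Set

# Field mapping with the page's example LDAP attribute names.
FIELD_MAP = {"firstname": "givenname", "lastname": "sn", "email": "userprincipalname"}
DELETION_PROCEDURES = ("delete", "remove", "disable")


def map_directory_entry(entry: Dict[str, str], field_map: Dict[str, str] = FIELD_MAP) -> Dict[str, str]:
    """Map raw directory attributes to Boxcryptor account fields.
    A missing name attribute becomes an empty string; a missing email attribute is an error,
    because the email is the identity the accounts are keyed on."""
    if field_map["email"] not in entry:
        raise ValueError(f"directory entry without {field_map['email']}: {entry}")
    return {
        "firstname": entry.get(field_map["firstname"], ""),
        "lastname": entry.get(field_map["lastname"], ""),
        "email": entry[field_map["email"]].strip().lower(),
    }


def plan_sync(directory_entries: Iterable[Dict[str, str]], company_users: Set[str],
              existing_accounts: Set[str], deletion_procedure: str) -> Dict[str, List[str]]:
    """Compute what an import would do, without applying anything (the "Dry run").

    directory_entries:  entries returned by the search string (raw attributes)
    company_users:      emails that are already members of the company account
    existing_accounts:  emails that already have a Boxcryptor account (e.g. a free one)
    deletion_procedure: what happens to company users no longer found in the directory
    """
    if deletion_procedure not in DELETION_PROCEDURES:
        raise ValueError(f"deletion procedure must be one of {DELETION_PROCEDURES}")
    wanted = {acc["email"]: acc for acc in map(map_directory_entry, directory_entries)}
    plan: Dict[str, List[str]] = {"create": [], "invite": [], "unchanged": [], deletion_procedure: []}
    for email in sorted(wanted):
        if email in company_users:
            plan["unchanged"].append(email)      # already synced, nothing to do
        elif email in existing_accounts:
            plan["invite"].append(email)         # existing account: receives a verification link
        else:
            plan["create"].append(email)         # new account: receives a temporary password
    for email in sorted(company_users - wanted.keys()):
        plan[deletion_procedure].append(email)   # gone from the directory: apply Deletion Procedure
    return plan


def format_plan(plan: Dict[str, List[str]]) -> str:
    """Human-readable preview, the way an admin reads a dry run before committing."""
    return "\n".join(f"{action}: {', '.join(emails) if emails else '-'}" for action, emails in plan.items())


# Constructed sample directory result and current company state.
SAMPLE_DIRECTORY = [
    {"givenname": "Alice", "sn": "Smith", "userprincipalname": "Alice.Smith@company.com"},
    {"givenname": "Bob", "sn": "Jones", "userprincipalname": "bob.jones@company.com"},
    {"givenname": "Carol", "sn": "Lee", "userprincipalname": "carol.lee@company.com"},
]
SAMPLE_COMPANY_USERS = {"alice.smith@company.com", "dave.miller@company.com"}
SAMPLE_EXISTING_ACCOUNTS = {"alice.smith@company.com", "bob.jones@company.com"}

if __name__ == "__main__":
    print(format_plan(plan_sync(SAMPLE_DIRECTORY, SAMPLE_COMPANY_USERS, SAMPLE_EXISTING_ACCOUNTS, "disable")))
```

With the sample data, Alice is unchanged, Bob (who already has an account) is invited, Carol is created, and Dave, who is no longer in the directory, is disabled rather than deleted; choosing "disable" keeps his keys, which matters if you may later need the Master Key for his files.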

Policies

A company can define a set of policies (rules) that apply to its users (e.g. minimum password length). A policy can be applied to all users, and it is possible to include or exclude specific users.

Available Policies

Access

  • Restrict sign in to specific countries
    A user can only sign in to his account from specific countries. Enter the two-letter country codes (ISO 3166-1 alpha-2) of the allowed countries, separated by white space, in the "Value" field, e.g. "US CA GB" to allow access for users from within the United States, Canada or the United Kingdom. If you want to restrict more than just signing in, take a look at the "Restrict use to specific countries" policy. Tip: We recommend excluding your own user from the policy while you are setting it up and testing it.
    Example Value: US UK DE
  • Restrict sign in to specific IP addresses
    A user can only sign in to his account from IP addresses that match the regular expression specified in the "Value" field. If you want to restrict more than just signing in, take a look at the "Restrict use to specific IP addresses" policy. Tip: We recommend excluding your own user from the policy while you are setting it up and testing it.
    Example Value: ^123.123.123.(1([0-9][0-9])|200)$
  • Restrict use to specific countries
    A user can use Boxcryptor only in specific countries. If a user connects from any other country, he will be signed out and will not be able to sign in. Enter the two-letter country codes (ISO 3166-1 alpha-2) of the allowed countries, separated by white space, in the "Value" field, e.g. "US CA GB" to allow access for users from within the United States, Canada or the United Kingdom. If you only want to restrict signing in and not affect users who are already signed in, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend excluding your own user from the policy while you are setting it up and testing it.
    Example Value: US UK DE
  • Restrict use to specific IP addresses
    A user can use Boxcryptor only from an IP address that matches the regular expression specified in the "Value" field. If a user connects from any other IP address, he will be signed out and will not be able to sign in. If you only want to restrict signing in and not affect users who are already signed in, take a look at the "Restrict sign in to specific IP addresses" policy. Tip: We recommend excluding your own user from the policy while you are setting it up and testing it.
    Example Value: ^123.123.123.(1([0-9][0-9])|200)$
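The checks below are an added illustration, not Boxcryptor code, for validating the two kinds of Access policy values before you save them: the country list is parsed into two-letter codes (a malformed token is rejected instead of silently shrinking the allowlist), and the IP regex is evaluated against a client address. The page does not say how Boxcryptor applies the regex internally, so a whole-string match is an assumption. The example also flags unescaped dots in the page's sample pattern (a "." matches any character) and builds a fully escaped, anchored regex from CIDR ranges, so an admin can think in networks instead of hand-writing regexes. The 203.0.113.0/24 addresses are RFC 5737 documentation addresses used as constructed input.

```python
# Validation helpers for "Restrict ... to specific countries / IP addresses" policy values.
# Added illustration; assumes the regex must match the whole client address (fullmatch).
import ipaddress
import re
from typing import Iterable, Set


def parse_country_value(value: str) -> Set[str]:
    """Whitespace-separated two-letter codes -> upper-cased set.
    Anything that is not exactly two letters is rejected, so a typo cannot
    silently widen or break the allowlist."""
    codes = set()
    for token in value.split():
        if not re.fullmatch(r"[A-Za-z]{2}", token):
            raise ValueError(f"not a two-letter country code: {token!r}")
        codes.add(token.upper())
    return codes


def country_allowed(country: str, value: str) -> bool:
    return country.upper() in parse_country_value(value)


def ip_allowed(client_ip: str, pattern: str) -> bool:
    """True if the client address matches the policy regex (assumption: whole-string match)."""
    return re.fullmatch(pattern, client_ip) is not None


def unescaped_dots(pattern: str) -> int:
    """Count '.' characters not preceded by a backslash: each one matches any
    character, so the pattern is looser than it reads."""
    return len(re.findall(r"(?<!\\)\.", pattern))


def allowlist_regex(networks: Iterable[str], max_hosts: int = 1024) -> str:
    """Build an anchored, fully escaped regex from CIDR ranges or single addresses."""
    hosts = []
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        if network.num_addresses > max_hosts:
            raise ValueError(f"{net} has {network.num_addresses} addresses; too many to enumerate")
        hosts.extend(str(addr) for addr in network)
    return "^(?:" + "|".join(re.escape(h) for h in hosts) + ")$"


# The page's example pattern (hosts .100 to .200) and a version with escaped dots.
PAGE_PATTERN = r"^123.123.123.(1([0-9][0-9])|200)$"
STRICT_PATTERN = r"^123\.123\.123\.(1[0-9][0-9]|200)$"

if __name__ == "__main__":
    print("unescaped dots in page pattern:", unescaped_dots(PAGE_PATTERN))
    print("office allowlist:", allowlist_regex(["203.0.113.0/29", "203.0.113.42"]))
```

For a dotted-quad IPv4 address the unescaped dots in the page's pattern happen to be harmless (a valid address is never 16 characters long), but escaping them costs nothing and keeps the pattern honest if it is ever reused or extended.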

Account

  • Disable auditing
    Do not store any auditing information. This only applies to new auditing data; existing auditing data will not be deleted.
  • Disallow account reset
    Users may not reset their account.
  • Disallow key export
    Users may not export their account data.

Devices

  • Maximum number of devices
    A user can only be connected to a maximum number of devices at the same time. Please enter the maximum number of devices in the "Value" field.
    Example Value: 5

Encryption

  • Disallow filename encryption
    Filename encryption is forbidden and cannot be enabled.
  • Require encryption
    Encryption is obligatory and every new file will automatically be encrypted.
    Important: This policy only removes the ability to create unencrypted files or to e.g. decrypt files via the context menu. If the user really wants to permanently decrypt a file, he might be able to find ways to do so.
  • Require filename encryption
    Filename encryption is obligatory and cannot be disabled.

Features

  • Master key
    The password key of a user is additionally encrypted with the master key and stored. This grants the company administrator access to the private key of a user and thus all encrypted files to which the user has access. You have to generate the master key in Boxcryptor for Windows or Boxcryptor for Mac and paste it into the "Value" field.

Groups

  • Disallow to create groups
    A user may not create any new group.
  • Disallow to join groups
    A user may not join any group.
  • Disallow to leave groups
    A user may not leave any group.

Using all three group policies, users can effectively be prevented from modifying groups. If administrators are excluded from the policies, only administrators can manage groups of their company.

Locations

  • Maximum number of locations
    A user can only have a maximum number of locations (Desktop) or providers (Mobile) configured at the same time.
    Example Value: 2

Multifactor

  • Disallow two-factor authentication using authenticator apps
    Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are not allowed to set up an authenticator app for their accounts, and any existing authenticator app will be disabled.
  • Require two-factor authentication using authenticator apps
    Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are forced to set up an authenticator app for their accounts and enter an additional security code when signing in. Users will not be able to sign in to any Boxcryptor client until they have set up an authenticator app.
  • Require two-factor authentication using Duo
    Boxcryptor supports two-factor authentication using Duo. A user is forced to approve his sign-in with a second factor, e.g. his mobile device.

Password

  • Disable remember password
    A user cannot use the "Remember password" feature and has to enter his password every time the Boxcryptor software starts.
  • Minimum password length
    New passwords must have a minimum number of characters. Please enter the minimum number of characters in the "Value" field.
    Example Value: 12

Permissions

  • Disallow to modify permissions
    A user may not modify any permission of encrypted files or folders.

Using this policy, users can be prevented from modifying permissions. If administrators are excluded from this policy, only administrators can manage file and folder permissions.

Master Key

The Master Key is one of the most important Boxcryptor Company and Boxcryptor Enterprise features. If enabled, the Master Key gives you the power to decrypt every file accessible to users of your company and to reset your users' passwords without having to know them. With the Master Key, you are protected against losing access to your property (your files) even in complicated situations (e.g. when a user forgets his password or leaves the company).

Set up the Master Key

Step 1: Generate the Master Key

You will lose access to the Master Key if you forget your Master Key password. We are not able to restore it because Boxcryptor is zero-knowledge.

The Master Key generation takes place on your local machine and your Master Key password never leaves your computer. Boxcryptor is zero-knowledge and any sensitive information that leaves your local computer will always be encrypted.

  1. Use Boxcryptor for Windows or Boxcryptor for macOS.
  2. Open Settings or Preferences.
  3. Select the Account tab.
  4. Click on Generate.
  5. Enter a secure Master Key Password and store it in a safe place.
  6. Click on Generate.

Step 2: Add the Master Key Policy

  1. Go to boxcryptor.com.
  2. Navigate to Policies.
  3. Add a new Master Key policy.
  4. Copy & Paste the Master Key which you generated in step 1 to the Value field.

After the Master Key policy has been added, all affected users will be forced to change their password the next time they sign in to Boxcryptor, which activates the Master Key for each of them.

Each user has to change his password in order to activate the Master Key for his account. The Master Key is inactive and unusable for a user until he has changed his password.

Use the Master Key

When the Master Key is set up and activated, it can be used to reset a user's password or access the user's encrypted files in emergency situations.

Reset a user's password

  1. Go to boxcryptor.com.
  2. Navigate to Users and edit a user.
  3. Verify that the Master Key is active.
  4. Click on Reset user password.

Access your users' encrypted files

  1. Use Boxcryptor for Windows or Boxcryptor for macOS.
  2. Open Settings or Preferences.
  3. Select the Account tab.
  4. Click on Unlock.
  5. Enter your Master Key Password.
  6. Get physical access to the encrypted files.
  7. Access any encrypted file which can be decrypted by any of your users with an active Master Key.

The Master Key gives you access to the user's private key, so you can decrypt exactly the files the user can decrypt. If the user cannot decrypt a file because he currently does not have the necessary permission, you cannot decrypt the file either. The Master Key gives you access to all files your users currently have access to, not to every file your users ever created once they no longer have access to it.

If you delete a user, the user's private key will be deleted and you will permanently lose access to files which can only be accessed by this user, even if the Master Key is active. If you want to retain the ability to access a user's files in the future, it is recommended to disable the user instead.
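The model below is an added illustration, not Boxcryptor's code, of the key hierarchy behind the Master key policy (under Features) and the Master Key section above: why the Master Key only becomes active for a user after a password change, why a password reset needs the master password but not the user's old password, why a forgotten master password has no recovery path, and why deleting a user defeats the Master Key while disabling does not. It assumes the Master Key is a key pair whose public half is what goes into the policy "Value" field, and it uses toy cryptography (an HMAC-SHA256 keystream with an HMAC tag instead of an AEAD, hashed Diffie-Hellman over the RFC 3526 group 14 modulus instead of the production scheme; the user's "private key" is a random 32-byte stand-in). The structure is the point, not the strength; none of this is for real use.

```python
# Model of the Boxcryptor Master Key recovery path (added illustration, toy crypto).
# Assumption: the Master Key is a key pair; its public half is the policy Value.
import hashlib
import hmac
import os
import secrets

# RFC 3526 group 14 (2048-bit MODP) modulus and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PBKDF2_ROUNDS = 200_000


def kdf(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte wrapping key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def generate_master_key(master_password: str):
    """Step 1 on the page, entirely local. Returns (public half for the policy Value
    field, private half locked under the master password and kept on the admin machine)."""
    priv = secrets.randbelow(P - 2) + 2
    salt = os.urandom(16)
    locked_priv = salt + wrap(kdf(master_password, salt), priv.to_bytes(256, "big"))
    return pow(G, priv, P), locked_priv


def unlock_master_key(locked_priv: bytes, master_password: str) -> int:
    """The "Unlock" step. A forgotten master password fails here, with no recovery path."""
    return int.from_bytes(unwrap(kdf(master_password, locked_priv[:16]), locked_priv[16:]), "big")


def public_wrap(master_pub: int, plaintext: bytes) -> bytes:
    """Encrypt to the master public key (hashed DH); needs only the policy value."""
    eph = secrets.randbelow(P - 2) + 2
    key = hashlib.sha256(pow(master_pub, eph, P).to_bytes(256, "big")).digest()
    return pow(G, eph, P).to_bytes(256, "big") + wrap(key, plaintext)


def public_unwrap(master_priv: int, blob: bytes) -> bytes:
    key = hashlib.sha256(pow(int.from_bytes(blob[:256], "big"), master_priv, P).to_bytes(256, "big")).digest()
    return unwrap(key, blob[256:])


def create_user(password: str) -> dict:
    """Server-side record: the private key exists only in wrapped form."""
    private_key = secrets.token_bytes(32)   # stand-in for the user's real private key
    salt = os.urandom(16)
    return {"salt": salt, "pw_wrapped": wrap(kdf(password, salt), private_key),
            "mk_wrapped": None, "password_expired": False}


def master_key_active(rec: dict) -> bool:
    return rec["mk_wrapped"] is not None


def user_change_password(rec: dict, old_password: str, new_password: str, master_pub=None) -> None:
    """Runs on the user's client. The private key is in plaintext only here, which is the
    moment the master-key wrapping can be created: the "activation" the page describes."""
    private_key = unwrap(kdf(old_password, rec["salt"]), rec["pw_wrapped"])
    rec["salt"] = os.urandom(16)
    rec["pw_wrapped"] = wrap(kdf(new_password, rec["salt"]), private_key)
    if master_pub is not None:
        rec["mk_wrapped"] = public_wrap(master_pub, private_key)
    rec["password_expired"] = False


def user_private_key(rec: dict, password: str) -> bytes:
    return unwrap(kdf(password, rec["salt"]), rec["pw_wrapped"])


def admin_reset_password(rec: dict, master_priv: int) -> str:
    """Recover the private key via the Master Key, re-wrap it under a temporary password."""
    if not master_key_active(rec):
        raise RuntimeError("Master Key inactive for this user; nothing to recover from")
    private_key = public_unwrap(master_priv, rec["mk_wrapped"])
    temp_password = secrets.token_urlsafe(12)
    rec["salt"] = os.urandom(16)
    rec["pw_wrapped"] = wrap(kdf(temp_password, rec["salt"]), private_key)
    rec["password_expired"] = True          # user must pick a new password at next login
    return temp_password


def delete_user(rec: dict) -> None:
    """Delete destroys both wrappings, so the Master Key cannot help afterwards;
    disabling the user instead leaves the record (and this recovery path) intact."""
    rec["pw_wrapped"] = rec["mk_wrapped"] = None
```

Walking through it in order: a freshly created user has no master-key wrapping, so a reset fails; after the user changes his password with the policy in place, the wrapping exists and the admin can recover the same private key under a temporary password without ever learning the user's old one; after delete_user, nothing is left to recover.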

Activities

Activities allow administrators to monitor user activities by logging and recording events related to users, devices, groups and policies. You can filter by date and user, as well as set a maximum number of activities. An activity contains the following information:

  • Date / time
  • Activity type
  • Short description
  • Country

Deployment

Besides users installing Boxcryptor on their devices themselves (which requires administrator rights), Boxcryptor administrators can also roll out and deploy Boxcryptor for their users.

Deployment through GPO

Boxcryptor can be deployed comfortably within a company network by means of group policies. The basic steps for this process are described in this tutorial.

There are, however, a couple of necessary modifications to the process described in the tutorial. This is because the Boxcryptor installer is multi-language and cannot be deployed via group policy without modification.

Prerequisites:
Microsoft Orca is required to modify the Boxcryptor installer. It is a tool that allows modification of existing MSI package files and can be downloaded here. Unpack it with a tool such as WinRAR and use the embedded orca.msi to install Microsoft Orca.

  1. Download the current version of Boxcryptor from here.
  2. Open Microsoft Orca and open the Boxcryptor Setup MSI package.
  3. Select View -> Summary Information….
  4. Remove all entries in Language except 1033.
  5. Click OK.
  6. Save the installer using File -> Save.

The installation might still fail due to different language settings on your client. In this case, make sure to ignore languages during installation:

  1. Open the Group Policy Management Editor.
  2. Navigate to the Boxcryptor deployment package.
  3. Right-click it -> Properties.
  4. Navigate to Deployment -> Advanced.
  5. Make sure that Ignore language when deploying this package is checked.

If the installation still fails, try the following steps:

  • Open the Group Policy Management Editor, navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy and increase the Startup policy processing wait time.
  • Open the Group Policy Management Editor and make sure that Make this 32-bit X86 application available on Win64 machines is checked (next to the Ignore language when deploying this package setting).

Custom Installer Flags

The installer can be started with the following flags:

  • CREATE_AUTOSTART_ENTRIES (default: "True"), set to "False" to avoid creating autostart entries for Boxcryptor.
  • CREATE_DESKTOP_SHORTCUT (default: "True"), set to "False" to avoid creating a desktop shortcut for Boxcryptor.
  • SHELLEXTLOGS (default: "False"), set to "True" to enable logging for the Explorer integration.

Use the flags like so:

msiexec /i <PATH\TO\INSTALLER.msi> [<FLAG>=<VALUE> [<FLAG>=<VALUE>]... ]
    VALUE :: "True"|"False"

Custom Settings location

Boxcryptor will by default store its user settings at %localappdata%\Boxcryptor.

The destination can also be set using the following methods:

  • Boxcryptor.exe.config (in the Boxcryptor installation directory): change CustomSettingsPath value.
  • HKLM Registry: Create a string value SettingsPath under HKEY_LOCAL_MACHINE\SOFTWARE\Secomba GmbH\Boxcryptor
  • HKCU Registry: Create a string value SettingsPath under HKEY_CURRENT_USER\Software\Secomba GmbH\Boxcryptor

Settings prioritization:

Boxcryptor.exe.config > HKLM > HKCU > default path at %localappdata%\Boxcryptor

We recommend using environment variables such as %appdata% or %userprofile% so that the settings are distinct between user profiles.

Sharing the same settings folder among multiple Windows user profiles is not supported.