Key Management at Boxcryptor
Boxcryptor Key Management explained
Private Key and Public Key – Asymmetric Encryption
Cryptography is the science of information security. This refers to the design, definition and construction of information systems that are resistant to manipulation and protected against unauthorized access. An important aspect of this is encryption.
This text is concerned with symmetric encryption using AES-, and asymmetric encryption using the RSA algorithm. At Boxcryptor, AES is the encryption algorithm that encrypts the information (file), while RSA is used for managing the keys. There are two different keys being managed: the (1) public key and the (2) private key. This principle of managing keys is also referred to as public-key infrastructure.
Encryption Method Used at Boxcryptor
After a file has been encrypted using the AES algorithm, the AES key for decryption is itself encrypted using the RSA public key. The encrypted AES key is then attached to the encrypted file.
By making use of the public-key infrastructure for encryption, it becomes possible for different users to open the same file: Each user receives his own key, which is attached to the file (by means of access authorization). The keys of each individual user work independently of each other.
Using two keys in the asymmetric encryption method (instead of one, as in the symmetric method), eliminates the need to transfer the file-key (i.e. AES key necessary to decrypt the file) in plain text. The public key is not secret and can be requested (usually via a central instance). The encrypted file-key is safely attached to the file, because it may only be decrypted by using the corresponding private key, which only a user with permission to access the file holds. The central instance for public key assignment is the server of Boxcryptor. Public and private keys of each user are stored in encrypted form on this server – encrypted with the respective private key, once more. Hence, access by the Boxcryptor team is not possible, at any time.
But Why Do Public and Private Key Match?
Private key and public key match because they were calculated as a pair by a key-generation algorithm. Boxcryptor uses the RSA key-generation algorithm. This cryptographic technique was developed by the three mathematicians Rivest, Shamir and Adleman at MIT.
Key Management at Boxcryptor
The keys of a Boxcryptor user are encrypted with the user’s own private key, which in turn is encrypted with the users password - Therefore, since Boxcryptor does not know the user’s password (not saved anywhere and never sent to a server - the login is performed with a hash of the password) there is no possibility to access a user’s private key==> It is not possible to decrypt any file of a user: Zero Knowledge
Users may export the keys to a local key file. This key file can be used in combination with a local account. To use a local account, no connection to the Boxcrytor servers is necessary. Even if the service would be interrupted for a long period of time or completely shut down, users could always access their files with Boxcryptor. The instructions for exporting keys to Boxcryptor can be found here.
Key Management for Organizations – The Master Key
The Master Key is one of the most important Boxcryptor Company and Boxcryptor Enterprise features. If enabled, the Master Key gives company admins the ability to decrypt every file which is accessible by users of the respective company, or resetting the users' passwords - without having to know the password.
The Master Key protects against the loss of access to property (company files) even in complicated situations (e.g. when a user forgets his password or leaves the company). For more information click here.
Join our Free Webinar
Get to know the features of our plans Boxcryptor Company, Boxcryptor Enterprise, and Boxcryptor for Microsoft Teams in a free webinar. We also provide insights on how to set up Boxcryptor in your company, and are happy to answer any of your questions. Find out when our next webinar takes place.