- How to Create a Debug Log
- I Cannot Move a File to an Encrypted Folder
- This Application Requires a Java Runtime Environment
- USB Flash Drive Support
- Where can I download Boxcryptor Classic?
- What happens if Boxcryptor goes out of business?
- Outdated Clients
- Cannot open some files
- Known Limitations
- What is a FolderKey.bch and a .bclink file
This short quickstart guide for company administrators provides you with the best solution on how to set up Boxcryptor. This way you can avoid sync-problems or long waiting times during the encryption.
Our Guides to Download
- Best Practice Guide for Admins: Download PDF
- Quickstart Guide for Company Users: Download PDF
- Quickstart for Windows and Dropbox (for Boxcryptor Admins): Download PDF
Some Tips for the Safety of Your Data
- Make sure that your cloud is accessible.
- For your first test we recommend using some dummy files, to figure out how everything works.
- Be aware that encrypting and migrating your company’s data could take a day or two, depending on how much data you handle.
Now you are ready to get started. Following the next steps in the right order is important because it will make sure that Boxcryptor works as quick as possible and at its general best.
How to Set up Your Company Account
Step 1: Go to boxcryptor.com and set up your company admin account:
- Sign in with your admin account to boxcryptor.com
- Get to know the general functionalities, especially the available Boxcryptor Company policies.
- Set the two most important Boxcryptor Company Policies:
- Disable account reset to avoid data loss and stay in control.
- Master key (only with the Master Key enabled you will be able to reset passwords if someone in the company forgets it, which is unfortunately very likely).
Step 2: Create all necessary groups, but do not add any members yet.
Step 3: Create your folder structure with encrypted folders. Do not share it yet and do not put any data into the folders at this point.
Step 4: Grant all necessary Boxcryptor permissions for these empty folders. Decide now, which groups will be allowed to access which folders. (Please note that all set permissions for encrypted folders will be inherited to its subfolders and files automatically. All files and folders will have the same permissions as their parent folder.)
Step 5: Now it is time to put all your unencrypted data into these folders.
Step 6: Create new accounts or invite your members to your team via boxcryptor.com. Make sure to provide the individually created temporary passwords to each respective Boxcryptor user in your team.
Step 7: Assign all members to their Boxcryptor group or groups.
Step 8: Go to your cloud provider and share the encrypted data there with your team members. This step is necessary, since you only shared the permission to access the encrypted data in Boxcryptor so far. Now, you also have to share the data physically at your cloud provider.
Congratulations, you are all set now.
How to Manage Your Users
With a company account you can have 5, 10, 20, 50 or even 10.000 users. You can manage them on the Users page.
The user status is shown on the top of the page (it indicates the amount of available and used users). Below this section, you will find the user overview where you see a list of your users. Here you can edit users or remove them from your company.
In the middle, you can add new users to your company by entering their email address. If you want to create more than one user, you can enter a comma separated list of email addresses, e.g.:
email@example.com, firstname.lastname@example.org, email@example.com
If the user does not have a Boxcryptor account yet, he will receive an email with the account information and a temporary password. If the user already has a Boxcryptor account, he will receive an email with a verification link to join the company. The user must accept your invitation by clicking the verification link before he is added to your company.
Manage a single user
When you click Edit on a single user, you will see the user detail page, where you can view and edit the follonwing user details.
If the Master Key is enabled for your company, this field indicates whether it is active for the given user. The user must change his password at least once after the Master Key has been enabled, in order to become active for a given user. Only if the Master Key is active for a user, it can be used to access the user’s encrypted files or reset his password. Possible values are:
- Active The user’s files can be accessed using the master key and it can also be used to reset the user's password.
- Inactive The user’s files cannot be accessed and his password cannot be reset. The user must login to Boxcryptor and change his password in order to activate the master key.
If this field is enabled, the user must change his Boxcryptor password at the next login.
If a user is enabled, he can use Boxcryptor regularly. If a user is disabled, he cannot use Boxcryptor anymore and does use a license, i.e. he does not count against your license quota. This can be used to temporarily disable user accounts (e.g. for consultants, interns) without having to remove or delete them.
Reset User Password
If the Master Key is active, the Reset User Password button allows you to reset the user’s password:
- Unlock Master Key
- Copy the new temporary password
- Confirm by entering your own password
- Send the new temporary password to the user using a secure channel (e.g. encrypted email)
Remove or Delete A User
The Remove button gives you two options:
- Delete User The user’s account and associated keys will be permantently deleted. All connected devices and web session will be deleted and the user will not be able to login and decrypt his encrypted files anymore.
- Remove User The user will only be removed from your company. He will be downgraded to Boxcryptor Free and can still continue to use Boxcryptor, i.e. he can sign in and access his encrypted files as before.
Devices and Web Sessions
At the bottom, you see all devices which are connected with this user account and you can unlink them (for example if an employees’ laptop is stolen, you can unlink it to prevent unauthorized access to the encrypted data). When a device or web session has been unlinked, the user will be remotely signed out on the next connection with the Boxcryptor servers.
You can manually sync your Boxcryptor users with an existing Active Directory or LDAP directory. Alternatively, you can also connect Boxcryptor with your Dropbox for Business account to sync your Dropbox users with Boxcryptor. When you sync your users, Boxcryptor accounts will be created, deleted or removed as necessary. You can choose if a Boxcryptor account should be deleted or just removed from your company account if it is not needed anymore.
Active Directory & LDAP
If you manage your users in your organization with an Active Directory or LDAP you can easily import these users and groups to Boxcryptor. Requirements:
- Read access to your directory
- Active Directory or LDAP server which can be reached from our servers
- Groups Sync: LDAP admin need to set a unique never changing id per group
Click here if you need to whitelist our IP’s for your firewall.
If your Active Directory or LDAP server is located behind a firewall, please whitelist our IP ranges so that our servers can query your directory. The IP ranges should be fairly stable, but might change over time. The current IP ranges are:
188.8.131.52/28 184.108.40.206/28 220.127.116.11/28
To configure Boxcryptor with your user directory, click on the Setup LDAP Button. Now you can configure the access to your user directory using common Active Directory / LDAP properties:
- Server Address: Fully qualified URI to your directory server. LDAP and LDAPS protocols are supported. Example: ldap://server.company.com:389/
- User Base: Starting point for the user search. Example: dc=company,dc=com
- User for authentication: User which will be used to connect to your user directory. Must have read access rights. Example: cn=Administrator,cn=Users,dc=company,dc=com
- Password for authentication: Password which will be used to connect to your user directory.
- Search String: Users returned by this search string will synced with Boxcryptor. Example: (objectClass=user)
- Search Base: Base for the search string. Example: cn=users
- Field of Firstname: This user directory field will be mapped to the firstname of Boxcryptor accounts Example: givenname
- Field of Lastname: This user directory field will be mapped to the lastname of Boxcryptor accounts Example: sn
- Field of Email: This user directory field will be mapped to the email of Boxcryptor accounts Example: userprincipalname
- Deletion Procedure: When a Boxcryptor account does not exist in your user directory anymore, it will either be deleted, removed or disabled.
Dropbox for Business
To connect Boxcryptor with your Dropbox for Business account, click on the Setup Dropbox for Business button followed by the Connect button on the next page. If not done yet, you must login to your Dropbox account and grant Boxcryptor access to your Dropbox for Business account.
After setting up your user directory or Dropbox for Business account, you can import your users. You will see which Boxcryptor accountsand groups would be created, which users would be invited to join your company or which Boxcryptor accounts would be deleted. If you think everything is fine, unlock the "Synchronize" button, and the changes will be written to the database. If you need to resync your users at a later time, simply start the import process again.
A company can define a set of policies (rules) which applies to their users (e.g. minimum password length). A policy can be applied to all users and it is possible to include or exclude specific users.
- Restrict sign in to specific countries A user can only sign in to his account from specific countries. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it.
- Restrict sign in to specific IP addresses A user can only sign in to this account from IP addresses which match the regular expression specified in the "Value" field. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific IP addresses" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict Use to Country of Sign-In A user can use Boxcryptor only in the country where he initially signed in. If the country changes and a user connects from any other country, he will be signed out and will have to sign in again.
- Restrict Use to IP-Address of Sign-In A user can use Boxcryptor only from the IP address where he initially signed in. If the IP address changes and a user connects from any other IP address, he will be signed out and will have to sign in again. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict use to specific countries A user can use Boxcryptor only in specific countries. If a user is connected from any other country, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it.
- Restrict use to specific IP addresses A user can use Boxcryptor only from an IP address which matches the regular expression specified in the "Value" field. If a user is connected from any other IP address, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend to exclude your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Disable auditing Do not store any auditing information. This only applies to new auditing data - existing auditing data will not be deleted.
- Disallow account reset Disallow users to reset their account.
- Disallow key export Disallow your users from exporting their account data.
- Maximum number of devices A user can only be connected to a maximum number of devices at the same time. Please enter the maximum number of devices in the "Value" field. Example Value: 5
- Disallow filename encryption Filename encryption is forbidden and cannot be enabled.
- Require encryption Encryption is obligatory and every new file will automatically be encrypted. Important: This policy only removes the ability to create unencrypted files or to e.g. decrypt files via the context menu. If the user really wants to permanently decrypt a file, he might be able to find ways to do so.
- Require filename encryption Filename encryption is obligatory and cannot be disabled.
- Disable Whisply A user cannot share encrypted files via Whisply.
- Disallow to create groups A user may not create any new group.
- Disallow to join groups A user may not join any group.
- Disallow to leave groups A user may not leave any group.
Using all three group policies, users can effectively be prevented from modifying groups. If administrators are excluded from the policies, only administrators can manage groups of their company.
- Allow Locations A user may only use the locations which are specified here. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Maximum number of locations A user can only have a maximum number of locations (Desktop) or providers (Mobile) configured at the same time. Example Value: 2
- Require Locations A user must have the locations which are specified. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Disallow two-factor authentication using authenticator apps Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are not allowed to setup an authenticator app for their accounts and any existing authenticator app will be disabled.
- Require two-factor authentication using authenticator apps Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are forced to setup an authenticator app for their accounts and enter an additional security code when signing in. Users will not be able to sign in to any Boxcryptor client until they setup an authenticator app.
- Require two-factor authentication using Duo Boxcryptor supports two-factor authentication using Duo. A user is forced to approve his sign in with a second factor, e.g. his mobile device.
- Disallow two-factor authentication using security keys Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are not allowed to setup a security key for their accounts and any existing security key will be disabled.
- Require two-factor authentication using security keys Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are forced to setup a security key for their accounts and authorize with the key when signing in. Users will not be able to sign in to any Boxcryptor client until they setup a security key.
- Disable remember password A user cannot use the "Remember password" feature and has to enter his password every time the Boxcryptor software starts.
- Minimum password length New passwords must have a minimum number of characters. Please enter the minimum number of characters in the "Value" field. Example Value: 12
- Disallow to modify permissions A user may not modify any permission of encrypted files or folders.
Using this policy, users can be prevented from modifying permissions. If administrators are excluded from this policy, only administrators can manage file and folder permissions.
The Master Key is one of the most important Boxcryptor Company and Boxcryptor Enterprise features. If enabled, the Master Key gives you the power to decrypt every file which is accessible by users of your company or resetting your users' passwords - without having to know them. With the Master Key, you are protected against the loss of access to your property (your files) even in complicated situations (e.g. when a user forgets his password or leaves the company).
Set up the Master Key
You will lose access to the Master Key if you forget your Master Key password. We are not able to restore it because Boxcryptor is zero knowledge.
- Go to boxcryptor.com.
- Navigate to Security and start the setup procedure.
After the Master Key has been set up, every user will be forced to change their password the next time they sign in to Boxcryptor in order to activate the Master Key for the user.
Each user has to change his password in order to activate the Master Key for his account. The Master Key is inactive and unusable for a user until he changed his password.
Use the Master Key
When the Master Key is set up and activated, it can be used to reset a user's password or access the user's encrypted files in emergency situations.
Reset a user's password
- Go to boxcryptor.com.
- Navigate to Users and edit a user.
- Verify that the Master Key is active.
- Click on Reset password.
Access your users' encrypted files
- Use Boxcryptor for Windows or Boxcryptor for macOS.
- Open Settings or Preferences.
- Select the Account tab.
- Click on Unlock.
- Enter your Master Key Password.
- Get physical access to the encrypted files
- Access any encrypted file which can be decrypted by any of your users with an active Master Key.
The Master Key gives you access to the user's private key so that you can decrypt files which also the user can decrypt. If the user cannot decrypt a file because he currently does not have the necessary permission, you also cannot decrypt the file. The Master Key gives you access to all files your users currently have access to, not to any file ever created by your users if they do not have access anymore.
If you delete a user, the user's private key will be deleted and you will permanently lose access to files which can only be access by this user - even if the Master Key is active. If you want the ability to access a user's files in the future, it is recommended to disable a user instead.
Activities allow administrators to monitor user activitites by logging and recording events related to users, devices, groups and policies. You can filter by date and user as well as setting a maximum number of actvitites. An activity contains the following information:
- Date / time
- Activity type
- Short description
- IP address (last digits are anonymized)
Who can use Boxcryptor for Microsoft Teams?
Boxcryptor for Microsoft Teams is available for all Boxcryptor Company and Boxcryptor Enterprise customers. It is not available for individual users on Boxcryptor Free, Personal or Business plans. If you are interested to use Boxcryptor for Microsoft Teams in your organization, you can start a free 14-day Boxcryptor Company trial or reach out to our sales team for more information. Boxcryptor Company is already available for 5 users and more.
How to setup Boxcryptor for Microsoft Teams?
Setting up Boxcryptor for Microsoft Teams requires two steps:
Step 1: Add the Boxcryptor for Microsoft Teams App
Required role: Microsoft Teams tenant administrator.
The Boxcryptor for Microsoft Teams App must be added to the Microsoft Teams tenant app catalog. To do so, download the Boxcryptor app package and then upload it to your Microsoft Teams tenant. Instructions how to upload the app package can be found here.
Step 2: Connect Boxcryptor and Microsoft Teams
Required role: Boxcryptor administrator.
When the Boxcryptor app is available in your Microsoft Teams tenant, a Boxcryptor administrator must sign in to Boxcryptor in Microsoft Teams once, so that your Boxcryptor organization can be connected to your Microsoft Teams tenant. After at least one Boxcryptor administrator successfully signed in to Boxcryptor in Microsoft Teams, Boxcryptor for Microsoft Teams is available for users.
Where can I use Boxcryptor in Microsoft Teams?
Boxcryptor is available in three locations in Microsoft Teams:
- As a personal app in the left navigation bar. The personal app connects with your own OneDrive so that you can access your own encrypted files.
- As a channel app in a channel's tab bar. The channel app connects with the channel's SharePoint folder so that all channel members can access encrypted files in the channel.
- As a message extension app in channel's message compose box. The message extension app allows you to post and view encrypted files for other channel members in the channel chat. Encrypted files uploaded in the channel chat are stored in the channel's encrypted files root folder.
All three apps are included in the app package you need for the installation and are installed as a complete package.
How can encrypted files be stored in a channel?
Add the Boxcryptor tab to the channel and all channel members will be able to store and access encrypted files in the Boxcryptor tab.
How can I upload an encrypted file in the Boxcryptor personal app or channel app?
To upload a file, drag and drop the file to the file browser in Boxcryptor or click on the "Upload" icon in the upper right corner. You can also upload multiple files at once. Files are automatically encrypted on your computer before sent to Microsoft.
How can I upload and post an encrypted file in a channel chat?
Locate the Boxcryptor app in the message compose box. Make sure to also check the "three dots menu" if you can't find it right away. Then, open the Boxcryptor app and drag and drop or select the files to upload them. After the upload finished, a Boxcryptor card will be added to your message which you can send in the chat.
Note: Don't forget to send your message after the files have been uploaded. Only then the Boxcryptor card will be posted in the chat so that other channel members can see it.
Can I encrypt already existing files in Microsoft Teams?
No, it is not possible to encrypt already existing files in Microsoft Teams. If you already have files in Microsoft Teams which you want to encrypt, follow these steps:
- Download the existing files in Microsoft Teams to your computer.
- Delete the files in Microsoft Teams.
- Upload the files in Boxcryptor for Microsoft Teams.
Which files can be preview in Boxcryptor?
In the initial release, Boxcryptor for Microsoft Teams can preview image files (e.g. JPG or PNG) and PDF documents. You can view those files directly in Microsoft Teams without having to download them. If you want to view other files, you must download them and open the downloaded files on your computer. We plan to add preview support for additional file types in the near future.
Can I edit Microsoft Office (Word, Excel, etc.) documents in Boxcryptor?
Unfortunately, no. Microsoft Teams uses Office Online to directly create, view and edit Office documents. Office Online is provided and run by Microsoft and requires Office documents to be sent to Microsoft's servers in order to work with them. For obvious reasons, Boxcryptor cannot send plaintext data to Microsoft and thus does not support Office Online for document editing.
The recommended workflow to edit Office documents in Boxcryptor for Microsoft Teams is to download the document, edit it locally on your device and re-upload the edited document in Boxcryptor for Microsoft Teams. If a file with the same name already exists, you will be asked if you want to overwrite or skip it.
Where are files stored when I downloaded them?
Microsoft Teams stores downloaded files in your default Downloads folder on your computer.
Can I move or copy files and folders?
No, Boxcryptor currently does not offer these file operations. We plan to add them in the future. Sign up to our newsletter) to stay informed about updates.
Can I select multiple files or folders?
No, Boxcryptor currently does not support bulk operations. We plan to add them in the future.
Are all files in Microsoft Teams encrypted by Boxcryptor?
No, even if you install Boxcryptor not all files in Microsoft Teams will or can be encrypted. If you upload files in the channel Files tab, you upload them directly to Microsoft without any chance for Boxcryptor to encrypt them before the upload. This applies when you use the paper clip icon or drag and drop a file when composing a chat message.
To encrypt files in Microsoft Teams, always ensure that you are using the Boxcryptor app, e.g. via the Boxcryptor Personal app, channel app or Boxcryptor in the message compose box. Every file you upload via Boxcryptor for Microsoft Teams will be automatically encrypted.
Can I access the encrypted channel files in the Boxcryptor clients?
Not yet. We are currently working on support for encrypted channel files in the Boxcryptor clients and doing our best to deliver this functionality as soon as possible. Until then, you can access encrypted channel files only in Boxcryptor for Microsoft Teams.
Can I use Boxcryptor for Microsoft Teams on my mobile device, e.g. iPhone or iPad?
Not yet. Microsoft Teams does not yet support third-party apps in the mobile clients and there is nothing we can do about it. However, Microsoft is working on mobile support for apps and it is already available in a developer preview version. Once it is generally available, you will also be able to access your encrypted files in Microsoft Teams on your mobile device.
Can I use Boxcryptor in the Microsoft Teams web app?
Currently, Boxcryptor for Microsoft Teams cannot be used in a regular browser and supports the Microsoft Teams desktop apps for Windows, macOS and Linux. We plan to support the Microsoft Teams web app in the near future.
Can I use Boxcryptor in private channels?
Currently, Boxcryptor for Microsoft Teams supports public channels and cannot be used in private channels. We plan to support private channels in the near future.
Does Boxcryptor for Microsoft Teams have a maximum file size limit?
Boxcryptor for Microsoft Teams is subject to Microsoft's file size limitations but does not impose any additional limit.
How can I enable filename encryption in the Boxcryptor personal app?
By default, filename encryption is disabled for Microsoft Teams. If you want filenames in OneDrive to be encrypted, enable filename encryption in the Boxcryptor settings:
- Open the Boxcryptor personal app in the left navigation bar
- Open the Settings tab
- Enable Filename Encryption
Note: This setting only applies to your Boxcryptor personal app and encrypted files stored in your own OneDrive. It does not apply to encrypted files in your Boxcryptor channel tabs.
How can I enable filename encryption in Boxcryptor channel tabs?
By default, filename encryption is disabled for Microsoft Teams and users cannot enable it in channels. If filenames should be encrypted in channels, Boxcryptor administrators can enable the "Require Filename Encryption" policy. If you need a different way to manage filename encryption in channels, drop us a line with your feedback.
Where are the encrypted channel files stored?
Boxcryptor for Microsoft Teams stores the encrypted files of a channel in a special folder within the channel's folder in the SharePoint team site document library. The special folder is located at
/App Data/b32f3a5e-53f3-4fc7-b387-8aa72d66c95e. If this folder is renamed, moved or deleted, encrypted files can no longer be accessed in Boxcryptor for Microsoft Teams.
How can I prevent the upload of unencrypted files in a channel?
As all files uploaded in a channel are stored in the SharePoint team site, SharePoint permissions can be used to enforce usage of the Boxcryptor app and prevent the upload of unencrypted files in a channel.
- Make sure that the Boxcryptor tab is installed in the channel.
- Open the channel's Files tab and click on Open in SharePoint.
- In SharePoint, on the Details pane by clicking on the Information icon in the upper right corner.
- Click on Manage access and change the members' permissions from Can Edit to Can View.
- Navigate to the Boxcryptor special folder at
- Click on Manage access and change the members' permissions from Can View to Can Edit.
By restricting edit permissions to the Boxcryptor special folder, team members cannot upload files outside of this folder and are prevented from uploading unencrypted files in the Files tab or in the channel's chat.
What happens if the Boxcryptor tab is removed?
Encrypted files stored in the channel's folder in SharePoint are not deleted if the tab is removed. If you change your mind, any user with access to the encrypted files can always add the tab back in and access to encrypted files will be immediately restored. If you do not yet have access to the encrypted files, ask a team member with access to add the Boxcryptor tab again. If you want to delete the encrypted files, you must delete the Boxcryptor App Data folder in SharePoint.
What happens if a channel is deleted?
Encrypted files stored in a channel's folder in SharePoint are not deleted if a channel is deleted. If you change your mind and restore a channel, you will be able to access the encrypted files again after the Boxcryptor tab has been added. If you want to delete the encrypted files, you must delete the Boxcryptor App Data folder in SharePoint.
How can I manage permissions for encrypted files in a channel?
Good news: You don't have to. Boxcryptor automatically takes care of key and permission management so that all channel members have access to encrypted files in the channel. Manual permission management is not required.
When Boxcryptor has been added to a channel, the user who added the tab has access to the encrypted files. If other members open the Boxcryptor tab and do not yet have access, they can request access from other channel members. Once their request has been granted, they can access the encrypted channel files.
How can I sign out from my Boxcryptor account?
- Open the Boxcryptor personal app in the left navigation bar
- Open the Settings tab
- Click on Sign Out
Click on the appropriate icon at the top to see instructions for the different platforms.
Besides users being able to install Boxcryptor on their devices with administrator rights, Boxcryptor administrators can also roll-out and deploy Boxcryptor for their users.