A lack of zero-knowledge encryption is the main problem that’s kept Dropbox from rising higher in our best cloud storage rankings. Evidently, Dropbox agrees that it’s a problem, since it’s taken steps to correct the issue by acquiring German security firm Boxcryptor. In this article, we’ll explain how you can expect Dropbox encryption to change.
- Dropbox has acquired “key assets” from Boxcryptor to add zero-knowledge encryption into its own product.
- Effective immediately, no new Boxcryptor subscriptions can be purchased, but current license-holders can finish out the remainder of their contracts.
- We don’t yet know what zero-knowledge encryption will look like in Dropbox, but it appears it will only be available on Dropbox Business.
As we wrote in our Dropbox review, Dropbox already encrypts files with the industry-standard AES-256 cipher. However, until recently, that encryption only protected files from third parties — Dropbox held the necessary keys to view files stored on customer drives. There’s no evidence that it did so, but the potential was there.
The Boxcryptor acquisition is meant to remove that possibility. Dropbox says it’s acquiring assets from Boxcryptor that will finally let it provide true “zero-knowledge” encryption (though only for business users); that is, nobody but the user has all the keys needed to decrypt their data, so Dropbox itself can’t read it.
Acquiring Boxcryptor is a solid move on paper. It’ll address Dropbox security issues while putting users’ minds at ease. However, will Boxcryptor really add zero-knowledge encryption to Dropbox? When and how will it be implemented, and what does this mean for current Dropbox and Boxcryptor customers? This article shares everything we know so far.
The Boxcryptor Acquisition and Dropbox Encryption
Both Dropbox and Boxcryptor seem reluctant to describe the deal as an acquisition. Instead, they both say Dropbox is acquiring Boxcryptor’s “key assets.” To understand what both companies are thinking, it might help to understand more about what each of them provides.
Dropbox is a cloud storage service, and probably the most popular service that isn’t associated with a tech titan like Google or Microsoft. Its users can store files in the cloud and retrieve them from other devices. If you’ve ever emailed a file to yourself so you can open it at work, Dropbox is basically that with more features.
One of Dropbox’s key selling points is its speed, partly enabled by its use of block-level copying to sync files between devices and the cloud. “Block-level” means that Dropbox servers only sync the parts of the file that changed, as opposed to “file-level” copying, which syncs the entire file every time (the practice used by Box, Google Drive and others).
However, block-level copying isn’t the only thing that makes Dropbox one of the fastest cloud storage options. It also boosts speeds by forgoing zero-knowledge encryption, keeping a copy of every user’s encryption key for faster access. That makes Dropbox more convenient, but less secure. With the acquisition of Boxcryptor, that might change.
Can Boxcryptor Encrypt Dropbox?
Boxcryptor is one of the few companies that provides end-to-end encryption software directly to consumers. It’s a zero-knowledge service that lets you encrypt your Dropbox files (and works with over 30 other cloud storage platforms, including Google Drive and OneDrive). As you can read in our Boxcryptor review, we really like the service it provides.
If you encrypt your files before uploading them to the cloud, Dropbox can’t read them. This also means you’ll miss out on the brisk speeds of block-level sync, but if you like Dropbox for its interface, pricing and features, Boxcryptor can offer you peace of mind.
That is, at least it could have done that. The acquisition changes everything. Before, users could independently encrypt their files with Boxcryptor and shop around for cloud storage. Now that Boxcryptor is part of Dropbox, new users can only subscribe through Dropbox.
One thing that’s not clear is exactly how Dropbox will integrate Boxcryptor’s assets into its service. All encryption comes with a speed cost (that’s why virtual private networks slow down your internet). Buying Boxcryptor may save Dropbox some development time, but it’s uncertain whether it will slow down customers when they sync or share files.
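Why encrypting files before upload costs you block-level sync, shown as an added sketch (not from the original article, and not Dropbox's or Boxcryptor's code): it counts the blocks a sync client would re-upload after a one-byte edit, with and without client-side encryption. The 4 KiB block size, the function names and the hash-based toy cipher (a stand-in for a real cipher that uses a fresh nonce on every save) are assumptions.

```python
import hashlib
import os

BLOCK = 4096  # assumed block size; the article does not give Dropbox's real value


def block_hashes(data: bytes) -> list:
    """Hash each fixed-size block, as a block-level sync client might to spot changes."""
    return [hashlib.sha256(data[i:i + BLOCK]).digest()
            for i in range(0, len(data), BLOCK)]


def changed_blocks(old: bytes, new: bytes) -> int:
    """Number of blocks that must be re-uploaded to turn `old` into `new`."""
    a, b = block_hashes(old), block_hashes(new)
    unchanged = sum(1 for x, y in zip(a, b) if x == y)
    return max(len(a), len(b)) - unchanged


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) with a fresh random nonce per save.
    Illustration only: a stand-in for a real cipher, not AES and not for real data."""
    nonce = os.urandom(16)
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def compare_sync_cost() -> dict:
    """Edit one byte of a constructed 64-block file and count re-uploaded blocks."""
    key = os.urandom(32)
    v1 = os.urandom(64 * BLOCK)          # constructed sample "file"
    edited = bytearray(v1)
    edited[10 * BLOCK + 5] ^= 0xFF       # one-byte edit inside block 10
    v2 = bytes(edited)
    return {
        # The provider sees plaintext blocks: only the edited block differs.
        "plaintext": changed_blocks(v1, v2),
        # The provider sees only ciphertext: the new nonce changes every block.
        "encrypted": changed_blocks(toy_encrypt(key, v1), toy_encrypt(key, v2)),
    }


if __name__ == "__main__":
    print(compare_sync_cost())
```

This models whole-file encryption only; tools that encrypt in independent chunks can behave differently.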
Why Does Zero-Knowledge Encryption Matter?
We tend to recommend zero-knowledge cloud services because data security often comes down to simplicity. Fewer opportunities to leak equals fewer leaks altogether.
When you use a cloud storage service without zero-knowledge encryption, the company holds the keys needed to access your encrypted files. In effect, you’re trusting the company not to use that power for its own purposes, or to let a third party do so (for example, it’s entirely possible for the government to subpoena data from the cloud).
It gets worse. The keys to your data have to be saved somewhere. Unless the cloud company’s operational security is utterly airtight, it’s possible for hackers to access your private documents. If the company suffers a major data breach, your files could be sold on the dark web along with the relevant encryption keys.
In short, so many things can fail that it’s almost always easier and safer to encrypt your files from the moment they arrive in the cloud, or even earlier. Zero-knowledge encryption makes it nearly impossible to decrypt a file that isn’t yours. We understand why Dropbox is so eager to add it to the product.
What This Means for Boxcryptor Users
Boxcryptor announced the acquisition in a November 2022 blog post. In the post, the founders state that Boxcryptor will become “native” to the Dropbox platform. There’s a lot of jargon, but the core argument is that joining Dropbox will help Boxcryptor scale faster and further than it could have on its own.
If you’re a current user of Boxcryptor, the company will honor the duration of your current subscription. However, as of November 2022, it’s impossible to create a new Boxcryptor account. The blog post promises that Boxcryptor will “be in touch with more details” for what current customers can do when their contracts run out.
Boxcryptor further promises that Dropbox won’t acquire any existing customer data, which will remain property of Boxcryptor’s parent company, Secomba GmbH. This will presumably still apply even if Boxcryptor offers its current customers a discounted Dropbox subscription or some similar perk.
If you used Boxcryptor with any cloud storage platform other than Dropbox, this is very bad news: You won’t be able to continue after your current license runs out. You’ll either need to switch to a platform with native zero-knowledge encryption, or find another third-party app. Cryptomator is our favorite alternative — see our Cryptomator review to learn more.
What This Means for Dropbox Users
Unfortunately, Dropbox’s post announcing the acquisition is even lighter on information than Boxcryptor’s. It awkwardly dances around the fact that it’s adding a feature to protect users in the event Dropbox makes a serious error, instead calling it a tool to “ensure customers can protect their content however they choose.”
Even so, we gleaned a few pieces of information. The most important is that the new zero-knowledge encryption only applies to Dropbox Business users. Dropbox Business is the side of Dropbox that’s more about sharing than storage, providing advanced access controls and other collaboration features.
A fully encrypted Dropbox Business is certainly nice, but it doesn’t cover all the use cases of Boxcryptor. Anyone who just uses a Dropbox account for private storage, or sharing among friends, will have to accept that the company has access to their private files (or use Cryptomator, the best Boxcryptor alternative).
We can’t say exactly what implementation features Dropbox Business users will see, since it’s not yet clear what “key assets” Dropbox has purchased from Boxcryptor. Dropbox’s support staff was evasive when we asked for details.
How to Use a Private Encryption Key on Your Dropbox Account
We don’t yet know how Dropbox plans to make zero-knowledge encryption work on Business accounts. However, by looking at other encrypted cloud storage software, we can speculate on what the final implementation might look like.
For example, there’s Sync.com, our current favorite provider. All Sync.com plans come with full end-to-end encryption, which applies to all files on an account, both those stored and those in transit. Dropbox may use this opt-out system, where your files are encrypted automatically with a private key.
It may also go the way of pCloud, the fastest-downloading provider according to our tests. pCloud makes zero-knowledge encryption available as a separate perk called pCloud Crypto. For an extra fee, pCloud gives you access to a “crypto” folder where you can put your sensitive files, so only you can gain access and decrypt them.
If we had to guess, we’d say the crypto folder route is more likely, since end-to-end encryption may harm classic Dropbox perks like the ability to preview files. Since Boxcryptor already costs extra, it’s not unreasonable to expect an additional charge, either. In the end, though, this is all speculation — we’ll update this section when we have more concrete details.
The Best Third-Party Encryption for Dropbox
Dropbox doesn’t let customers create their own private keys. However, this doesn’t mean you can’t take zero-knowledge encryption into your own hands. Even before acquiring Boxcryptor, Dropbox allowed third-party encryption apps. These apps will remain available after Boxcryptor fully integrates with Dropbox Business. We’ve gathered a few of the best examples here.
Cryptomator is a free, open-source encryption agent for all of your files, including those stored on the cloud. It lets you create an encrypted vault on your computer, which you can store anywhere, including inside your Dropbox folder. Any files in the Cryptomator folder will be inaccessible to Dropbox — only you can read them.
Sookasa is an app dedicated to adding zero-knowledge encryption to cloud storage that doesn’t provide it natively. Currently, it only works on Dropbox and Google Drive, but it makes securing those two services easy. When you store files in the Sookasa folder within your Dropbox folder, they remain encrypted until you decrypt them manually with the Sookasa app.
Encrypto lets you encrypt files before sharing them in the cloud. You have to encrypt each file manually and set a password and hint. Once you do, that file will stay encrypted no matter what you do with it — put it on a flash drive, email it or upload it to your Dropbox account. Individually locking each file can be a hassle, but it works well and is free to boot.
This app places all cloud sync folders on your system inside a superfolder managed by e-share. You can then look through the folder to manually encrypt any files you want to secure. It’s free for personal use, and comes with a few other features, like an online cloud portal that lets you see your activity on any browser.
Dropbox’s acquisition of Boxcryptor took much of the cybersecurity world by surprise. There are still a lot of uncertainties about what the combined product will ultimately look like. Right now, however, it seems fairly clear that Boxcryptor functionality is no longer accessible to anyone except Dropbox Business users.
Although this is a frustrating setback for those who relied on Boxcryptor, there are other options. You can use your favorite cloud storage with another app that guarantees zero-knowledge encryption, like Cryptomator or nCrypted Cloud. Alternatively, you can switch to a secure cloud storage service with native encryption, like Sync.com or another Dropbox alternative.
In the end, it can’t be wholly bad if one of the world’s most popular cloud storage apps is taking security more seriously. We’d love to know if you agree or disagree, or if you have any favorite encryption solutions we didn’t mention. Sound off in the comments, and thanks for reading!
Dropbox encrypts files you store on its servers, but the security isn’t zero-knowledge. Dropbox holds the keys to decrypt them, presenting a small but serious vulnerability.
No. Your Dropbox folder encrypts files so no third parties can view them, but Dropbox itself can see and decrypt them.
Files at rest in your Dropbox folder are encrypted with AES-256, and files in transit with SSL/TLS.