Boxcryptor’s unexpected sale raises many questions.
I was shocked to learn this week that Boxcryptor had been sold to Dropbox. (Boxcryptor is a program that adds a layer of security to data you store in the cloud by encrypting files locally on your device.)
The messaging was poor and raised many questions.
Let me speculate a little and recommend a course of action: a course I’ve already embarked on.
The future of Boxcryptor
- Boxcryptor will continue to work for those who already use it, but it’s unclear for how long and with which file-sharing services.
- No new Boxcryptor accounts can be created.
- It would be prudent to plan a transition from Boxcryptor to alternatives like Cryptomator.
Boxcryptor still works
I want to be clear that Boxcryptor’s technology is not being called into question.[1] The company continues to work, and their press release includes the following:
If you’re an existing customer, you can keep using Boxcryptor as you do today.
New accounts are disabled, so if you’re not using Boxcryptor, you’re not only unaffected, you can’t start using it.
They promised an email to all existing users with more information and steps, but as I write this a week later, I have not seen such an email.
It’s very confusing.
But the good news is that if you’re an existing customer, there’s not any urgency. It’ll keep working. For now.
The muddy future
There are two things that concern me about the sale.
First, how long will existing Boxcryptor accounts keep working? Since it’s no longer a product that’s available to new users, at some point it seems inevitable that the plug will be pulled or some technological change (say a Windows or macOS operating system change[2]) will break Boxcryptor. Will anyone be around to fix and/or update it? What if there’s a security issue or vulnerability discovered?
I don’t like “what if” speculation, but it’s an important consideration for the future of Boxcryptor.
Similarly, having been purchased by Dropbox, does this imply a reduced emphasis on competing services like OneDrive, Google Drive, or others? Dropbox is almost guaranteed to have a solution — be it continued use of or some evolution of Boxcryptor — but it seems unlikely they’d provide this same solution for their competitors.
With so many unknowns and what one would expect to be changes coming someday, perhaps it’s time to make alternate plans.
Switching to Cryptomator
Within hours of learning of Boxcryptor’s sale, I switched to Cryptomator.
I did it quickly, but not because I believe there’s some kind of imminent disaster. I do not. You don’t have to be in a rush.
I did it mostly because I know questions are coming.
I used Cryptomator many years ago and have continued to recommend it alongside Boxcryptor ever since. I stopped using it because of some technical incompatibility I can no longer recall. Apparently that issue has been resolved, because it’s working well for me so far.
I’ll be revising my Cryptomator recommendation in the coming weeks, but the bottom line is that it’s free with the exception of the smartphone app. And while it differs somewhat in the implementation details, it’s a fine alternative to Boxcryptor.
Do this
If you use Boxcryptor, plan for change.
That could mean using it until you can’t use it anymore and changing then. It could mean moving to whatever the technology looks like when it’s integrated with Dropbox. It could mean moving to an alternative solution today. Or it could mean something in between.
My recommendation is “in between”. As I said above, there’s no rush, but it would make sense to switch in the coming weeks or months when there’s a convenient opportunity to do so.
Footnotes & References
1: If anything, it got a vote of confidence, since obviously it’s of enough value that Dropbox would purchase it.
2: Something I’ve experienced myself. A recent macOS change caused a fundamental change in the way Boxcryptor works on that platform, breaking some of my backup scripts.
What Happens to Boxcryptor Users?
Boxcryptor Free users have a cancellation period of one month to the end of the month according to our terms and conditions. These users will soon receive the cancellation of their free license via email. All free licenses will be cancelled by 01/31/2023.
This might also be a time to consider switching from Dropbox to OneDrive. Dropbox itself is OK, but you can’t be sure they won’t do something else as counterproductive.
I’ve been using Cryptomator for a few years now and can highly recommend it. It’s a great (albeit better) alternative to Boxcryptor and the responsiveness of tech support and the community is fantastic. I’ve established a “vault” for every cloud service I use (about 4).
I tried Boxcryptor several months ago but I could not get it to work properly. I used it to encrypt a folder and files with the folder. I was a database administrator (Oracle) for about 20 years before retiring in April 2022, so maybe my techno knowledge got in the way of successfully using Boxcryptor.
When I left Boxcryptor, I decided to partition my hard drive and use Bit Locker. I have a Windows 10 Pro. My sensitive documents are on the partitioned hard drive. Bit locker works great for me, although I had to do some digging on what to put into two small batch files to unlock (with a keyboard entered password) and re-lock the encrypted drive.
Question for Leo – With Cryptomator (and possibly Bit Locker too), when files or a drive are de-encrypted and “in use”, can the files be read by malicious software or by other snoops?
Unfortunately, yes. Any malware on the system would see and operate on the opened drive as unencrypted.
Malware can do anything. :-(
Leo – That’s what I was afraid of. Even though I have anti-this and anti-that on my PC (and a firewall on my PC and a firewall between our router and all our wired PCs in our house)… nothing in life is guaranteed. There COULD be malware sleeping “in the wings” just waiting for me to open an encrypted drive. Like a former work Supervisor of mine used to say 30 years ago, “It’s not IF something happens; it’s WHEN something happens”. That had more to do with our old 5.25 inch floppy disks and the gold platter on our DEC PDP-11/70, but I feel the same logic holds true today. Glad I have multiple backups.
The only way malware would be on an encrypted drive is if you let it on your computer before encrypting the files. You would have a much greater chance of unencrypted malware on your machine. That makes encrypted malware nearly a non-issue.
Even if the malware can’t see or read your information, it can delete/alter/corrupt the underlying files if it can access them. A Cryptomator container is as secure as the underlying drive it rests on. One trick I use to protect my files, is I duplicate all my OneDrive files on GoogleDrive. (Which includes my underlying Cryptomator files.) I then turn off Google Drive sync except once a month I turn it on just long enough to get it caught up with my changes. Sometimes I do this again, if I am making many changes to files. (Big project, lots of letters, Christmas cards, etc.) But then I turn the sync off. So even if my files are compromised with my OneDrive, I can go to Google and get it all back. Doesn’t matter if the compromise is because of some hardware failure, malware, malicious actor with physical access to the computer, etc. (Or, just 5 year olds with poor supervision. It’s happened!)
There’s an important distinction, though: corrupting the encrypted files is not the same as accessing their contents. Most files are encrypted because the contents are sensitive for some reason. (Example: I just downloaded bank statements into my Cryptomator-encrypted section of cloud storage.) Keeping the contents secure is why I encrypt.
DATA LOSS can happen whether the files are encrypted or not. This is why we back up. I generally recommend backing up the UNencrypted contents of any encrypted storage and then storing those backups in some other secure way.
Team Leo- I didn’t mean malware on an encrypted drive. I meant malware on the un-encrypted drive. Malware does not have to steal or alter data the moment the malware is installed. It can wait to do its dirty work based on a future date or event… like opening an encrypted drive or folder. Keeping anti-malware up to date helps to prevent an infection or, if you have a good anti-malware product, remove an infection.
It would be wonderful if someone would publish a step-by-step migration guide from the now-discontinued Boxcryptor to Cryptomator!
In a nutshell:
Don’t skip the step about backing up.
Leo, I’ve just sent this to Boxcryptor. It is self-explanatory.
“I am very disappointed with the business behaviour of Boxcryptor.
As a subscriber, I had a reasonable right to expect ongoing use and support of this system critical software.
In my opinion, Boxcryptor’s unilateral action to cease supply is unethical. Other options to capitalise on your software asset developed with our help should have been discussed with users or a representative panel. You appear to have only considered yourselves in the decision.
With regard to mitigation, it is completely unacceptable and of no value to say you “recommend that they look for an alternative”. You should have arranged and supported a clear transition path. Your communication of the situation was (until your reply below) very difficult to comprehend, at least in part due to the surprising action.
At the very least you should make a tangible apology to those who supported you and helped create the value you have now capitalised at our (new) expense. It would also be appropriate if you identified those making this decision and any enterprise they are, or will be, associated with, so those businesses can be avoided in future.”
The blame lies with Dropbox. They bought BoxCryptor to use their encryption engine for end-to-end encryption of Dropbox content, and then they killed BoxCryptor.
While I agree with your sentiments, I think expecting any kind of statement or apology from BoxCryptor at this point is unrealistic.
Hi Leo, Many thanks for trying to add some clarity regarding the imminent withdrawal of BoxCryptor in light of the current situation; it’s really appreciated.
I’ve had a good look around and I really can’t see anything that “quite” performs the same as BoxCryptor in the way I use it. I’ll be happy to explain that in detail if you like.
The only one that comes close is Cryptomator, and it really is pretty close, so I was intending to use it, but the BIG issue is that for me, OneDrive identified Cryptomator encrypted files as ransomware attacks and created all kinds of issues for me. Just thought I’d let you know.
I’m still hoping that DropBox will continue to provide the BoxCryptor functionality as stand-alone, but as you say, they’re unlikely to (even indirectly) support their competition… but I’m ever hopeful…
Kind regards, Marco
“OneDrive identified Cryptomator encrypted files as ransomware attacks and created all kinds of issues for me. Just thought I’d let you know.” -> It SHOULDN’T have created problems.
When you encrypt a folder, OneDrive is just seeing everything in a folder become encrypted. It may warn you, since that’s what ransomware looks like, but otherwise it should be fine.