FAQ & Troubleshooting
New Boxcryptor for macOS App
With the use of Apple's File Provider framework introduced in macOS 12, we can finally provide an all-new Boxcryptor for macOS app that seamlessly integrates into Apple's Mac ecosystem, similar to the Boxcryptor for iOS app.
Are special instructions required for the installation?
No, the new Boxcryptor for macOS is a native “File Provider” app which works “out-of-the-box” on modern macOS operating systems. Because it does not use a kernel extension anymore, it is not required to modify the Mac's Security Policy and the installation does not require rebooting the device. Additionally, the app is now fully utilizing the macOS sandboxing security mechanism.
If you changed your Mac’s Security Policy to Reduced Security due to a previous Boxcryptor for macOS version, you can revert this policy back to Full Security when you exclusively use the new Boxcryptor for macOS by following these steps:
- Reboot your Mac into Recovery Mode
- Open Utilities → Startup Security Utility
- Select and unlock your system volume and click Security Policy…
- Choose Full Security
- Restart your Mac
Where are files encrypted?
As you expect from Boxcryptor, files stored in the cloud are always encrypted and encryption is performed locally on your Mac all the time. Only encrypted files leave your device.
However, in contrast to Boxcryptor for macOS in the past, files stored locally on your Mac are not encrypted by Boxcryptor anymore due to technical limitations by Apple’s File Provider platform. File Provider apps must store files in clear text on the local file system so that their content can get picked up by macOS and presented to the user. This affects file contents and file names.
Here’s the encryption state by location:
- In the cloud: Files are always protected by Boxcryptor’s encryption
- On your Mac with FileVault: Files are protected by FileVault’s encryption
- On your Mac without FileVault: Files are not protected (not recommended)
We strongly recommend the use of local full-disk encryption for every Mac, regardless of whether you are using a previous version of Boxcryptor for macOS or the new Boxcryptor for macOS, or even if you don’t use Boxcryptor at all. Full-disk encryption is an integral part of local device security and can easily be achieved by turning on FileVault on any Mac.
By using FileVault, files available in the new Boxcryptor for macOS are still protected by FileVault’s encryption on the local disk despite appearing as cleartext when your Mac is in use. Learn more about FileVault here: https://support.apple.com/en-us/HT204837
Where can I find Boxcryptor on my Mac?
In previous versions of Boxcryptor for macOS, the Boxcryptor drive was mounted on the path /Volumes/Secomba/[USERNAME]/Boxcryptor and accessible via shortcuts in Finder’s Favorite section, in the user’s home folder and on the Desktop.
Like every File Provider app, Boxcryptor is now available in ~/Library/CloudStorage, where a sync folder for each connected cloud provider is created. These folders are also accessible in the Finder’s Location section.
Do I still need my cloud provider’s client on my Mac?
No, the new Boxcryptor for macOS version now includes the full functionality for fast, smooth and secure synchronization of your files and folders. The new Boxcryptor for macOS version is all you require installed on your Mac to work with encrypted files in Dropbox, OneDrive, Google Drive or any other supported cloud provider. When using the new Boxcryptor for macOS, you can remove your cloud provider’s client from your Mac.
Why is everything new?
A main driver for the new Boxcryptor for macOS version is Apple’s strategy to disallow third-party kernel extensions on macOS to further secure and close down the Mac operating system. Apple started to deprecate third-party kernel extensions a few years ago and successively made it more difficult to use them. While a kernel extension could be loaded “on-the-fly” in the past, macOS 10.15 Catalina started to require a system reboot during the loading process.
Nowadays, Macs with Apple Silicon processors additionally require the modification of the Mac’s Security Policy in Recovery Mode to allow third-party kernel extension loading. All signs indicate that third-party kernel extensions will not work at all in future versions of macOS. Holding on to our existing concept using a virtual Boxcryptor drive based on a kernel extension would not be sustainable anymore.
Due to Apple’s decisions, we have been forced to come up with a new concept for how Boxcryptor for macOS will work in the years to come. At the same time, we are excited about the new possibilities and experiences this new integration into macOS opens up for Boxcryptor in the future.
Can I use Spotlight again?
Yes, finally! A major advantage of the new File Provider-API over the old virtual drive is that Spotlight works out-of-the-box without requiring special handling by Boxcryptor. This means that Spotlight indexes files and folders in Boxcryptor locations automatically and by default. Spotlight support is not an optional advanced setting anymore, but a first-class default experience for every user.
Spotlight indexes file and folder metadata of all items in Boxcryptor locations. File contents are only searchable for downloaded files which are locally available for indexing due to technical limitations.
Are there any file name or type restrictions?
Due to technical reasons, the following file types cannot be stored in Boxcryptor:
- App Bundles (.app)
- Frameworks (.framework)
- XIP (.xip)
- Crash Files (.xccrashpoint)
- Boxcryptor Files (.bc, .bch, .bclink)
If required, this file type restriction can be bypassed by zipping the files.
Additionally, file name or type restrictions by used cloud providers apply.
Can I install the new app on my older macOS device (Big Sur and below)?
No. Although the File Provider framework was already introduced in macOS 10.15, the technology that we are relying on in our new app was first shipped in macOS 12.0. However, you can always install the legacy Boxcryptor macOS app from our website, which we will continue to support until the end-of-life of macOS 11.
Can the new and Legacy version of Boxcryptor for macOS be used at the same time?
Yes and no. You can rename a previous version of Boxcryptor for macOS (e.g., from “Boxcryptor.app” to “Boxcryptor Legacy.app”) and then install the new version to have both versions installed on your Mac at the same time. However, it is not possible to start and use both versions at the same time without interference. Switching between them one at a time might also lead to unexpected problems, e.g., being signed out on the next start.
We recommend sticking to one version most of the time and only switching if explicitly required, e.g., to modify permissions of an encrypted folder using a previous version of Boxcryptor for macOS.
Documentation for Boxcryptor 2.x (Legacy)
This documentation covers our new Boxcryptor for macOS app that requires macOS >= 12. If you need assistance with our old Boxcryptor app, you can download the legacy documentation here.
How to Create a Debug Log
What is a Debug Log?
A debug log captures all internal events while Boxcryptor is running. It can help us to track down issues with Boxcryptor, for example bugs and incompatibilities with other software.
Does a Debug Log Contain Sensitive Data?
When you create a debug log, sensitive user information such as passwords, encryption keys, or actual file content will not be logged.
Which Information Does a Debug Log Contain?
The debug log captures the following information.
- User interaction such as button clicks and in-app navigation
- File operations (including unencrypted filenames)
- Current Boxcryptor settings
- Communication with our servers and your cloud provider(s)
- System information such as OS version or required frameworks
- Running programs
How Do I Create a Debug Log?
- Open the Console app.
- Enter com.boxcryptor. into the top right search bar and press Enter.
- Click Start.
- Reproduce the issue you have with Boxcryptor for macOS (if you have synchronization issues, please give it as much time as the synchronization would need to finish).
- Switch back to the Console app.
- Click Pause.
- Select and copy all log entries using CMD+A and CMD+C.
- Open TextEdit (or any other text editor of your choice).
- Paste the log entries using CMD+V.
- Save the file as boxcryptor.log.
What Should I Do With my Debug Information?
I Cannot Connect to the Boxcryptor Servers
Depending on your system or network configuration, Boxcryptor may not always be able to communicate with our servers. However, there are some workarounds for the following scenarios.
Error Message like “No Connection” or “Sync Keys failed”:
When this error message shows, make sure that you still have internet access with Safari. Make sure that the Boxcryptor server status here returns the message OK. One possible source of error could be your proxy settings. For example, try adding api.boxcryptor.com to an exclusion list.
Warning: This is no Secure Connection
If you are in an environment that performs traffic inspection, you might not be able to connect to our servers. Examples where traffic inspection might interfere with Boxcryptor:
- Anti-virus solutions that protect internet traffic
- Public hotspots
- Company proxy servers
Traffic inspection, technically speaking, is a man-in-the-middle attack. Therefore, it is important to make sure your system or internet connection is not compromised. You can check the certificate information provided by clicking advanced in the error message.
If you have already signed in to Boxcryptor successfully, you can continue to work on your already opened or downloaded files offline. However, you will not be able to alter Boxcryptor permissions or use other online features of Boxcryptor.
Use self-signed Certificates for Cloud Provider
Connecting to self-hosted WebDAV or ownCloud / Nextcloud instances with self-signed certificates does not always work out-of-the-box.
For Boxcryptor to connect to your server, you must install your self-signed certificate on your device. For more information on how to install it, please see here.
For more information on certificate requirements, check Apple's specification here.
If you own the domain, you can instead create a free and trusted certificate. For more information, see certificate authorities such as Let's Encrypt.
I Cannot Move a File to an Encrypted Folder
Moving files between differently encrypted folders or into a new encrypted folder always requires encrypting the files with the new folder key. Hence, Boxcryptor has to download the item, decrypt, encrypt, and upload the item again. Due to the complexity, we decided to disable the option to move and copy between encrypted folders.
Alternatively, you can simply copy files to the desired folder and finally delete the original items.
Where can I download Boxcryptor Classic?
Boxcryptor Classic is the predecessor of Boxcryptor which has been discontinued. It is not recommended to use Boxcryptor Classic because it is not supported anymore and does not work on the latest operating system versions.
If you’re an existing user of Boxcryptor Classic, you can download it here, and we recommend that you upgrade to Boxcryptor as soon as possible.
Download Boxcryptor Classic for Mac OS X here: https://www.boxcryptor.com/download/Boxcryptor_Classic_v1.5.415.252_Installer.dmg
Supports Mac OS X 10.7, 10.8, 10.9, 10.10.
If you already upgraded to Mac OS X >= 10.11 and need to decrypt your encrypted files with Boxcryptor Classic, you can download this “unofficial” version with read-only support for macOS 10.11 and 10.12: https://www.dropbox.com/s/wbrygn4x2kgzlsp/Boxcryptor_Classic_v1.5.417.253_Installer.dmg?dl=0
What happens if Boxcryptor goes out of business?
Boxcryptor has been designed in such a way that Boxcryptor continues to work even if the Boxcryptor servers are not available and you're still signed into Boxcryptor. If you want to take additional precautions for the event that the Boxcryptor servers would go permanently offline, you must have the following backups:
- Exported key file
- Boxcryptor installer file
When these files are available, you will always be able to access your encrypted files on your own on any supported operating system - without any connection to any server. The exported key file contains all encryption keys associated with your Boxcryptor account. Important: As new keys might be added over time by Boxcryptor's integrated key management (e.g. when sharing files with other Boxcryptor users), it is recommended to regularly export a new key file.
After installing Boxcryptor, you can use the exported key file to access your encrypted files using a local account. Learn more about exporting your keys and local accounts.
Outdated Clients
We regularly release new versions of Boxcryptor with new features, better stability and overall improvements and retire outdated versions over time. On September 30, 2018, the following versions were retired:
- Boxcryptor for Windows 2.22.706 and older
- Boxcryptor for macOS 2.19.907 and older
When you try to use a retired version, you will not be able to use Boxcryptor and receive one of the following error messages:
This client is invalid or outdated. Please upgrade to the latest version.
The client id is invalid!
This is no secure connection
The remote certificate is invalid according to the validation procedure
Boxcryptor can't establish a secure connection to the Boxcryptor server.
Download and install the latest version of Boxcryptor from here. Afterwards you will be able to continue to use Boxcryptor.
If you still see the error message This is no secure connection, the problem lies elsewhere. Check out I Cannot Connect to the Boxcryptor Servers.
I am using Windows XP or Mac OS X 10.14 or earlier
Current versions of Boxcryptor require Windows 7 and later or macOS 10.15 and later. As all earlier operating system versions are not supported by Apple or Microsoft anymore, we recommend that affected users update their operating system to a newer version as soon as possible in order to stay safe.
Using unsupported operating systems poses a huge security risk. You really have to update your operating system for security-related use.
I cannot update to the latest version
Note: If you are using Windows, please look into I Cannot Update or Uninstall Boxcryptor first.
If for any reason you cannot update to the latest version and can't access your encrypted files anymore, you have the following options:
Boxcryptor Portable does not require any installation and can be used to access and decrypt your encrypted files without administrator rights. Download Boxcryptor Portable here.
You can export your keys from our server and use a local account to sign in to your outdated Boxcryptor version without requiring a connection to our servers. Learn more here.
I cannot sign in due to too many connected devices
Cannot open some files
There may be situations where files appear to be inaccessible. This can have multiple reasons:
Boxcryptor Access Issues
On desktop, some applications or the file browser show a message with "Invalid parameter" when trying to open a file.
- Boxcryptor may be signed in to the wrong account. → Check the account info in the Boxcryptor settings and compare it with the Boxcryptor permissions.
- The user has no Boxcryptor permissions on the file. → Make sure the user has physical access to the shared file, has Boxcryptor permissions correctly set and the latest permission changes of the file have been synced. Learn how to set permissions here.
Filesystem Permissions Issues
Files are read-only or "permission denied" is displayed. Change the file system permissions so your user can (physically) access them.
"Bad padding" issues, empty physical files or inaccessible folders due to an empty
File open shows "Found invalid data while decoding" and the .bc file is empty.
Folder cannot be opened "Found invalid data while decoding." is displayed in the permission settings.
There has been an incompatibility with Dropbox in the past that could create "broken" content for smaller files because Dropbox did not sync the last file change.
- Restore an older version of the corrupted file via the file history of your cloud storage provider.
- For folder issues, delete the empty Folderkey.bch file and re-encrypt the folder.
Apple Chip-Support
On November 10, 2020, Apple revealed new Mac hardware with the revolutionary Apple Silicon M1 processors, which have been available since November 17. Boxcryptor has been adapted to run natively on the new processor architecture with maximum performance and battery life.
Boxcryptor has natively supported the new Apple Silicon Macs since version 2.39.1119, released on December 18, 2020.
What is a FolderKey.bch and a .bclink file
There is a File Called FolderKey.bch in my Cloud Storage. What is This?
Boxcryptor creates a FolderKey.bch file when a folder is encrypted. It contains encryption metadata for its parent folder and helps Boxcryptor to maintain the encryption hierarchy. This file is not visible within the Boxcryptor drive.
Does it Leak Sensitive Information?
The FolderKey.bch does not contain any sensitive information. Only .bc files contain sensitive information — and these are encrypted.
What Happens When I Lose it?
Don't worry, you will not lose any data or access to files. All crypto-required information is stored directly within your encrypted *.bc files.
The downside of losing that file is that Boxcryptor no longer perceives the parent folder as encrypted. As a consequence, new files in this folder will not inherit the encryption setting.
There is a File Called .bclink in my Cloud Storage. What is This?
The file helps to verify the account when linking accounts to use features like Whisply.
If the file doesn't exist, the user either used a different account for linking or the sync client is not turned on/syncing.
Does it Leak Sensitive Information? Can I delete it?
The file does not contain any sensitive information. It is not necessary and can also be deleted. However, it may be generated again automatically.
Recover Account Access if Second Factor (2FA) is Lost
If you lose the second factor for your two-factor authentication (2FA), such as an authenticator app, your entire mobile device, your security key or other hardware, you will no longer be able to sign in to your Boxcryptor account.
Ways to recover access to your account:
Re-apply the secret key from your initial setup
If you still have your secret key from the initial Authenticator App setup, you can just re-add it to your authenticator app of choice. Besides the QR code scan method, these apps usually provide a "manual" way to add a Time-based One-time Password (TOTP) account.
For reference, the secret key looks similar to:
mzwe wocd mj3d qr3f njjw g2cm grqw cvli
Use a device code
If you were recently signed in and are still signed in to Boxcryptor for Windows or Boxcryptor for macOS, you can use these devices as a second factor instead.
The second factor authentication screen will then provide you with the extra option "Use Device Code". When you click it, our apps will provide you with a temporary 8-digit PIN that is valid for 5 minutes.
Please ensure beforehand that your Boxcryptor client is up to date. You can always download the latest version here.
Also, make sure the Boxcryptor client is started and unlocked before requesting a device code.
Use a backup code
Once you set up your second factor, backup codes will be generated and presented to you. You can use these one-time codes instead of your second factor.
If you run out of one-time codes, you can regenerate new codes here.
None of the above methods apply
If you are still unable to access your account, you can also contact us to disable the two-factor authentication.
However, we need clear evidence that you are the legitimate owner of this account.
The identification will be done via live video chat. You will need the following things:
- A device with a browser installed and a working camera.
- A personal identification document (ID card, passport or driver's license).
- The valid e-mail address of your Boxcryptor account.
To pick an appointment, please visit our Booking Page.
Please provide a valid e-mail address, since it will be used for a calendar invite, further instructions and a meeting join link.
As a video chat platform, we use Microsoft Teams. You do not need a user account there. On desktop computers, a modern browser (Chrome, Edge or Safari) is sufficient. For other browsers or mobile devices, you might have to download the Microsoft Teams App:
- iPhone & iPad: https://apps.apple.com/app/microsoft-teams/id1113153706
- Android: https://play.google.com/store/apps/details?id=com.microsoft.teams
- Desktop: https://www.microsoft.com/en-us/microsoft-teams/download-app
Invalid Authenticator App Codes
If you are unable to generate a valid code despite the authenticator app working, this is most likely due to a different time on one of the systems involved.
Since these TOTP codes are only valid for 30 seconds, deviations from real time of just a few seconds can lead to registration problems.
You can check the synchronization on all participating devices by visiting the following website: https://time.is
If the time difference is more than a few seconds, we recommend that you set up automatic time synchronization on your devices or, if necessary, trigger a new synchronization manually.
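Why a clock that is only a couple of seconds off can produce a rejected code, shown as an added example that is not Boxcryptor's code. It assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits) and uses a constructed secret, the RFC test key, written in the same space-grouped form as the reference key under "Re-apply the secret key"; the `window` tolerance is a hypothetical verifier setting, not a documented Boxcryptor behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid, as stated above
DIGITS = 6   # assumption: the usual authenticator-app default

# Constructed sample secret (RFC 6238 test key), formatted like the
# lowercase, space-grouped reference key shown on this page.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(text):
    """Convert a displayed secret key to raw bytes (Base32, spaces ignored)."""
    compact = "".join(text.split()).upper()
    compact += "=" * (-len(compact) % 8)  # restore padding apps usually strip
    return base64.b32decode(compact)


def hotp(key, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, unix_time):
    """Code an authenticator app shows when its clock reads unix_time."""
    return hotp(decode_secret(secret), unix_time // STEP)


def seconds_left(unix_time):
    """Seconds until the current code is replaced by the next one."""
    return STEP - unix_time % STEP


def verify(secret, code, server_time, window=0):
    """Check a code against the server clock.

    window=0 accepts only the current 30-second step; window=1 also accepts
    the step before and after (hypothetical tolerance for small drift).
    """
    key = decode_secret(secret)
    current = server_time // STEP
    for step in range(current - window, current + window + 1):
        if step >= 0 and hmac.compare_digest(hotp(key, step), code):
            return True
    return False


if __name__ == "__main__":
    server_clock = 59  # constructed: one second before a step boundary
    print("server expects", totp(SAMPLE_SECRET, server_clock),
          "for another", seconds_left(server_clock), "s")
    for skew in (0, 2, 66):  # seconds the device clock runs fast
        code = totp(SAMPLE_SECRET, server_clock + skew)
        print(f"device +{skew:>2}s shows {code}:",
              "strict", verify(SAMPLE_SECRET, code, server_clock),
              "| window=1", verify(SAMPLE_SECRET, code, server_clock, 1))
```

A two-second drift already lands the device in the next 30-second step, so a strict comparison fails; beyond roughly one step of drift, only correcting the clock helps.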