- Off-Migration Guide: Decrypt all Boxcryptor encrypted files
- What happens if Boxcryptor goes out of business?
- Migrate to Boxcryptor for macOS v3.x
- Documentation for Boxcryptor 2.x (Legacy)
- How to Create a Debug Log
- I Cannot Connect to the Boxcryptor Servers
- Use self-signed Certificates for Cloud Provider
- I Cannot Move a File to an Encrypted Folder
- Where can I download Boxcryptor Classic?
- Outdated Clients
- Cannot open some files
- Apple Chip-Support
- What is a FolderKey.bch and a .bclink file
- Recover Account Access if Second Factor (2FA) is Lost
FAQ & Troubleshooting
Off-Migration Guide: Decrypt all Boxcryptor encrypted files
With Dropbox acquiring several key assets from Secomba GmbH, Boxcryptor will be discontinued and we will cease our service. All users and customers will be able to continue using the service until the end of their contractual term.
To migrate away from Boxcryptor, you will have to decrypt all your files to keep access to them.
If you are concerned that you might lose access to files encrypted by Boxcryptor you currently do not have physical access, we strongly recommend downloading the latest client software and exporting your keys as described here.
This way, even after your account has been deleted or the Boxcryptor service is shut down, you will be able to decrypt any files later on.
Migration Tips For Organizations
- Administrators are able to export the keys of all users by clicking on each user and selecting
EXPORT KEYSin the User Management.
- Self-service key export for users is not allowed by default. This restriction can be lifted by enabling the
Allow Key Exportpolicy here.
- If Master Key is enabled, the key export of an administrator account will include all keys of all users with an active Master Key. This enables overall access to all of the organization's files.
Decrypting your files is easy: You can simply copy and paste all files within the Boxcryptor drive to a secure location using
CMD+C on the source files and
CMD+V in the target directory. Alternatively, you can use the Finder's context menu entries for that.
When everything is decrypted, you can then delete all encrypted source files.
If you have many files to migrate and would run into low disk space issues doing so, you might want to decrypt and delete the corresponding source files in batches.
What happens if Boxcryptor goes out of business?
Boxcryptor has been designed in such a way that Boxcryptor continues to work even if the Boxcryptor servers are not available and you're still signed into Boxcryptor. If you want to take additional precautions for the event that the Boxcryptor servers would go permanently offline, you must have the following backups:
- Exported key file
- Boxcryptor installer file
When these files are available, you will always be able to access your encrypted files on your own on any supported operating system - without any connection to any server. The exported key file contains all encryption keys associated with your Boxcryptor account. Important: As new keys might be added over time by Boxcryptor's integrated key management (e.g. when sharing files with other Boxcryptor users), it is recommended to regularly export a new key file.
After installing Boxcryptor, you can use the exported key file to access your encrypted files using a local account. Learn more about exporting your keys and local accounts.
Migrate to Boxcryptor for macOS v3.x
With the use of Apple's File Provider framework introduced in macOS 12, we can finally provide an all-new Boxcryptor for macOS app that seamlessly integrates into Apple's Mac ecosystem, similar to Boxcryptor for iOS app.
Boxcryptor for macOS v3.x supports macOS 12.0 and later.
1. Preparation - FileVault
With Boxcryptor, files stored in the cloud are always encrypted and encryption is performed locally on your Mac all the time. Only encrypted files leave your device.
However, in contrast to Boxcryptor for macOS v2.x, files stored locally on your Mac are not encrypted by Boxcryptor anymore due to technical limitations by Apple’s File Provider platform. File Provider apps must store files in clear text on the local file system so that their content can get picked up by macOS and presented to the user. This affects file contents and file names.
Here’s the encryption state by location:
- In the cloud: Files are always protected by Boxcryptor’s encryption
- On your Mac with FileVault: Files are protected by FileVault’s encryption
- On your Mac without FileVault: Files are not protected (not recommended)
We strongly recommend the use of local full-disk encryption for every Mac – regardless if you are using Boxcryptor for macOS v2.x or the new v3.x, or even if you don’t use Boxcryptor at all. Full-disk encryption is an integral part of local device security and can easily be achieved by turning on FileVault on any Mac.
By using FileVault, files available in Boxcryptor for macOS v3.x are still protected by FileVault’s encryption on the local disk, despite appearing as clear text when your Mac is in use. Learn more about FileVault here: https://support.apple.com/en-us/HT204837
Boxcryptor for macOS v3.x is a native File Provider app which works “out-of-the-box” on modern macOS operating systems. Additionally, the app is now fully utilizing the macOS sandboxing security mechanism. All you need to do is download the latest version and follow the standard installation process.
3. Add Clouds and Locations
Boxcryptor for macOS v3.x includes the full functionality for fast, smooth and secure synchronization of your files and folders. To make use of this, directly connect your cloud provider to the app by the following steps:
- Navigate to the Home tab
- Click Add Provider…
- Select your desired Service
- Authenticate with the credentials of your cloud provider
Your credentials are sent directly to the service you choose, they are not sent to our servers.
If you don't want Boxcryptor to sync your files itself, you can still work with your installed sync clients. To do this, select Local Storage in your Boxcryptor app and choose the sync folder of your provider's client.
As every File Provider app, Boxcryptor is now available in
~/Library/CloudStorage where a sync folder for each connected cloud provider is created. These folders are also accessible in the Finder’s Location section.
4. Remove Boxcryptor for macOS v2.x
Since Boxcryptor for macOS v2.x is deeply integrated into macOS and the system does not provide an uninstall mechanism by default, follow these instructions to completely remove the app from your system:
- Quit Boxcryptor
- Open System Preferences → Extensions → Finder Extensions and disable Boxcryptor
- Delete the following folders:
- ~/Library/Application Support/Boxcryptor
The ~/Library denotes the user library folder and NOT the system library folder.
- Remove application preferences by executing the following command in the Terminal app: defaults remove com.boxcryptor.osx
- Open the Keychain Access app and remove all entries starting with com.boxcryptor.osx
- Move Boxcryptor.app into trash
5. Reset Security Policy
If you changed your Mac’s Security Policy to Reduced Security due to Boxcryptor for macOS v2.x, you can then revert this policy back to Full Security by following these steps:
- Reboot your Mac into Recovery Mode
- Open Utilities → Startup Security Utility
- Select and unlock your system volume and click Security Policy…
- Choose Full Security
- Restart your Mac
6. Remove Sync Clients
In addition, Boxcryptor for macOS v3.x is all you require installed on your Mac to work with encrypted files in Dropbox, OneDrive, Google Drive or any other supported cloud provider. You can now remove your cloud provider’s client from your Mac.
File name and type restrictions
Due to technical reasons, the following file types cannot be stored in Boxcryptor:
- App Bundles (.app)
- Frameworks (.framework)
- XIP (.xip)
- Crash Files (.xccrashpoint)
- Boxcryptor Files (.bc, .bch, .bclink)
- Apple Archive Files (.abbu, .icbu)
If required, this file type restriction can be bypassed by zipping the files.
Additionally, file name or type restrictions by used cloud providers apply.
A major advantage of the new File Provider-API over the old virtual drive is that Spotlight works out-of-the-box without requiring special handling by Boxcryptor. This means that Spotlight indexes visited files and folders in Boxcryptor locations automatically and by default. Spotlight support is not an optional advanced setting anymore, but a first-class default experience for every user.
Spotlight indexes file and folder metadata of all items in Boxcryptor locations. File contents are only searchable for downloaded files which are locally available for indexing due to technical limitations.
Why is everything new?
A main driver for the new Boxcryptor for macOS version is Apple’s strategy to disallow third-party kernel extensions on macOS to further secure and close down the Mac operating system. Apple started to deprecate third-party kernel extensions a few years ago and successively made it more difficult to use them. While a kernel extension could be loaded “on-the-fly” in the past, macOS 10.15 Catalina started to require a system reboot during the loading process.
Nowadays, Macs with Apple Silicon processors additionally require the modification of the Mac’s Security Policy in Recovery Mode to allow third-party kernel extension loading. All signs indicate that third-party kernel extensions will not work at all in future versions of macOS. Holding on to our existing concept using a virtual Boxcryptor drive based on a kernel extension would not be sustainable anymore.
Due to Apple’s decisions, we have been forced to come up with a new concept how Boxcryptor for macOS works in the years to come. At the same time, we are excited about the new possibilities and experiences this new integration into macOS opens up for Boxcryptor in the future.
Documentation for Boxcryptor 2.x (Legacy)
This documentation covers our new Boxcryptor for macOS app that requires macOS >= 12. If you need assistance to our old Boxcryptor app, you can download the legacy documentation here.
How to Create a Debug Log
What is a Debug Log?
A debug log captures all internal events while Boxcryptor is running. It can help us to track down issues with Boxcryptor, for example bugs and incompatibilities with other software.
Does a Debug Log Contain Sensitive Data?
When you create a debug log, sensitive user information - like password, encryption keys, or actual file content will not be logged.
Which Information Does a Debug Log Contain?
The debug log captures the following information.
- User interaction such as button clicks and in-app navigation
- File operations (including unencrypted filenames)
- Current Boxcryptor settings
- Communication with our servers and your cloud provider(s)
- System information such as OS version or required frameworks
- Running programs
How Do I Create a Debug Log?
- Open the Console app.
com.boxcryptor.into the top right search bar and press Enter.
- Click Start.
- Reproduce the issue you have with Boxcryptor for macOS (if you have synchronization issues, please give it some time to hypothetically finish).
- Switch back to the Console app.
- Click Pause.
- Select and copy all log entries using CMD+A and CMD+C.
- Open TextEdit (or any other text editor of your choice).
- Paste the log entries using CMD+V.
- Save the file as boxcryptor.log.
What Should I Do With my Debug Information?
I Cannot Connect to the Boxcryptor Servers
Depending on your system or network configuration, Boxcryptor may not always be able to communicate with our servers. However, there are some workarounds for the following scenarios.
Error Message like “No Connection” or “Sync Keys failed”:
When this error message shows, make sure that you still have internet access with Safari. Make sure that the Boxcryptor server status here returns the message OK. One possible source of error could be your proxy settings. For example, try adding
api.boxcryptor.com to an exclusion list.
Warning: This is no Secure Connection
If you are in an environment that performs traffic inspection, you might not be able to connect to our servers. Examples, where traffic inspection might interfere with Boxcryptor:
- Anti-virus solutions that protect internet traffic
- Public hotspots
- Company proxy servers
Traffic inspection, techically speaking, is a man-in-the-middle attack. Therefore, it is important to make sure your system or internet connection is not compromised. You can check the certificate information provided, by clicking advanced in the error message.
If you already have signed in to Boxcryptor sucessfully, you can continue to work on your already opened or downloaded files offline. However, you will not be able to alter Boxcryptor permissions or use other online features of Boxcryptor.
Use self-signed Certificates for Cloud Provider
Connecting to self hosted WebDAV or Owncloud / NextCloud instances with self-signed certificates does not always work out-of-the-box.
For Boxcryptor to connect to your server, you must install your self-signed certificate on your device. For more information how to install it, please see here.
For more information on certificate requirements, check apple's specification here.
If you own the domain, you can instead create a free and trusted certificate. For more information, see Authorities such as Let's Encrypt.
I Cannot Move a File to an Encrypted Folder
Moving files between differently encrypted folders or into a new encrypted folder always requires encrypting the files with the new folder key. Hence, Boxcryptor has to download the item, decrypt, encrypt, and upload the item again. Due to the complexity, we decided to disable the option to move and copy between encrypted folders.
Alternatively, you can simply copy files to the desired folder and finally delete the original items.
Where can I download Boxcryptor Classic?
Boxcryptor Classic is the predecessor of Boxcryptor which has been discontinued. It is not recommended to use Boxcryptor Classic because it is not supported anymore and does not work on the latest operating system versions.
If you’re an existing user of Boxcryptor Classic you can download it here and we recommend you to upgrade to Boxcryptor as soon as possible.
Download Boxcryptor Classic for Mac OS X here: https://www.boxcryptor.com/download/Boxcryptor_Classic_v1.5.415.252_Installer.dmg Supports Mac OS X 10.7, 10.8, 10.9, 10.10
If you already upgraded to Mac OS X >= 10.11 and need to decrypt your encrypted files with Boxcryptor Classic, you can download this “unofficial” version with read-only support for macOS 10.11 and 10.12: https://www.dropbox.com/s/wbrygn4x2kgzlsp/Boxcryptor_Classic_v1.5.417.253_Installer.dmg?dl=0
We regularly release new versions of Boxcryptor with new features, better stability and overall improvements and retire outdated versions over time. On September 30 2018, the following versions have been retired:
- Boxcryptor for Windows 2.22.706 and older
- Boxcryptor for macOS 2.19.907 and older
When you try to use a retired version, you will not be able to use Boxcryptor and receive one of the following error messages:
This client is invalid or outdated. Please upgrade to the latest version.
The client id is invalid!
This is no secure connection
The remote certificate is invalid according to the validation procedure
Boxcryptor can't establish a secure connection to the Boxcryptor server.
Download and install the latest version of Boxcryptor from here. Afterwards you will be able to continue to use Boxcryptor.
If you still see the error message This is no secure connection, the problem lies elsewhere. Check out I Cannot Connect to the Boxcryptor Servers.
I am using Windows XP or Mac OS X 10.14 or earlier
Current versions of Boxcryptor require Windows 7 and later or macOS 10.15 and later. As all earlier operating system versions are not supported by Apple or Microsoft anymore, we recommend affected users to update their operating system to a newer version as soon as possible in order to stay safe.
Using unsupported operation systems poses a huge security risk. You really have to update your operating system for security-related use.
I cannot update to the latest version
Note: If you are using Windows, please look into I Cannot Update or Uninstall Boxcryptor first.
If for any reason you cannot update to the latest version and can't access your encrypted files anymore, you have the following options:
Boxcryptor Portable does not require any installation and can be used to access and decrypt your encrypted files without administrator rights. Download Boxcryptor Portable here.
You can export your keys from our server and use a local account to sign in to your outdated Boxcryptor version without requiring a connection to our servers. Learn more here.
I cannot sign in due to too many connected devices
Cannot open some files
There may be situations where files appear to be inaccessible. This can have multiple reasons:
Boxcryptor Access Issues
On desktop some Applications or the file browser shows a message with
Invalid parameterwhen trying to open a file.
- Boxcryptor is eventually signed-in to a wrong account. → Check the account info in the Boxcryptor settings and compare it with the Boxcryptor permissions.
- The user has no Boxcryptor permissions on the file. → Make sure the user has physical access to the shared file, has Boxcryptor permissions correctly set and the latest permission changes of the file have been synced. Learn how to set permissions here.
Filesystem Permissions Issues
Files are read-only or "permission denied" is displayed. Change files system permissions so your user can (physically) access them.
"Bad padding" issues, empty physical files or inaccessible folders due to an empty
File open shows "Found invalid data while decoding" and the .bc file is empty.
Folder cannot be opened "Found invalid data while decoding." is displayed in the permission settings.
There has been an incompatibility with Dropbox in the past that could create "broken" content for smaller files because Dropbox did not sync the last file change.
- restore an older version of the corrupted file via the file history of your cloud storage provider.
- for folder issues, delete the empty
Folderkey.bchfile and re-encrypt the folder.
On November 10, 2020, Apple revealed new Mac hardware with the revolutionary Apple Silicon M1 processors which are available since November 17. Boxcryptor has been adapted to run natively on the new processor architecture with the maximum performance and battery life.
Boxcryptor natively supports the new Apple Silicon Macs since version 2.39.1119 released on December 18, 2020.
What is a FolderKey.bch and a .bclink file
There is a File Called FolderKey.bch in my Cloud Storage. What is This?
Boxcryptor creates a FolderKey.bch file when a folder is encrypted. It contains encryption metadata for its parent folder and helps Boxcryptor to maintain the encryption hierarchy. This file is not visible within the Boxcryptor drive.
Does it Leak Sensitive Information?
The FolderKey.bch does not contain any sensitive information. Only .bc files contain sensitive information — and these are encrypted.
What Happens When I Lose it?
Dont't worry, you will not loose any data or access to files. All crypto-required information is stored directly within your encrypted *.bc files.
The downside of losing that file is that Boxcryptor no longer perceives the parent folder as encrypted. As a consequence, new files in this folder will not inherit the encryption setting.
There is a File Called .bclink in my Cloud Storage. What is This?
The file helps to verify the account when linking accounts to use features like Whisply.
If the file doesn't exist, the user either used a different account for linking or the sync client is not turned on/syncing.
Does it Leak Sensitive Information? Can I delete it?
The file does not contain any sensitive information. It is not necessary and can also be deleted. However, it may be generated again automatically.
Recover Account Access if Second Factor (2FA) is Lost
In the case of a lost second factor for the two-factor authentication (2FA) such as an authenticator app, your mobile device in total, your security key or other hardware, you will no longer be able to sign in to your Boxcryptor account.
Ways to recover access to your account:
Re-apply the secret key from your initial setup
If you still have your secret key from the initial Authenticator App setup, you can just re-add it to your authenticator app of choice. Next to the QR Code scan method these apps usually provide a "manual" way to add a Time-based One-time Password (TOTP) account.
For reference, the secret key looks similar to:
mzwe wocd mj3d qr3f njjw g2cm grqw cvli
Use a device code
If you are still recently signed-in in Boxcryptor for Windows or Boxcryptor for macOS, You can use these devices as a second factor instead.
The second factor authentication screen will then provide you with the extra option "Use Device Code". Upon clicking on it, our apps will provide you with a temporary 8-digit pin, that will be valid for 5 minutes.
Please ensure that your Boxcryptor client is up-to-date before. You can always download the latest version here.
Also, make sure the Boxcryptor client is started and unlocked before requesting a device code.
Use a backup code
Once you set up your second factor, backup codes will be generated and presented to you. You can use these one-time codes instead of your second factor.
If you run out of one-time codes, you can regenerate new codes here.
None of the above methods apply
If you are still unable to access your account, you can also contact us to disable the two-factor authentication.
However, we need clear evidence that you are the legitimate owner of this account.
The identification will be done via video live chat, you will need the following things:
- A device with a browser installed and a working camera.
- An identification of your person (ID card, passport or driver's license).
- The valid e-mail address of your Boxcryptor account.
To pick an appointment, please visit our Booking Page.
Please provide a valid e-mail address, since it will be used for a calendar invite, further instructions and a meeting join link.
As a video chat platform, we use Microsoft Teams. You do not need a user account there. On desktop computers, a modern browser (Chrome, Edge or Safari) is sufficient. For other browsers or mobile devices, you might have to download the Microsoft Teams App:
iPhone & iPad: https://apps.apple.com/app/microsoft-teams/id1113153706 Android: https://play.google.com/store/apps/details?id=com.microsoft.teams Desktop: https://www.microsoft.com/en-us/microsoft-teams/download-app
Invalid Authenticator App Codes
If you are unable to generate a valid code despite the authenticator app working, this is most likely due to a different time on one of the systems involved.
Since these TOTP codes are only valid for 30 seconds, deviations from real time of just a few seconds can lead to registration problems.
You can check the synchronization on all participating devices by visiting the following website: https://time.is
If the time difference is more than a few seconds, we recommend that you set up the automatic time synchronization of your devices or, if necessary, perform a new one.