This short quickstart guide for company administrators shows the recommended way to set up Boxcryptor. Following it helps you avoid sync problems and long waiting times during encryption.
Our Guides to Download
- Best Practice Guide for Admins: Download PDF
- Quickstart Guide for Company Users: Download PDF
- Quickstart for Windows and Dropbox (for Boxcryptor Admins): Download PDF
Some Tips for the Safety of Your Data
- Make sure that your cloud is accessible.
- For your first test we recommend using some dummy files, to figure out how everything works.
- Be aware that encrypting and migrating your company’s data could take a day or two, depending on how much data you handle.
Now you are ready to get started. Following the next steps in the right order is important because it makes sure that Boxcryptor works as quickly as possible and at its general best.
How to Set up Your Company Account
Step 1: Go to boxcryptor.com and set up your company admin account:
- Sign in with your admin account to boxcryptor.com
- Enable Master Key (only with the Master Key enabled you will be able to reset passwords if someone in the company forgets it, which is unfortunately very likely).
- Get to know the general functionalities, especially the available Boxcryptor Company policies.
Step 2: Create all necessary groups, but do not add any members yet.
Step 3: Create your folder structure with encrypted folders. Do not share it yet and do not put any data into the folders at this point.
Step 4: Grant all necessary Boxcryptor permissions for these empty folders. Decide now which groups will be allowed to access which folders. (Please note that all permissions set for an encrypted folder are inherited automatically by its subfolders and files. All files and folders will have the same permissions as their parent folder.)
Step 5: Now it is time to put all your unencrypted data into these folders.
Step 6: Create new accounts or invite your members to your team via boxcryptor.com. Make sure to provide the individually created temporary passwords to each respective Boxcryptor user in your team.
Step 7: Assign all members to their Boxcryptor group or groups.
Step 8: Go to your cloud provider and share the encrypted data there with your team members. This step is necessary, since you only shared the permission to access the encrypted data in Boxcryptor so far. Now, you also have to share the data physically at your cloud provider.
Congratulations, you are all set now.
How to Manage Your Users
With a company account you can have 5, 10, 20, 50 or even 10.000 users. You can manage them on the Users page.
The user status is shown on the top of the page (it indicates the amount of available and used users). Below this section, you will find the user overview where you see a list of your users. Here you can edit users or remove them from your company.
In the middle, you can add new users to your company by entering their email address. If you want to create more than one user, you can enter a comma-separated list of email addresses, e.g.:
email@example.com, firstname.lastname@example.org, email@example.com
If the user does not have a Boxcryptor account yet, he will receive an email with the account information and a temporary password. If the user already has a Boxcryptor account, he will receive an email with a verification link to join the company. The user must accept your invitation by clicking the verification link before he is added to your company.
Manage a single user
When you click Edit on a single user, you will see the user detail page, where you can view and edit the following user details.
If the Master Key is enabled for your company, this field indicates whether it is active for the given user. The user must change his password at least once after the Master Key has been enabled for the Master Key to become active for that user. The Master Key can be used to access the user’s encrypted files or reset his password only if it is active for that user. Possible values are:
- Active: The user’s files can be accessed using the Master Key and it can also be used to reset the user's password.
- Inactive: The user’s files cannot be accessed and his password cannot be reset. The user must log in to Boxcryptor and change his password in order to activate the Master Key.
If this field is enabled, the user must change his Boxcryptor password at the next login.
If a user is enabled, he can use Boxcryptor regularly. If a user is disabled, he cannot use Boxcryptor anymore and does not use a license, i.e. he does not count against your license quota. This can be used to temporarily disable user accounts (e.g. for consultants, interns) without having to remove or delete them.
Reset User Password
If the Master Key is active, the Reset User Password button allows you to reset the user’s password:
- Unlock Master Key
- Copy the new temporary password
- Confirm by entering your own password
- Send the new temporary password to the user using a secure channel (e.g. encrypted email)
Remove or Delete A User
The Remove button gives you two options:
- Delete User: The user’s account and associated keys will be permanently deleted. All connected devices and web sessions will be deleted and the user will not be able to log in and decrypt his encrypted files anymore.
- Remove User: The user will only be removed from your company. He will be downgraded to Boxcryptor Free and can still continue to use Boxcryptor, i.e. he can sign in and access his encrypted files as before.
Devices and Web Sessions
At the bottom, you see all devices which are connected with this user account and you can unlink them (for example, if an employee’s laptop is stolen, you can unlink it to prevent unauthorized access to the encrypted data). When a device or web session has been unlinked, the user will be remotely signed out on the next connection with the Boxcryptor servers.
You can manually sync your Boxcryptor users with an existing Active Directory or LDAP directory. Alternatively, you can also connect Boxcryptor with your Dropbox for Business account to sync your Dropbox users with Boxcryptor. When you sync your users, Boxcryptor accounts will be created, deleted or removed as necessary. You can choose if a Boxcryptor account should be deleted or just removed from your company account if it is not needed anymore.
Active Directory & LDAP
If you manage your users in your organization with an Active Directory or LDAP you can easily import these users and groups to Boxcryptor. Requirements:
- Read access to your directory
- Active Directory or LDAP server which can be reached from our servers
- Groups Sync: The LDAP admin needs to set a unique, never-changing ID per group
If your Active Directory or LDAP server is located behind a firewall, please whitelist our IP ranges so that our servers can query your directory. The IP ranges should be fairly stable, but might change over time. The current IP ranges are:
184.108.40.206/28 220.127.116.11/28 18.104.22.168/28
To configure Boxcryptor with your user directory, click on the Setup LDAP Button. Now you can configure the access to your user directory using common Active Directory / LDAP properties:
- Server Address: Fully qualified URI to your directory server. LDAP and LDAPS protocols are supported. Example: ldap://server.company.com:389/
- User Base: Starting point for the user search. Example: dc=company,dc=com
- User for authentication: User which will be used to connect to your user directory. Must have read access rights. Example: cn=Administrator,cn=Users,dc=company,dc=com
- Password for authentication: Password which will be used to connect to your user directory.
- Search String: Users returned by this search string will be synced with Boxcryptor. Example: (objectClass=user)
- Search Base: Base for the search string. Example: cn=users
- Field of Firstname: This user directory field will be mapped to the firstname of Boxcryptor accounts. Example: givenname
- Field of Lastname: This user directory field will be mapped to the lastname of Boxcryptor accounts. Example: sn
- Field of Email: This user directory field will be mapped to the email of Boxcryptor accounts. Example: userprincipalname
- Deletion Procedure: When a Boxcryptor account does not exist in your user directory anymore, it will either be deleted, removed or disabled.
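What the example Search String selects in an Active Directory, shown as an added example (not Boxcryptor code): a small evaluator for the LDAP filter subset used here, run over three constructed entries. In Active Directory, computer accounts also carry objectClass=user and disabled accounts remain in the directory, so (objectClass=user) returns both; TIGHT_FILTER and all entry data are assumptions for illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule
ACCOUNTDISABLE = 2                  # userAccountControl flag of a disabled account

PAGE_FILTER = "(objectClass=user)"  # Search String example from this page
# Assumed tightening (not from the page): people only, enabled accounts only.
TIGHT_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

_USER = ["top", "person", "organizationalPerson", "user"]
# Constructed entries. objectCategory is stored as the short name that
# Active Directory accepts in filters, not as the full schema DN.
DIRECTORY = {
    "alice": {"objectclass": _USER, "objectcategory": ["person"],
              "useraccountcontrol": ["512"]},             # enabled user
    "bob-left-company": {"objectclass": _USER, "objectcategory": ["person"],
                         "useraccountcontrol": ["514"]},  # 512 + ACCOUNTDISABLE
    "WS-0042$": {"objectclass": _USER + ["computer"],
                 "objectcategory": ["computer"],
                 "useraccountcontrol": ["4096"]},         # workstation account
}


def parse(text, i=0):
    """Parse one filter starting at text[i]; return (node, next_index).

    Supports &, |, !, equality, presence (attr=*) and the bitwise-AND rule.
    Escaped characters inside values (such as \\29) are not handled.
    """
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":
        op, kids = text[i], []
        i += 1
        while text[i] == "(":
            kid, i = parse(text, i)
            kids.append(kid)
        if text[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed composite filter")
        return (op, kids), i + 1
    end = text.index(")", i)  # raises ValueError when the ')' is missing
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", text[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {text[i:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1


def compile_filter(text):
    """Parse a complete filter string and reject anything left over."""
    try:
        node, end = parse(text)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(kid, attrs) for kid in node[1])
    if node[0] == "|":
        return any(matches(kid, attrs) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, rule, value = node
    values = attrs.get(attr, [])
    if rule == BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def synced(filter_text, directory=DIRECTORY):
    """Names of the entries that a sync with this Search String would import."""
    node = compile_filter(filter_text)
    return [name for name, attrs in directory.items() if matches(node, attrs)]


if __name__ == "__main__":
    print("page filter :", synced(PAGE_FILTER))
    print("tight filter:", synced(TIGHT_FILTER))
```

Review the import preview with the same question in mind: every entry the Search String returns becomes a Boxcryptor account and receives an invitation or a temporary password.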
Dropbox for Business
To connect Boxcryptor with your Dropbox for Business account, click on the Setup Dropbox for Business button followed by the Connect button on the next page. If not done yet, you must login to your Dropbox account and grant Boxcryptor access to your Dropbox for Business account.
After setting up your user directory or Dropbox for Business account, you can import your users. You will see which Boxcryptor accounts and groups would be created, which users would be invited to join your company or which Boxcryptor accounts would be deleted. If you think everything is fine, unlock the "Synchronize" button, and the changes will be written to the database. If you need to resync your users at a later time, simply start the import process again.
A company can define a set of policies (rules) which applies to their users (e.g. minimum password length). A policy can be applied to all users and it is possible to include or exclude specific users.
- Restrict sign in to specific countries: A user can only sign in to his account from specific countries. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific countries" policy. Tip: We recommend excluding your own user from the policy while you are setting the policy up and testing it.
- Restrict sign in to specific IP addresses: A user can only sign in to this account from IP addresses which match the regular expression specified in the "Value" field. If you do not only want to restrict the sign in, take a look at the "Restrict use to specific IP addresses" policy. Tip: We recommend excluding your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict Use to Country of Sign-In: A user can use Boxcryptor only in the country where he initially signed in. If the country changes and a user connects from any other country, he will be signed out and will have to sign in again.
- Restrict Use to IP-Address of Sign-In: A user can use Boxcryptor only from the IP address where he initially signed in. If the IP address changes and a user connects from any other IP address, he will be signed out and will have to sign in again. Example Value: ^123.123.123.(1(0-9)|200)$
- Restrict use to specific countries: A user can use Boxcryptor only in specific countries. If a user is connected from any other country, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend excluding your own user from the policy while you are setting the policy up and testing it.
- Restrict use to specific IP addresses: A user can use Boxcryptor only from an IP address which matches the regular expression specified in the "Value" field. If a user is connected from any other IP address, he will be signed out and will not be able to sign in. If you do not want to restrict signed in users, take a look at the "Restrict sign in to specific countries" policy. Tip: We recommend excluding your own user from the policy while you are setting the policy up and testing it. Example Value: ^123.123.123.(1(0-9)|200)$
- Disable auditing: Do not store any auditing information. This only applies to new auditing data - existing auditing data will not be deleted.
- Allow Account Reset: Allow users to reset their account.
- Allow Key Export: Allow your users to export their account da.
- Maximum number of devices: A user can only be connected to a maximum number of devices at the same time. Please enter the maximum number of devices in the "Value" field. Example Value: 5
- Disallow filename encryption: Filename encryption is forbidden and cannot be enabled.
- Require encryption: Encryption is obligatory and every new file will automatically be encrypted. Important: This policy only removes the ability to create unencrypted files or to e.g. decrypt files via the context menu. If the user really wants to permanently decrypt a file, he might be able to find ways to do so.
- Require filename encryption: Filename encryption is obligatory and cannot be disabled.
- Disable file download in Microsoft Teams: A user cannot download files in the Boxcryptor Microsoft Teams app.
- Disable Whisply: A user cannot share encrypted files via Whisply.
- Disallow to create groups: A user may not create any new group.
- Disallow to join groups: A user may not join any group.
- Disallow to leave groups: A user may not leave any group.
Using all three group policies, users can effectively be prevented from modifying groups. If administrators are excluded from the policies, only administrators can manage groups of their company.
- Allow Locations: A user may only use the locations which are specified here. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Maximum number of locations: A user can only have a maximum number of locations (Desktop) or providers (Mobile) configured at the same time. Example Value: 2
- Require Locations: A user must have the locations which are specified. Locations can either be provider specific or use a custom path on a selected platform. Note: This policy only works on Windows and macOS devices.
- Disallow two-factor authentication using authenticator apps: Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are not allowed to set up an authenticator app for their accounts and any existing authenticator app will be disabled.
- Require two-factor authentication using authenticator apps: Boxcryptor supports two-factor authentication using the Time-based One-Time Password (TOTP) algorithm. Users are forced to set up an authenticator app for their accounts and enter an additional security code when signing in. Users will not be able to sign in to any Boxcryptor client until they set up an authenticator app.
- Require two-factor authentication using Duo: Boxcryptor supports two-factor authentication using Duo. A user is forced to approve his sign in with a second factor, e.g. his mobile device.
- Disallow two-factor authentication using security keys: Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are not allowed to set up a security key for their accounts and any existing security key will be disabled.
- Require two-factor authentication using security keys: Boxcryptor supports two-factor authentication using security keys based on the WebAuthN standard. Users are forced to set up a security key for their accounts and authorize with the key when signing in. Users will not be able to sign in to any Boxcryptor client until they set up a security key.
- Disable remember password: A user cannot use the "Remember password" feature and has to enter his password every time the Boxcryptor software starts.
- Minimum password length: New passwords must have a minimum number of characters. Please enter the minimum number of characters in the "Value" field. Example Value: 12
- Disallow to modify permissions: A user may not modify any permission of encrypted files or folders.
Using this policy, users can be prevented from modifying permissions. If administrators are excluded from this policy, only administrators can manage file and folder permissions.
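For the IP address policies above, whose "Value" field takes a regular expression, this added example (not Boxcryptor code) audits a candidate value against addresses that must and must not pass before the policy is enabled, and goes one step further by generating an escaped, anchored value from CIDR blocks. It assumes Python's `re` syntax with substring search as a stand-in for Boxcryptor's matcher, which this page does not specify; INTENDED, UNANCHORED and the test addresses are constructed.

```python
import ipaddress
import re

# Example Value exactly as printed on this page.
PRINTED = r"^123.123.123.(1(0-9)|200)$"
# Assumed intent (constructed): hosts .10-.19 and .200 of 123.123.123.0/24.
INTENDED = r"^123\.123\.123\.(1[0-9]|200)$"
# Constructed variant of INTENDED with both anchors left out.
UNANCHORED = r"123\.123\.123\.(1[0-9]|200)"

# Constructed test addresses for the assumed intent.
MUST_ALLOW = ["123.123.123.10", "123.123.123.19", "123.123.123.200"]
MUST_DENY = ["123.123.123.100", "123.123.123.20", "123.123.123.201",
             "124.123.123.200"]


def lint(pattern):
    """Static warnings for common mistakes in an IP allowlist regex."""
    warnings = []
    if not pattern.startswith("^"):
        warnings.append("missing ^ anchor")
    if not pattern.endswith("$") or pattern.endswith(r"\$"):
        warnings.append("missing $ anchor")
    # A dot that is neither escaped nor inside [...] matches any character.
    if re.search(r"(?<!\\)\.", re.sub(r"\[[^\]]*\]", "", pattern)):
        warnings.append("unescaped '.' matches any character")
    if re.search(r"\(\d-\d\)", pattern):
        warnings.append("'(0-9)' is a literal group, not the class [0-9]")
    return warnings


def audit(pattern, must_allow=MUST_ALLOW, must_deny=MUST_DENY):
    """Return (locked_out, let_in): addresses the pattern treats wrongly."""
    rx = re.compile(pattern)
    locked_out = [ip for ip in must_allow if not rx.search(ip)]
    let_in = [ip for ip in must_deny if rx.search(ip)]
    return locked_out, let_in


def regex_for_networks(cidrs):
    """Build an anchored, fully escaped alternation from small CIDR blocks."""
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if net.num_addresses > 256:
            raise ValueError(f"{cidr} is too large to enumerate")
        hosts.extend(str(ip) for ip in net)
    return "^(?:" + "|".join(re.escape(h) for h in hosts) + ")$"


if __name__ == "__main__":
    generated = regex_for_networks(["123.123.123.10/31", "123.123.123.12/30",
                                    "123.123.123.16/30", "123.123.123.200/32"])
    for name, pattern in [("printed", PRINTED), ("intended", INTENDED),
                          ("unanchored", UNANCHORED), ("generated", generated)]:
        locked_out, let_in = audit(pattern)
        print(f"{name}: warnings={lint(pattern)} "
              f"locked_out={locked_out} let_in={let_in}")
```

Under these assumptions the value as printed locks out .10 to .19 rather than admitting them, which is the failure the tip about excluding your own user guards against; the unanchored variant fails the other way and admits 123.123.123.100.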
The Master Key is one of the most important Boxcryptor Company and Boxcryptor Enterprise features. If enabled, the Master Key gives you the power to decrypt every file which is accessible by users of your company or to reset your users' passwords - without having to know them. With the Master Key, you are protected against the loss of access to your property (your files) even in complicated situations (e.g. when a user forgets his password or leaves the company).
Set up the Master Key
You will lose access to the Master Key if you forget your Master Key password. We are not able to restore it because Boxcryptor is zero knowledge.
- Go to boxcryptor.com.
- Navigate to Security and start the setup procedure.
After the Master Key has been set up, every user will be forced to change their password the next time they sign in to Boxcryptor in order to activate the Master Key for the user.
Each user has to change his password in order to activate the Master Key for his account. The Master Key is inactive and unusable for a user until he has changed his password.
Use the Master Key
When the Master Key is set up and activated, it can be used to reset a user's password or access the user's encrypted files in emergency situations.
Reset a user's password
- Go to boxcryptor.com.
- Navigate to Users and edit a user.
- Verify that the Master Key is active.
- Click on Reset password.
Access your users' encrypted files
- Use Boxcryptor for Windows.
- Open Settings.
- Select the Account tab.
- Click on Unlock.
- Enter your Master Key Password.
- Get physical access to the encrypted files
- Access any encrypted file which can be decrypted by any of your users with an active Master Key.
The Master Key gives you access to the user's private key so that you can decrypt files which also the user can decrypt. If the user cannot decrypt a file because he currently does not have the necessary permission, you also cannot decrypt the file. The Master Key gives you access to all files your users currently have access to, not to any file ever created by your users if they do not have access anymore.
If you delete a user, the user's private key will be deleted and you will permanently lose access to files which can only be accessed by this user - even if the Master Key is active. If you want the ability to access a user's files in the future, it is recommended to disable a user instead.
Activities allow administrators to monitor user activities by logging and recording events related to users, devices, groups and policies. You can filter by date and user as well as set a maximum number of activities. An activity contains the following information:
- Date / time
- Activity type
- Short description
- IP address (last digits are anonymized)
Who can use Boxcryptor for Microsoft Teams?
Boxcryptor for Microsoft Teams is available for all Boxcryptor Company and Boxcryptor Enterprise customers. It is not available for individual users on Boxcryptor Free, Personal or Business plans. If you are interested in using Boxcryptor for Microsoft Teams in your organization, you can start a free 14-day Boxcryptor Company trial or reach out to our sales team for more information. Boxcryptor Company is already available for 5 users and more.
How to set up Boxcryptor for Microsoft Teams?
Setting up Boxcryptor for Microsoft Teams requires two steps:
Step 1: Add the Boxcryptor for Microsoft Teams App
Required role: Microsoft Teams tenant administrator.
The Boxcryptor for Microsoft Teams App can simply be downloaded from the Microsoft App Store.
Step 2: Connect Boxcryptor and Microsoft Teams
Required role: Boxcryptor administrator.
When the Boxcryptor app is added, a Boxcryptor administrator must sign in to Boxcryptor in Microsoft Teams once, so that your Boxcryptor organization can be connected to your Microsoft Teams tenant. After at least one Boxcryptor administrator has successfully signed in to Boxcryptor in Microsoft Teams, Boxcryptor for Microsoft Teams is available for users.
Where can I use Boxcryptor in Microsoft Teams?
Boxcryptor is available in three locations in Microsoft Teams:
- As a personal app in the left navigation bar. The personal app connects with your own OneDrive so that you can access your own encrypted files.
- As a channel app in a channel’s tab bar. The channel app connects with the channel’s SharePoint folder so that all channel members can access encrypted files in the channel.
- As a message extension app in the message compose box of public channels and chats. The message extension app allows you to create conversations using encrypted files and messages. Encrypted files uploaded in the channel chat are stored in the channel’s encrypted files root folder and can also be opened via the channel app.
All three apps are included in the app package you need for the installation and are installed as a complete package.
How can encrypted files be stored in a channel?
Add the Boxcryptor tab to the channel and all channel members will be able to store and access encrypted files in the Boxcryptor tab.
How can I upload an encrypted file in the Boxcryptor personal app or channel app?
To upload a file, drag and drop the file to the file browser in Boxcryptor or click on the “Upload” icon in the upper right corner. You can also upload multiple files at once. Files are automatically encrypted on your computer before being sent to Microsoft.
How can I upload and post an encrypted file or message in a channel or a chat?
Locate the Boxcryptor app in the message compose box. Make sure to also check the “three dots menu” if you cannot find it right away. Then, open the Boxcryptor app and proceed with one of the following options:
- Select “Upload Encrypted Files” and drag and drop or select the files to upload them. After the upload has finished, a Boxcryptor card will be added to your message, which you can send in the chat.
- Select “Send Encrypted Message” and enter your sensitive information in the markdown-supporting text editor. You can also add an unencrypted title to your message that is easily searchable within Microsoft Teams and also set an expiration time if desired.
Do not forget to send your message afterwards. Only then will the Boxcryptor card be posted in the chat so that others can see it.
Can I encrypt already existing files in Microsoft Teams?
No, it is not possible to encrypt already existing files in Microsoft Teams. If you already have files in Microsoft Teams which you want to encrypt, follow these steps:
- Download the existing files in Microsoft Teams to your computer.
- Delete the files in Microsoft Teams.
- Upload the files in Boxcryptor for Microsoft Teams.
Which files can be previewed in Boxcryptor?
In the initial release, Boxcryptor for Microsoft Teams can preview image files (e.g. JPG or PNG) and PDF documents. You can view those files directly in Microsoft Teams without having to download them. If you want to view other files, you must download them and open the downloaded files on your computer. We plan to add preview support for additional file types in the near future.
Can I edit Microsoft Office (Word, Excel, etc.) documents in Boxcryptor?
Unfortunately, no. Microsoft Teams uses Office Online to directly create, view and edit Office documents. Office Online is provided and run by Microsoft and requires Office documents to be sent to Microsoft's servers in order to work with them. For obvious reasons, Boxcryptor cannot send plaintext data to Microsoft and thus does not support Office Online for document editing.
The recommended workflow to edit Office documents in Boxcryptor for Microsoft Teams is to download the document, edit it locally on your device and re-upload the edited document in Boxcryptor for Microsoft Teams. If a file with the same name already exists, you will be asked if you want to overwrite or skip it.
Where are files stored when I downloaded them?
Microsoft Teams stores downloaded files in your default download folder on your computer.
Are all files in Microsoft Teams encrypted by Boxcryptor?
No, even if you install Boxcryptor not all files in Microsoft Teams will or can be encrypted. If you upload files in the channel Files tab, you upload them directly to Microsoft without any chance for Boxcryptor to encrypt them before the upload. This applies when you use the paper clip icon or drag and drop a file when composing a chat message.
To encrypt files in Microsoft Teams, always ensure that you are using the Boxcryptor app, e.g. via the Boxcryptor personal app, channel app or Boxcryptor in the message compose box. Every file you upload via Boxcryptor for Microsoft Teams will be automatically encrypted.
Can I access the encrypted channel files in the Boxcryptor clients?
Depending on your Boxcryptor client, you can access your Microsoft Teams encrypted files in one of the following ways:
- For Boxcryptor for Android, Boxcryptor for iOS and Boxcryptor for macOS: Simply add Microsoft Teams as a provider and sign in with your Microsoft account. You will then see all teams and channels to which you have subscribed and that have Boxcryptor installed.
- For Boxcryptor for Windows: Make sure that the OneDrive client is running and authenticated. Then, open Microsoft Teams, navigate to the Boxcryptor tab of your desired channel and click on the “Sync” button to sync the SharePoint location to your device. Once the sync is set up, the Boxcryptor client will automatically detect your Microsoft Teams channels that have Boxcryptor installed and present them under the Microsoft Teams location.
Boxcryptor permission management in the Microsoft Teams location is not available in the Boxcryptor clients and can only be done within Microsoft Teams.
Can I use Boxcryptor for Microsoft Teams on my mobile device, e.g. iPhone or iPad, or in browsers?
Boxcryptor for Microsoft Teams can be used on Android and iOS in addition to desktop platforms. Here you can view, manage, and share encrypted files as well. You can also use Boxcryptor for Microsoft Teams in the browser versions of MS Teams.
Can I use Boxcryptor in private channels?
Boxcryptor also works in private channels. Unfortunately, due to a Microsoft limitation, you cannot create encrypted files or messages directly in the chat textbox. There is a workaround for encrypted files, however: You can upload files in the Boxcryptor tab and share links to them in your conversations for easier reference.
Does Boxcryptor for Microsoft Teams have a maximum file size limit?
Boxcryptor for Microsoft Teams is subject to Microsoft's file size limitations but does not impose any additional limit.
How can I enable filename encryption in the Boxcryptor personal app?
By default, filename encryption is disabled for Microsoft Teams. If you want filenames in OneDrive to be encrypted, enable filename encryption in the Boxcryptor settings:
- Open the Boxcryptor personal app in the left navigation bar
- Open the Settings tab
- Enable Filename Encryption
This setting only applies to your Boxcryptor personal app and encrypted files stored in your own OneDrive. It does not apply to encrypted files in your Boxcryptor channel tabs.
How can I enable filename encryption in Boxcryptor channel tabs?
By default, filename encryption is disabled for Microsoft Teams and users cannot enable it in channels. If filenames should be encrypted in channels, Boxcryptor administrators can enable the Require Filename Encryption policy.
If you need a different way to manage filename encryption in channels, drop us a line with your feedback.
How can I enable filename encryption for encrypted chat files?
Filename encryption of encrypted chat files depends on the settings of your personal Boxcryptor app. These settings are overruled by Filename Encryption policies of your organization.
Where are the encrypted channel files stored?
Boxcryptor for Microsoft Teams stores the encrypted files of a channel in a special folder within the channel’s folder in the SharePoint team site document library. The special folder is located at /App Data/b32f3a5e-53f3-4fc7-b387-8aa72d66c95e. If this folder is renamed, moved or deleted, encrypted files can no longer be accessed in Boxcryptor for Microsoft Teams.
Where are the encrypted chat files stored?
Encrypted chat files are stored in a special OneDrive folder (Boxcryptor Chat Files/<CHAT_ID>) of the sender of the file and shared with the respective conversational participants.
How can I prevent the upload of unencrypted files in a channel?
As all files uploaded in a channel are stored in the SharePoint team site, SharePoint permissions can be used to enforce usage of the Boxcryptor app and prevent the upload of unencrypted files in a channel.
- Make sure that the Boxcryptor tab is installed in the channel.
- Open the channel's Files tab and click on Open in SharePoint.
- In SharePoint, open the Details pane by clicking on the Information icon in the upper right corner.
- Click on Manage access and change the members' permissions from Can Edit to Can View.
- Navigate to the Boxcryptor special folder at
- Click on Manage access and change the members' permissions from Can View to Can Edit.
By restricting edit permissions to the Boxcryptor special folder, team members cannot upload files outside of this folder and are prevented from uploading unencrypted files in the Files tab or in the channel's chat.
What happens if the Boxcryptor tab is removed?
Encrypted files stored in the channel’s folder in SharePoint are not deleted if the tab is removed. If you change your mind, any user with access to the encrypted files can always add the tab back in and access to encrypted files will be immediately restored. If you do not yet have access to the encrypted files, ask a team member with access to add the Boxcryptor tab again. If you want to delete the encrypted files, you must delete the Boxcryptor App Data folder in SharePoint.
What happens if a channel is deleted?
Encrypted files stored in a channel’s folder in SharePoint are not deleted if a channel is deleted. If you change your mind and restore a channel, you will be able to access the encrypted files again after the Boxcryptor tab has been added. If you want to delete the encrypted files, you must delete the Boxcryptor App Data folder in SharePoint.
How can I manage permissions for encrypted files in a channel?
Good news: You don’t have to. Boxcryptor automatically takes care of key and permission management so that all channel members have access to encrypted files in the channel. Manual permission management is not required.
When Boxcryptor has been added to a channel, the user who added the tab has access to the encrypted files. If other members open the Boxcryptor tab and do not yet have access, they can request access from other channel members. Once their request has been granted, they can access the encrypted channel files.
How can I sign out from my Boxcryptor account?
- Open the Boxcryptor personal app in the left navigation bar
- Open the Settings tab
- Click on Sign Out
How can I stay informed about the latest Boxcryptor for Microsoft Teams updates?
If you would like to stay up to date on the latest updates and features, please subscribe to our newsletter.
Besides users being able to install Boxcryptor on their devices with administrator rights, Boxcryptor administrators can also roll-out and deploy Boxcryptor for their users.
Deployment through GPO
Boxcryptor can be deployed comfortably within a company network by means of group policies. The basic steps for this process are described in this tutorial.
There are, however, a couple of necessary modifications of the process described in the tutorial. This is due to the fact that the Boxcryptor installer is multi-language, and cannot be deployed over group policy without modification.
Prerequisites: Microsoft Orca is required to modify the Boxcryptor installer. It is a tool that allows modification of existing MSI package files and is shipped as part of the Windows SDK Components for Windows Installer Developers. There is also a standalone version available at technipages.com.
- Download the current version of Boxcryptor from here.
- Open Microsoft Orca and open the Boxcryptor Setup MSI package.
- Select View -> Summary Information….
- Remove all entries in Language except 1033.
- Click OK.
- Save the installer using File -> Save.
The installation might still fail due to different language settings on your client. In this case, make sure to ignore languages during installation:
- Open the Group Policy Management Editor.
- Navigate to the Boxcryptor deployment package.
- Right-click it -> Properties.
- Navigate to Deployment -> Advanced.
- Make sure that Ignore language when deploying this package is checked.
If the installation still fails, try the following steps:
- Open the Group Policy Management Editor, navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy and increase the Startup policy processing wait time.
- Open the Group Policy Management Editor and make sure that Make this 32-bit X86 application available on Win64 machines is checked (next to the Ignore language when deploying this package setting).
Custom Installer Flags
The installer can be started with the following flags:
- "True"), set to "False" to avoid creating autostart entries for Boxcryptor.
- "True"), set to "False" to avoid creating a desktop shortcut for Boxcryptor.
- "False"), set to "True" to enable logging for the Explorer integration.
- "True"), set to "False" to avoid starting Boxcryptor after the installation completes.
Use the flags like so:
<PATH\TO\INSTALLER.msi> [<FLAG>=<VALUE> [<FLAG>=<VALUE>]... ]
VALUE :: "True"|"False"
Custom Settings location
Boxcryptor will by default store its user settings at
The destination can also be set using the following methods:
- Boxcryptor.exe.config (in the Boxcryptor installation directory): change
- HKLM Registry: Create a string value
- HKCU Registry: Create a string value
HKCU > default path at
We recommend using environment variables such as %userprofile% so that the settings are distinct between user profiles.
Sharing the same settings folder among multiple Windows user profiles is not supported.
(Experimental) Support for Thin Clients (Terminal / Citrix Server)
To run Boxcryptor on thin clients, we recommend enabling Terminal Environment Mode via Boxcryptor.exe.config. We also recommend changing the default settings folder to a roaming location so that Boxcryptor settings are synchronized correctly. If you encounter any problems during the implementation, don't hesitate to contact us.
Advanced Client Configuration
Some preferences of Boxcryptor are not exposed in the user interface. While it is generally not recommended to modify these preferences, experienced users or administrators might want to do it to better tailor Boxcryptor to their needs.
How to manage the application configuration file
Boxcryptor's configuration file Boxcryptor.exe.config is located in the Boxcryptor installation folder (
To make modifications to this file, open it in a text editor.
%PROGRAMFILES(x86)% require administrative permissions.
If using the default text editor (Notepad.exe), it must be run as administrator to successfully save modifications. (Windows Key + type "Notepad" -> right-click on the text editor in the search result -> Run as Administrator)
Also make sure that the result is saved as a .config file, as some editors may append
The application configuration file is an XML-based configuration with the following format:
<configuration>
  ...
  <appSettings>
    <add key="KEY" value="VALUE" />
  </appSettings>
  ...
</configuration>
To change any setting defined by a key, change the associated
The configuration file is loaded when Boxcryptor starts. If Boxcryptor is running when you modify the config, you have to restart Boxcryptor for the change to be applied.
Updating Boxcryptor may revert the configuration file. Make sure to create a backup of your configuration.
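The edit-and-backup procedure described above, as a script. This is an added example and not part of Boxcryptor's own tooling or documentation; the function names Set-AppSetting and Get-AppSettingDrift are hypothetical, and the config path, KEY and VALUE are supplied by the caller.

```powershell
# Added example, not Boxcryptor tooling. Run in an elevated PowerShell session.
function Set-AppSetting {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,  # path to Boxcryptor.exe.config
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    $ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path
    # Timestamped backup first: an update may revert the file.
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $ConfigPath, (Get-Date)
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) { throw "No <appSettings> element in $ConfigPath" }
    # Update the existing <add key="..."> element, or append one if it is missing.
    $node = $appSettings.SelectNodes('add') |
        Where-Object { $_.GetAttribute('key') -eq $Key } | Select-Object -First 1
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
    $xml.Save($ConfigPath)   # saved under the same name, so it stays a .config file
    return $backup
}

function Get-AppSettingDrift {
    param([string] $ConfigPath, [string] $BackupPath)
    $read = {
        param($path)
        $map = @{}
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load((Resolve-Path -LiteralPath $path).Path)
        foreach ($n in $doc.SelectNodes('/configuration/appSettings/add')) {
            $map[$n.GetAttribute('key')] = $n.GetAttribute('value')
        }
        $map
    }
    $current = & $read $ConfigPath
    $saved = & $read $BackupPath
    # Report every setting whose value in the live file differs from the backup.
    foreach ($k in $saved.Keys) {
        if ($current[$k] -ne $saved[$k]) {
            [pscustomobject]@{ Key = $k; Backup = $saved[$k]; Current = $current[$k] }
        }
    }
}
```

Restart Boxcryptor after Set-AppSetting so the change is loaded. Because the backup is taken before the edit, the new value itself shows up in Get-AppSettingDrift; after a Boxcryptor update, compare against a copy of the edited file to see which settings were reverted.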
List of application settings
false): New files created by applications in unencrypted directories will be written encrypted by default.
true): Support for alternate data streams. Note that ADS support is only enabled if all enabled Boxcryptor locations do support this feature.
EncryptDialogIncludedProcesses: A comma-separated list of processes which will trigger the "Do you want to encrypt" dialog when creating files in unencrypted directories.
SupportedBackupProcesses: A comma-separated list of processes that will receive backup-optimized file system I/O such as early downloading on-demand files.
true): Create log file in %LOCALAPPDATA%\Boxcryptor\Crash Logs upon crash.
ProcessNamesPreventingShutdownOnSessionEnd: A comma-separated list of all processes that need to be closed before Boxcryptor closes on session end to prevent data loss on files open via the Boxcryptor volume.
false): Prevent automatic updates and also suppress any update notifications.
false): Disable the creation of the Boxcryptor quick access icon in the Windows Explorer's navigation pane.
""): A custom path where Boxcryptor stores its user settings. Can contain environment variables. See Teams/Deployment/Custom Settings location for more information.
false): Predefines and restricts certain Boxcryptor settings to be compatible to thin clients (Terminal / Citrix Server).
15000): Defines the period in milliseconds in which the client synchronizes with the Boxcryptor servers.
false): Permanently deactivates the automatic display of the tutorial and the introduction.
""): Provides the ability to transfer command line parameters to the WebView2 web rendering engine.
true): Attempts to reconnect disconnected network locations (SMB and WebDAV) at startup. Might show a user authentication dialog.