9

Boxcryptor https://www.boxcryptor.com is not Open Source. Can I trust this? Is it secure? No government backdoor?

Because there is no alternative for OS X and iOS.

Sybil
  • as @Mark touched upon, we don't really have any more information than you. how would _we_ know if it's backdoored, if it's not free and open source software? – strugee Jul 21 '14 at 01:19
  • 1
    I'm using [SpiderOak](https://spideroak.com/), their encryption method seems pretty secure ([and is well documented](https://spideroak.com/engineering_matters#encryption)), and it runs on OSX and iOS. – mdeous Jul 21 '14 at 01:23
  • 3
    The fact that it's closed source should raise a red flag. So no, you probably shouldn't trust this software. – Expedient Jul 21 '14 at 03:18
  • encfs can be used on OSX, why isn't that an option? http://www.maketecheasier.com/install-encfs-mac/ – YoMismo Jul 21 '14 at 11:05
  • Here are the things I worry about with BoxCryptor: Not open source, and no audit. Encryption is not authenticated. However, perhaps dropbox provides some kind of integrity check? I don't know. Just be aware that possibly your ciphertext could be modified by an attacker that has access to your files. So, you will have to make your own judgment call as to how much you trust the company. (I posted this as an answer, but apparently it doesn't qualify. I question if this has "an answer") – DrEntropy May 27 '15 at 19:30

2 Answers

14

That's a judgment call you'll have to make for yourself, but their technical overview has what I consider a huge red flag:

> Which data is stored on the Boxcryptor Key Server
>
> Private RSA key (encrypted with the user's password)

The fact that your private key is stored on their server, even if it's encrypted with your password, greatly weakens security. It means that, at best, the security is as strong as your password, rather than being as strong as the underlying encryption.

Mark
  • Using the key servers is the default setting but it is not required: https://www.boxcryptor.com/help/boxcryptor-account/#local-account – Oliver A. Jun 17 '19 at 09:05
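
Added example, not part of the original answer and not Boxcryptor's code: a sketch of a password-wrapped key blob, showing that whoever holds the stored blob needs only the password, so the password bounds the protection. PBKDF2, the iteration count and the XOR keystream (a standard-library stand-in for a real cipher) are assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets

ITERATIONS = 10_000  # assumed KDF cost for this demo, not a vendor setting


def _derive(password, salt, n):
    """Stretch the password into an n-byte keystream plus a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=n + 32)
    return out[:n], out[n:]


def wrap(private_key, password):
    """Build the blob a key server would hold: salt, ciphertext, tag."""
    salt = secrets.token_bytes(16)
    stream, mac_key = _derive(password, salt, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob, password):
    """Return the private key if the password is right, otherwise None."""
    stream, mac_key = _derive(password, blob["salt"], len(blob["ct"]))
    expected = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def effective_bits(password_bits, key_bits):
    """Approximate log2 of the work to open the blob: password guesses
    times KDF iterations, capped at the strength of the key itself."""
    return min(password_bits + math.log2(ITERATIONS), key_bits)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed stand-in for a private key
    blob = wrap(key, "correct horse")        # constructed password
    print(unwrap(blob, "correct horse") == key, unwrap(blob, "guess") is None)
    # Constructed figures: ~37.6-bit password vs. a key rated at 112 bits
    print(round(effective_bits(37.6, 112), 1))
```
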
3

The storage of the encrypted private key on their servers mentioned by Mark is optional - you can choose to use the local account and distribute the keys yourself.

numo68
  • 1
    Done. The EncFS compatibility is there only for the Boxcryptor Classic, which is still available, but unfortunately not supported anymore. – numo68 Jan 03 '16 at 13:32
  • Have an upvote :-) – Rory Alsop Jan 03 '16 at 14:06
  • 1
    Sad that boxcryptor classic is dead. I'll be moving on to something else. – Jus12 Mar 26 '16 at 11:20
  • @Jus12: What did you move to now? Cloudfogger? I know it's not supported anymore, but I don't think it needs many major updates regarding security - I mean encfs is a pretty old algorithm and as far as it was already implemented correctly, no need to update it. Only feature-wise it would be nice. – tim May 28 '16 at 16:06