Boxcryptor and its Alternatives in Comparison – Cloud Encryption for Teams
The cloud security landscape has changed since we launched Boxcryptor. There are now different solutions on the market with very different approaches, but they all have the same goal: to protect your data in the corporate cloud. In this article we want to compare Boxcryptor with other enterprise cloud security solutions. We discuss the advantages and disadvantages of the individual services, the different encryption and key management approaches, and other differences between the solutions.
The services included in the comparison are Boxcryptor, the team and enterprise solutions from Tresorit and Sync.com, as well as Microsoft’s Azure Information Protection. We also explain why you should not use Dropbox, Google Drive or OneDrive without encryption, and why some products that are sold as encryption solutions are not real alternatives.
All information provided was collected on the 26th of August 2019.
Boxcryptor
Boxcryptor is a zero knowledge encryption software that adds an additional layer of security to the cloud of your choice through strong end-to-end encryption (E2EE).
In addition, Boxcryptor is the only cloud encryption provider to offer true single sign-on (SSO) to enterprises based on the zero knowledge principle.
The company behind it: Secomba GmbH was founded in 2011 by Andrea Pfundmeier and Robert Freudenreich and is based in Augsburg. The company has 30 employees and exclusively develops Boxcryptor and the file transfer service Whisply.
Encryption: End-to-end encryption with AES-256 and RSA-4096, Zero Knowledge
Team licenses: Company, Enterprise
Pricing of the team licenses: from 10 € per user/month (Company, annual billing)
Supported providers: 30+ and all providers with WebDAV protocol, NAS, File Server and network drives
Supported platforms: Windows, Mac, iOS, Android, Portable Version (usable on Linux)
Enterprise features: Single sign-on, Active Directory support, activity auditing, remote wipe, custom policies, premium support, personal account manager, personal onboarding support
Languages: DE, EN, ES, IT, FR, RU
Further advantages: Discounts for NGOs and educational institutions, NAS and network drive encryption, HIPAA compliance
Since Boxcryptor itself is not a storage provider, features such as versioning and data recovery are not part of our own portfolio. However, most cloud providers offer these features and our software does not interfere with them. This means you can choose the cloud storage of your choice, independently of Boxcryptor, and then set up our award-winning encryption as an additional layer of security without losing convenience.
Info: In addition to team licenses, Boxcryptor also offers licenses for private and commercial single use.
Tresorit
Tresorit is a cloud storage provider with integrated zero-knowledge encryption. The biggest difference from Boxcryptor is that Tresorit bundles cloud storage and encryption in one product. Other popular cloud storage services such as Dropbox, Google Drive and OneDrive cannot be encrypted with it.
Because Tresorit runs on Microsoft Azure infrastructure, the data is ultimately stored on the servers of an American provider. Although these servers are located in Europe, they fall within the reach of the CLOUD Act. Thanks to the strong encryption this is not necessarily a problem, but it is no real advantage over storing Boxcryptor-encrypted data with Dropbox or other providers.
The company behind it: Tresorit AG is a Swiss-Hungarian company founded in 2011 by three Hungarian programmers. In April 2014, Tresorit was launched on the market.
Encryption: End-to-end encryption with AES-256 and RSA-4096, Zero Knowledge
Team Licenses: Business small/regular, Enterprise
Pricing of the team licenses: from 12 / 16 / 20 € per user/month (with annual billing)
Supported providers: Own cloud service, no encryption of external providers
Supported platforms: Windows, Mac, iOS, Android, Linux
Team and enterprise features: Unlimited versioning, remote wipe, user-defined policies, Active Directory integration, custom branding
Languages: DE, EN, ES, FR, HU
Storage: 1 TB/user for team licenses
Data Centre: EU (IRL/NL) - Microsoft Azure
Info: Tresorit also offers licenses for private and single users.
Sync.com
Similar to Tresorit, the Canadian company Sync.com offers cloud storage with integrated zero knowledge encryption. With its own server locations in Canada, data stored on Sync.com servers does not fall under American laws such as the CLOUD Act. Sync.com, like Dropbox, relies on a “Sync Folder” structure.
Sync.com supports single sign-on (SSO) according to its own description. However, on its website the company only describes the automatic login to the web application when the user is already signed in to the desktop client.
In its privacy whitepaper Sync.com also states that it encrypts both files and their metadata. Unfortunately, there is no explicit statement about whether file names are encrypted as well.
The company behind it: Sync.com Inc. was founded in 2011 and launched its desktop and mobile apps in 2015. Special business solutions have been available since 2016.
Encryption: End-to-end encryption with AES-256 and RSA-2048, Zero Knowledge
Team Licenses: Business Pro / Business Pro Advanced - from 2 users each
Pricing of the team licenses: 5 / 15 $ per user/month (with annual billing)
Supported providers: Own cloud service, no encryption of external providers
Supported platforms: Windows, Mac, iOS, Android
Team and enterprise features: Remote Wipe and Lockout, Team Folder, Custom Policies and Permission Management, Admin Features such as User Password Management and Activity Auditing
Languages: EN
Data Center: CA – Own Server Structure
Further features: Sync Vault is a cloud-exclusive storage space, e.g. for backup data. Files in the Vault are not automatically synchronized and therefore do not occupy any space on your hardware.
Info: Sync.com also offers licenses for private and single users.
Azure Information Protection
Azure Information Protection (AIP) was launched by Microsoft in June 2016. Previously, the company acquired the Israeli startup Secure Islands, which focused on automatic data protection. AIP enables companies to classify documents and emails and optionally protect them. The security label is linked to the corresponding file and is active regardless of where it is stored or processed.
The company behind it: Microsoft
Encryption: AES-128/256 (data encryption), RSA-2048 (key protection), SHA-256 (certificate signing)
Team Licenses: AIP for Office 365 / AIP Premium P1 / AIP Premium P2
Pricing of the team licenses: Included in Office 365 Enterprise E3 / 2 $ / 5 $. The AIP Premium P1 and P2 licenses are also included in various software bundles.
Supported providers: Provider-independent protection
Supported platforms: Windows, Mac, iOS, Android
Languages: DE, EN, ES, FR, RU, CN, etc.
Team and enterprise features: Access protection through digital rights management based on protection classes, audit functions, BYOK/HYOK (Comes with many limitations. Further information can be found on the info page of the provider.)
Information that you protect is never sent to or stored in Azure, unless you explicitly store it in Azure or use another cloud service that stores it in Azure. Azure RMS simply makes the data in a document unreadable to anyone other than authorized users and services. (Source: Microsoft)
Problems: Native content protection covers only a selection of file formats, and only a selection of programs support AIP functions. Boxcryptor, on the other hand, encrypts any type of file. AIP offers a similar function under the name “generic protection”, which classifies and protects a file as a whole and gives it the file name extension .pfile. However, AIP does not encrypt file names, so both the name and the type of an AIP-protected file remain visible in plain text even though the content itself is protected. In addition, .pfile files can only be opened on macOS, iOS and Android with the corresponding viewer app.
Although AIP separates the data storage location from the key storage location, it is not zero-knowledge encryption either: Microsoft’s service has access to the tenant keys it uses. With BYOK the key is imported into Microsoft-managed HSMs; only the restricted HYOK option keeps a key on-premises, and it applies to a subset of content only.
Advantages: Protection independent of storage location, access rights can be graded (access policies are added separately to the document and are not affected by document encryption), classification takes place in the respective program.
Info: Azure Information Protection also offers a free license for consuming AIP-protected content. However, this free use is limited to reading protected files.
Overview: Comparison of All Providers
The comparison shows that Boxcryptor is no longer alone when it comes to protecting cloud data. Nevertheless, when choosing a suitable encryption service, the decisive, security-relevant functions should take priority.
What You Should Pay Attention To
First of all, the question of which algorithms and processes are used is important. Only strong, standard algorithms such as AES-256 and RSA-4096 offer reliable, state-of-the-art protection, and even then the mode of operation and the key handling matter as much as the algorithm name. Also, the difference between server-side and client-side encryption should always be considered. True zero knowledge encryption is only possible if data is encrypted in the client (on your device) and reaches the cloud storage exclusively in encrypted form. To guarantee this, it is advisable to keep encryption and storage separate.
Incidentally, it is not enough to simply bring your own key (BYOK). Although providers promise that you retain control over your key, it is still transferred to the service, which then works with it in a certified environment (FIPS 140-2 HSMs). The key is therefore no longer exclusively yours, even though you supplied it: the service can use it to decrypt on your behalf whenever its processes, or anyone with access to them, call for it. BYOK solutions, therefore, do not necessarily comply with the zero knowledge principle.
You should also be skeptical if you cannot find a clear description of the encryption processes and algorithms on the provider’s website within a few clicks and without much research. At Boxcryptor, you will find these divided into key management, an overview of the algorithms used, and a general technical overview. In our help section we also offer a larger selection of detailed process descriptions and step-by-step instructions.
Zero Trust is not Zero Knowledge
In the previous paragraph we referred to the important (spatial) separation of data and keys. Some providers promote this separation under the “Zero Trust” label. However, you should not confuse this promise with the zero knowledge principle.
Used this way, zero trust only means not leaving full responsibility with one party. (It has little to do with the zero trust architecture concept in network security, where no request is trusted on the basis of its network location alone.) Providers achieve this by either keeping data and keys separate or by actually storing only one of the two themselves. In both cases, however, the key host can in principle access the keys and the data host the (encrypted) data.
Imagine it as an errand: messenger A carries a locked box, messenger B the key. Neither messenger can access the contents on their own, but if both were intercepted at the same time, or met secretly on the way, the encryption would be worthless.
Boxcryptor already supports “zero trust” by operating independently of the cloud storage provider: the encryption takes place on the end device. In addition, Boxcryptor not only secures the data, but also the data key, with your personal password, which we never see. In this way, we guarantee that only you (or persons authorized by you) have access to encrypted information. We call this promise a zero knowledge guarantee. It excludes a back door for third parties. You can read in detail how this solution works here.
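The two points above, client-side encryption with a key that never reaches the provider (the paragraph on client-side encryption and BYOK) and the fact that a host holding ciphertext or a wrapped key alone learns nothing (the messenger analogy), shown as an added Go example. This is illustrative code written for this article, not Boxcryptor’s or any other provider’s implementation: it generates a random per-file AES-256 key, encrypts the content and the file name with AES-GCM, and wraps the file key with the user’s RSA public key (RSA-OAEP). Everything in the resulting Envelope can be handed to a storage host or a key host; only the client, which keeps the private key, can open it. The type and function names (Envelope, Seal, Open, GenerateKeyPair) and the sample file are the example’s own; protecting the private key with the user’s password is assumed to happen on the client and is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Envelope is everything that leaves the client; without the user's private key every field is opaque.
type Envelope struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the user's public key
	Nonce      []byte // fresh GCM nonce for the content
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	Name       string // encrypted file name: base64url(nonce || ciphertext)
}

// GenerateKeyPair creates the user's RSA key pair on the client (hypothetical helper for this example).
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts content and name under a random file key and wraps that key for pub.
func Seal(pub *rsa.PublicKey, name string, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	nonces := make([]byte, 2*ns) // first nonce for the content, second for the name
	if _, err := rand.Read(nonces); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	nameCT := aead.Seal(nil, nonces[ns:], []byte(name), nil)
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonces[:ns],
		Ciphertext: aead.Seal(nil, nonces[:ns], plaintext, nil),
		Name:       base64.RawURLEncoding.EncodeToString(append(nonces[ns:], nameCT...)),
	}, nil
}

// Open unwraps the file key with priv and authenticates content and name; any other key or any tampering fails closed.
func Open(priv *rsa.PrivateKey, env *Envelope) (string, []byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return "", nil, fmt.Errorf("cannot unwrap file key (wrong or missing private key): %w", err)
	}
	aead, err := newGCM(fileKey)
	if err != nil {
		return "", nil, err
	}
	plaintext, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", nil, fmt.Errorf("content failed authentication: %w", err)
	}
	raw, err := base64.RawURLEncoding.DecodeString(env.Name)
	ns := aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", nil, fmt.Errorf("malformed encrypted name")
	}
	name, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", nil, fmt.Errorf("name failed authentication: %w", err)
	}
	return string(name), plaintext, nil
}

func main() {
	priv, err := GenerateKeyPair(4096) // the RSA size the comparison lists
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, "q3-forecast.xlsx", []byte("revenue,4200\n")) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %q, %d opaque bytes\n", env.Name, len(env.Ciphertext))
	name, plain, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovers %q: %q\n", name, plain)
}
```

The point to take from it: the storage host sees only the Name, Nonce and Ciphertext fields, a key host sees only WrappedKey, and even a party holding the whole Envelope cannot decrypt without the private key, which the client never uploads. A BYOK setup differs precisely here, because the equivalent of the private key is handed to the service.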
Conclusion: No Compromises When it Comes to the Security of Your Data
While strong encryption methods would help, the problem is that most truly effective encryption methods would make their web interface unusable.
With these words, the cloud provider ownCloud criticized the lack of security of many providers, especially in the public cloud sector. Our comparative article is intended to help you identify solutions that are not ideal.
With an additional protective layer, for example storage-independent, client-side encryption, you can take strong measures to protect your company’s data yourself. The advantage of Boxcryptor is that the functionality of your preferred cloud storage service is not impaired: on-the-fly encryption lets you work as usual in a familiar environment while Boxcryptor takes care of data protection in the background. Whichever solution you choose in the end: please do not compromise on the security of your data.