FolderKey.bch - Can an attacker use this file to decrypt my files?

Bjoern

Hello there,

i have a question. I run ownCloud on my own Server. I also use boxcryptor to encrypt some of my important files.

So now i`ve seen that there is a file called FolderKey.bch in that Folder that holds the encrypted files.

If someone now attacks my Server and can gain Access to my encrypted files. Can then the attacker use this File to decrypt my files?

I`m a Little bit unsure for what this file is?!

Robert

Hello Bjoern,

No, the FolderKey.bch file cannot be used to gain access to your encrypted files. This file serves three purposes:

1) Marking a folder as "encrypted"
A folder which contains a FolderKey.bch file is recognized as an encrypted folder by Boxcryptor and thus be marked "green" in the Boxcryptor drive. All files created in such an encrypted folder are automatically encrypted.

2) Permission to access a folder
In order to be allowed to open a folder in Boxcryptor, a user must be able to successfully decrypt the key stored in the FolderKey.bch file. If he cannot, Boxcryptor will deny access to this folder. (Note: This is not a strong access restriction but rather a convenience feature. Anybody with access to the source folder could easily open the folder outside of Boxcryptor. Strong access restriction is only available for files whose content is encrypted by Boxcryptor - folders itself (not their files) cannot be "encrypted" as they're just containers for files)

3) Permission inheritance
Most importantly, the FolderKey.bch of a folder is used as a permission "template" for new files and folders created within this folder. When you create a new file, Boxcryptor will apply the same permissions of its parent folder (instead of just you). So if users A, B and C have access to a folder, new files will also be accessible for the users A, B and C. This information needs to be stored somewhere and we're using the FolderKey.bch file for it.

Best regards,
Robert

PS: If the FolderKey.bch file is deleted, no damage is done. All information required to decrypt a file is directly stored in the encrypted file itself. When the FolderKey.bch file is missing, the parent folder will simply not be recognized as an encrypted folder anymore (but it's encrypted content will be).

JohanUU

I've found that an attacker can delete the folder key but can not actually access the file. However, when the authorized editors modify the file, the encryption automatically disables after saving. No notifications whatsoever.

In other words, an attacker can delete the folder keys and wait for someone to edit the file. after that it is accessible to the attacker.

Christian

Hello JohanUU,

you do get the notification that the folder itself is no longer regarded as "encrypted" by Boxcryptor by looking at the status icons.

This behavior is not shared among all applications, either. Most apps update their files on a safe by just doing that - updating the existing file. In this case, deleting the FolderKey.bch will not result in an unencrypted file on a save.

Some apps, however, don't really update the existing file, but create a completely new file and delete the old one afterwards. Since it's a new file, it's created by the access rights stored for the containing folder. And since the FolderKey.bch is deleted, this means it is going to be created as plaintext.

I agree that it would be better if this behavior would be handled explicitly. I've added this to our roadmap - though I cannot name a date when and if it will be implemented.

May I ask which app does display the said behavior?

Best regards,
Christian

florian2833z

Christian I agree that it would be better if this behavior would be handled explicitly. I've added this to our roadmap - though I cannot name a date when and if it will be implemented.

Has this been fixed? I recently contacted the support regarding an option to force encryption and she told me that she just added this to the roadmap.

Christian

Hello Florian,

the issue is still on our roadmap - our support did push it a bit more into our focus, though. The changes required to handle this scenario were simply bigger than expected, and we had some issues with higher priority that kept us busy.
For companies however, there does already exist an option to enforce encryption with a policy.

Christian

Update: There will be an option in the upcoming desktop versions to change the default encryption behavior of Boxcryptor.

To activate it on Windows:
Edit Boxcryptor.exe.config in the installation folder -> Set the value for "EncryptByDefault" from "false" to "true" -> restart Boxcryptor.

For OSX we'll adapt the documentation on https://www.boxcryptor.com/en/help/faq-and-troubleshooting/macos/#hidden-preferences as soon as we release the new feature.