Hey guys, on the boxcryptor info site on "App Protection" there is a note that says:

Note: If an attacker gains access to your operating system, it is theoretically possible for him to modify the locally stored Boxcryptor settings in such a way that the protection feature can be circumvented. While this feature can help you better protect your encrypted data on your computer, it does not guarantee 100% security against sophisticated attackers with access to your operating system. We recommend to follow local device security best practices, to avoid such a situation.
(https://www.boxcryptor.com/en/help/settings/macos/)

Now, I just want to understand why/how an attacker can do this when he gains access to the operating system. Doesn't he still need my password to decrypt my private key to decrypt the data? (Sorry for such a beginners question)

Oh and of course I am not asking you for a detailed instruction on how one can do this , I just want to know what I generally misunderstand with my simple logic from above. Why does the attacker not need the password to decrypt my data?

Thanks a lot!

juliju

So I thought about it and I guess what happens is the following:

My key is stored in unencrypted form locally on my computer. If an attacker takes control over my computer, then he can simply take this key to decrypt my data. I.e. what actually happens when I open boxcryptor locally on my computer and I am asked to input my password is not that my private key gets decrypted by my password (since it is already stored in decrypted form anyway). What happens is simply that the boxcryptor app decrypts the data for me. So it is basically a user convenience thing. If I don't enter the password, I could still just take my private key (that I already have access to since it is stored on my computer!) and use it to decrypt my data myself. So on my computer the data is not secured at all, boxcryptor provides security exclusively for the cloud. (Which is of course entirely legid! That is what it is meant to do! I just wanted to make sure that I actually understand correctly what is going on)

Is that correct?

If it is correct, then I think that the official boxcryptor note that I cite above is quite misleading! Since in the scenario I described, there is no need for the attacker to modify any settings, or is there?

This is a very good post. Thank you. I'm surprised you have not heard back from support. Maybe you could help me with a follow-up question however:

Does what your said also apply to other devices? Such as my Android phone or my iPad which I have Boxcryptor on? Is the key stored unencrypted and if an attacker got access to these devices they could just decrypt local files? (assuming one can save local encrypted files on android and iOS. I haven't tried, I just use it w cloud service)

Still curious if the key is in plain text or encrypted with my Boxcryptor password?
Thanks!

Hey, kluzaklien, I hope somebody will tell us one day.

But maybe the only way for this to happen is to buy a boxcryptor subscription such that we are allowed to directly ask the customer support

Dear Esad, thank you very much for your reply. You talked about the settings. I'm struggling to understand the role that the settings are playing. Why does access to my data (on my device) depend on the settings?

Is the data on my device encrypted or is it not encrypted?