Is Box end-to-end encrypted?

Box has become a favorite cloud provider for tens of millions of companies, schools, and individuals. How secure is Box?

Box is a cloud-based storage and collaboration platform that was founded in 2005. It allows users to store, share, and access files online. Box's features include file sharing, version control, and security controls. Box offers users 10GB of free storage space. As on Dropbox, Google Drive, and other platforms, users can earn more storage space by referring friends or completing certain tasks. Box also offers a variety of paid plans for businesses and individuals who need more storage space or who need additional features, such as the ability to password protect files or set expiration dates. Box also offers native applications for synchronizing files across devices on iOS, Mac, Android, Linux, Microsoft Windows, and more.

Box, Dropbox, and other cloud providers

There are a few key differences between Box, Dropbox, and Google Drive, which are currently the largest cloud providers by number of users. For one, Box is geared more towards businesses, while Dropbox and Google Drive are frequently marketed more towards individuals, or with more consumer features. This is reflected in the pricing structure of the three services - Box is more expensive than Dropbox and Google Drive.Another key difference is in the features offered by the three services. Box offers more features than Dropbox and Google Drive, including the ability to create custom workflows, access control features, and integration with a variety of business applications. Dropbox and Google Drive, on the other hand, are more basic and focused on file storage, upload, and sharing.Another key difference is in the way the three services are structured. Box is a cloud-based service, while Dropbox and Google Drive are more focused on offering client-side synchronization applications - which was Dropbox’s first major invention in 2008. This means that Box is more flexible and scalable, but it also requires more trust from users, as all data is stored off-site.Overall, Box is a common choice for businesses that need a more robust and feature-rich file storage and collaboration solution than larger consumer products including Drive and Dropbox. Dropbox and Google Drive are better suited for individuals or businesses that have less need for advanced features and are more concerned with affordability. However, all three services, including Box, do not use end-to-end encryption, meaning that sensitive encrypted data remains accessible to service providers (Box, Google, etc.). As a result, service provider employees, law enforcement, or data breaches could lead to exposure and decryption of user data by hackers.We’ll review why end-to-end encryption matters, and then give a brief overview of the best end-to-end encrypted cloud providers that keep all data private to users and intended recipients.

Encryption at rest vs. encryption in transit vs. E2EE

Box’s security page on encryption markets encryption at rest, encryption in transit, and the use of 256-bit AES encryption to protect stored data. However, compared to other cloud provider and when facing vulnerabilities today, is this sufficient?Encryption at rest is used to protect data that is stored, such as on a hard drive or in a database, and is where Box would use 256-bit AES encryption. Encryption in transit is used to protect data that is being sent, such as over the internet or through email. In this format, Box uses TLS 1.2, which is now a basic standard for internet communication and represents the absolute bare minimum of security an internet user may expect. For example, Chrome completely blocks all websites that do not support TLS and HTTPS.Encryption at rest is important because it helps to prevent data from being accessed by unauthorized people. If data is encrypted, it is much more difficult for someone to access it and read it. Encryption in transit is important because it helps to prevent data from being intercepted by someone who should not have access to it. Data should always be encrypted when it is being stored or sent. This will help to protect it from being accessed by unauthorized people.Today, this level of encryption is considered a bare minimum - yielding basic levels of protection but not a sufficient standard for data privacy. End-to-end encryption works on a much stronger level, encrypting data client-side with users’ public keys such that users, and not cloud providers, can access this data. Below, we’ll give an overview of how end-to-end encrypted cloud providers operate, as well as some suggestions for the best E2EE cloud services.End-to-end encryption keeps encrypted data completely private to users - user files, documents, and notes cannot be decrypted by a cloud provider. Encryption keys never leave customers’ devices, or are encrypted with another key (such as a user’s password) before they are ever sent over a network connection. As a result, all private keys remain unknown to cloud providers. This level of protection is critical in multiple cases, including if a cloud provider is hacked, which has happened multiple times, if employees try to maliciously access data, or if law enforcement seeks data access. Many user privacy debates have surfaced around end-to-end encryption protecting users’ encrypted messages as well.

End-to-end encrypted cloud providers

Not all cloud providers offer end-to-end encryption, so it is important to check whether a provider offers this service before signing up. Some providers may offer end-to-end encryption as an add-on service, so it is also worth checking whether there is an additional cost or configuration required to enable end-to-end encryption.Given end-to-end encryption’s obvious superiority, all messaging apps have migrated to this standard for communication. This includes Signal, WhatsApp, Apple’s iMessage, and more. Facebook Messenger and Instagram Messenger is migrating to default end-to-end encryption. Today, it would be considered security bad practice to release a messaging service that does not support end-to-end encryption out of the box. As a result, we consider it a baseline level of security for products such as cloud storage, where individual, customer, and client data is frequently stored.We recommend trying out Skiff, which provides end-to-end encrypted storage, notes, email, and collaborative documents (with 10 GB free as well); Tresorit, which provides end-to-end encrypted cloud storage and sync; or Sync.com, which also provides end-to-end encrypted cloud storage and sync for consumer and business users. All of these providers have cross-platform compatible apps for iOS and Android mobile devices, as well as desktop applications for viewing, storing, and sharing files.

Conclusion

Although Box provides many easy-to-use services and integrations for individual and enterprise customers, it generally uses quite data standards on cryptography and data encryption to protect users’ most sensitive data. Today, end-to-end encryption is the strongest standard consumers should expect from their providers and has become a basic expectation in all messaging and communications.