Box encryption

Box cloud storage data encryption

Is my data encrypted?

Cloud storage services like Box are very popular these days and the de-facto standard to store and share files. But do they apply encryption? We took a closer look at Box and try to answer the following questions:

  • Are my files safe on Box?
  • Does Box have any access to my files?

Whereas privacy is maybe not so crucial for videos and photos users share on social networks, when it comes to files processed in enterprises and for work, data protection quickly becomes more important. And when we think of data protection we mean: data encryption.

Data encryption is great, but as always it depends on the actual implementation. So let's take a closer look on how Box applies encryption.

Phase 1: Data in transit

When you store a file in Box you first have to upload it - this works in several different ways: Drop it on the box website, drop the file in the folder to trigger the installed Box client to sync it back to the Box backend or add it to the Box mobile app. For each single way: Your data is encrypted. Box encrypts all data in transit to and from it's backend by the use of TLS.


This means that all data transferred to the box backend is encrypted by the use of state-of-the-art cipher suites. Which cipher actually is in effect depends on the client you use (browser version, mobile box app, desktop app, etc.) To illustrate the effectiveness of TLS let's compare the connection to the box backend with a connection without TLS:

Box encryption in transit

Phase 2: Data at rest

Once the file is securely transferred to the backend, it is stored. This is the second phase, where data encryption is key: Is the data safe and encrypted? Let's see:

Box encryption at rest

So it seems box is doing a great job on encrypting and protecting your files. There is only one point, where the file is actually available unencrypted: At the TLS termination proxy.
Let's see, what this means:

TLS termination proxy

After phase 1 the TLS connection is decrypted and all data transferred are available in cleartext on the server. The server then can process the files, extract metadata, evaluate content and extract sensible information. The user has no control over her data.
That's the bad news. But there is a concept that helps: End-to-end encryption.

End-to-end encryption

End-to-end encryption (E2EE) is a communication system where only the communicating entities are able to read the messages. No other entity is able to tap in - neither in the the TLS termination proxy, nor anywhere else.

End-to-end encryption

Noticed the difference? The content of the file is still unreadable - even at the crucial point of TLS termination. Nobody can ever tap in - your data is absolutely safe with End-to-end encryption in place.