Box KeySafe Not So Safe

Posted by – 19. February 2016

This month Box announced its KeySafe service, a service that should give organizations control over their encryption keys. The ultimate goal of the service is that an organization’s content may reside in the cloud, while allowing them to keep control over their encryption keys.

But let’s stop here. First of all, as the FSFE (Free Software Foundation Europe) stated so nicely: “There is no cloud, just other people’s computers.”

This is particularly critical when you store your sensitive data on another company’s infrastructure. You are effectively moving the control over your data to them. And what happens if one of them has a significant security hole? For example, previously a programming error in Dropbox allowed any user to access any other account without a valid password.

With all of the focus today on privacy and compliance, cloud storage providers are realizing that they need to offer their customers more security. But how can they provide that? It’s Software-as-a-Service, where a customer’s data is stored on the cloud provider’s servers. While strong encryption methods would help, the problem is that most truly effective encryption methods would make their web interface unusable.

One way to try to tackle this problem is to claim that customers have control over their encryption keys. Let me quote this one sentence from the Box website:

“Exclusive Key Control. Box can never see or access your encryption keys”

And this is probably right! Box can’t access your encryption keys. But let’s think about that phrase. What it effectively says is that they can’t access your encryption keys, but they can still access the thing that you want to protect: your files.

We’re not saying here that the Box encryption is inherently insecure. In fact, we are not in a position at all to say that. Due to the closed-source nature of Box, it is not possible to really verify the security of the platform. But we are saying you shouldn’t take cloud provider “promises” like this at face value. You need to know not only who has control over your keys, but also where your data is stored, and who has access to it. In case of a security or compliance audit, you will be the one responsible for your data’s privacy and security.

What other choice do you have? How about control over both your keys AND your data! With ownCloud’s new Encryption 2.0, it is possible for enterprises to achieve complete control over their encryption keys AND files, as ownCloud is an on-premises solution. So you have complete control over your encryption key logic as well as where your data is stored, and who has access to it.

With our strong commitment to open source and our source code being open, everybody can verify the security of ownCloud. Additionally, we also offer a bug bounty program at https://hackerone.com/owncloud where we’re paying hackers for security vulnerabilities found in our product. We are putting our money where our claims are, to keep your data, and your keys, safe.
