Boxcryptor shut down — where encrypted-cloud users should go next
If you are reading this because your Boxcryptor login finally stopped working, you are not alone. Boxcryptor spent a decade as the default answer to one specific question: how do you keep using Dropbox, Google Drive, or OneDrive while making sure the provider can never read your files? In November 2022 that answer changed hands.
What actually happened to Boxcryptor
In November 2022, Dropbox announced it had acquired Boxcryptor's technology and key team members. Boxcryptor stopped selling new licenses to individuals almost immediately and entered a wind-down for existing personal and new users, while the underlying encryption work was folded into Dropbox's own roadmap. The short version: the standalone product that let you wrap any cloud provider in client-side encryption is no longer something you can buy and rely on for the long term.
That matters because Boxcryptor's whole value was being provider-neutral. It sat between you and whatever storage you already paid for. Once that neutral layer is owned by one of the storage providers, the incentive to keep it working across competitors quietly disappears. Plenty of former users kept limping along on old installs, but "it still works for now" is not a security strategy.
What you actually need in a replacement
Before you pick the first tool a search engine throws at you, it helps to be precise about what Boxcryptor gave you, so you do not accidentally downgrade. The non-negotiables for most former users are:
- Client-side (end-to-end) encryption — files are encrypted on your machine before upload, so the storage provider only ever sees ciphertext.
- Encrypted filenames — the names and folder structure leak just as much as contents do, and many "encrypted" tools leave them in plaintext.
- Provider neutrality — you keep control of where the bytes live, instead of being locked into one vendor's cloud.
- A sane key model — you hold the keys; there is no server-side master key that the vendor (or a future acquirer) could be compelled to hand over.
The honest migration options
Move into Dropbox's own encryption
The path of least resistance is to stay inside the Dropbox ecosystem and use whatever encryption features came out of the acquisition. This is fine if you were already a committed Dropbox user and you trust a single provider to both store and encrypt your data. The trade-off is obvious: you give up the provider-neutrality that made you choose Boxcryptor in the first place, and your keys live inside the same company that holds your files.
Open-source mount-and-encrypt tools
Tools like Cryptomator create an encrypted vault that you sync through any cloud folder. They are free, audited, and they encrypt filenames. For a single person who just wants a vault inside an existing Dropbox or Drive folder, this is a genuinely good answer and you should consider it seriously. Where they get awkward is collaboration: sharing a vault with a teammate, handling simultaneous edits, and knowing who changed what are not really what they were built for.
A purpose-built encrypted collaboration app
If you were using Boxcryptor with other people — a small practice sharing client records, a couple of founders passing around contracts, a team that needs an audit trail — you want something built for collaboration that still keeps the zero-knowledge guarantee. That is the gap Kerveros was designed for.
Kerveros encrypts every file — including filenames — on your machine with XChaCha20-Poly1305 before it touches any provider, derives your key from a passphrase using Argon2id, and stores everything in an S3 bucket you own (bring your own Tigris, Backblaze B2, AWS S3, or MinIO). It is a one-time €79 purchase, not a subscription, with a 14-day free trial.
See KerverosA practical migration checklist
- 1Inventory what you have. Before you decrypt anything, list which vaults or folders were under Boxcryptor and roughly how sensitive each is.
- 2Decrypt to a temporary, offline location. Pull your files back into plaintext on a machine that is not syncing to any cloud while you migrate.
- 3Pick the replacement that matches your real use. Solo vault → an open-source tool like Cryptomator. Collaboration, shared buckets, or an audit trail → a purpose-built app like Kerveros.
- 4Re-encrypt and re-upload. Move the plaintext into the new tool, which re-encrypts client-side, then push it back to your storage of choice.
- 5Securely wipe the temporary plaintext and confirm your new keys or passphrase are saved in a password manager. If you lose the passphrase in a zero-knowledge system, the files are gone for good — there is no reset link.
How to choose without regretting it later
The Boxcryptor shutdown is a useful reminder that any tool which holds the keys can be acquired, deprecated, or quietly changed underneath you. The most durable choice is one where you keep the keys and you keep the storage — so that even if the software vendor disappears tomorrow, your encrypted data and your ability to read it do not depend on their servers staying online.
If you only need a personal vault, an audited open-source tool is hard to beat on price and trust. If you collaborate and you want encrypted filenames, an audit trail, and storage you own outright, that is exactly what Kerveros is for — and because it verifies its license offline against an embedded public key, even the app itself does not phone home.
Want the full feature breakdown, the threat model, and the FAQ on what happens if you lose your passphrase? The Kerveros product page covers it, including how the encrypted manifest hides which files you even have.
Read the Kerveros details