• Last Updated:
  • May 28th, 2021 9:58 am
[OP]
Newbie
Aug 29, 2006
43 posts
28 upvotes

Box crytpor - dead

Deal dead.
Last edited by ephdub on May 28th, 2021 9:22 am, edited 2 times in total.
13 replies
Deal Addict
Aug 7, 2011
1802 posts
2591 upvotes
VANCOUVER
I've looked into this before but depending on your use case you may be able to do this for free using software like Duplicati. I personally backup my NAS to AWS and use the Synology encryption feature to encrypt before transit.

But I guess if you don't want to DIY this solution would be fine. You just have to trust the company that they are really doing what they say. But I am sure they have done independent audits?
Jr. Member
User avatar
Feb 2, 2011
138 posts
203 upvotes
Markham, ON
FYI - just signed up for CyberGhost VPN service at $2~ per month (billed every 3 years) and it came with a one year free license key for Boxcryptor
Don't spend two dollars on drying clean a shirt. Donate it to the Salvation Army instead. They'll clean it and put it on a hanger. Next morning, buy it back for seventy-five cents.
Newbie
Jan 25, 2008
43 posts
37 upvotes
If you have a bit of know-how with command lines, I highly recommend Rclone. It's OSS built for managing files in cloud providers. It's cross platform, can do encryption on the fly (with your key!), can mount providers as a letter drive and can even act as a DLNA server hosting files from the cloud provider of your choice.
Deal Addict
Feb 14, 2006
1364 posts
2070 upvotes
Hammonds
ephdub wrote: Cryptomator is the main competitor. It’s open source however the iOS version is closed and proprietary. It also doesn’t receive as much updates.

Truecrypt, cryptfs, veracrypt, etc… was all under consideration but ultimately, ease of integration, simplicity, and constant updates made me choose Boxcryptor over the others.

Boxcryptor is normally not on sale. This was a code that their sales team gave me to give out.
Its $13 on google play, or you can buy a licence key for €9.99/about $15CAD through f-droid. On their /android page. Strange it's cheaper through google, usually fdroid available apps (found on github) are substantially cheaper or free.
Deal Addict
User avatar
Feb 2, 2010
1313 posts
1195 upvotes
ephdub wrote: Yup. They have been audited before. I would love to choose FOSS alternatives.

I lack the time, and knowledge to hunker down, and set up my own shit. Priorities...

If I had the time, and knowledge, I'd implement:
Bitwarden (self hosted), Pihole + unbound, my own email server, and my own cloud services (nextcloud).

There's obviously "trust" in those companies, since I'm willing to give them my "keys to the kingdom".

I'm choosing the automated, non-DIY version so it's seamless and constantly up to date.
I'm using Pi-Hole + Cloudflared, both running on Docker containers on my Synology, + Bitwarden. I'm still considering Boxcryptor though so thanks for the code. Out of curiousity, why self-hosted for Bitwarden? I can appreciate the idea of keeping everything local but the idea that your password database could go up in a fire or out the door with a break-in scares the beezebus out of me.
Beep\Bop\Boop
Newbie
May 1, 2017
94 posts
129 upvotes
I was using it before, replaced by the simple Safe in OneDrive.
Deal Addict
Feb 14, 2006
1364 posts
2070 upvotes
Hammonds
Tapout123 wrote: I'm using Pi-Hole + Cloudflared, both running on Docker containers on my Synology, + Bitwarden. I'm still considering Boxcryptor though so thanks for the code. Out of curiousity, why self-hosted for Bitwarden? I can appreciate the idea of keeping everything local but the idea that your password database could go up in a fire or out the door with a break-in scares the beezebus out of me.
It's encrypted so both a break-in at home/vps, or data breach on a remote sever/paid version shouldn't be an issue. I know when I looked into it the self hosted version was more feature packed like paid commercial. Also it's super easy to trust yourself, migrate anywhere anytime, monitor whos looking around the domain and also who can look, and easily remove everything from the net if you are your host by disconnecting a cable
Deal Addict
User avatar
Feb 2, 2010
1313 posts
1195 upvotes
Ruciz wrote: It's encrypted so both a break-in at home/vps, or data breach on a remote sever/paid version shouldn't be an issue. I know when I looked into it the self hosted version was more feature packed like paid commercial. Also it's super easy to trust yourself, migrate anywhere anytime, monitor whos looking around the domain and also who can look, and easily remove everything from the net if you are your host by disconnecting a cable
I have no qualms about the security of the database, I'm more concerned about how it could literally be destroyed, corrupted or stolen. Can you back it up to the cloud (encrypted of course)?
Beep\Bop\Boop
Deal Addict
Jan 10, 2017
1498 posts
937 upvotes
GTA
ephdub wrote: Woah. Never seen that one. Have they been independently audited/have a good rep?
https://en.wikipedia.org/wiki/Canadian_ ... _Authority

The Canadian Internet Registration Authority (CIRA) (French: Autorité canadienne pour les enregistrements Internet ACEI) is the organization that manages the .ca country code top-level domain (ccTLD) for Canada. Its offices are located at 979 Bank Street in Ottawa, Ontario, Canada. CIRA sets the policies and agendas that support Canada's Internet community and Canada's involvement in international Internet governance. It is a member-driven organization with membership open to all that hold a .ca domain. As of January 2021, there were more than 3 million active .ca domains.

Considering they are an important aspect of Canadian internet, they have the budget to.
Deal Addict
Jan 10, 2017
1498 posts
937 upvotes
GTA
Their partners would probably be Canadian CSE and CSIS and high value Canadian asset companies (to actively block malicious traffic).
Log retention seems on par with other DNS like google and Quad9.

Quad9/IBM is also in the security business and actively use Quad9 to feed into their own intel platform and will send out this data (I work for companies that pay into this data).

I use CIRA cause I'd rather have my dns pinging on Canadian grounds.

Most of my self-hosted services and paid ones tend to be kept within borders is one of my privacy goals.
Deal Addict
Jan 10, 2017
1498 posts
937 upvotes
GTA
ephdub wrote: I get it but you can’t assume their partners are strictly Canadian. Canada is part of the 5/9/14 eyes so it could be any of the signatories.

The fact cira won’t tell you how or why, you’re considered a threat to them… and it’s up to them to determine what’s “anomalous”. And they actively disclose they’re sharing that information, it’s a hard pass for me.
d. Your detailed DNS query data that includes your IP address will be retained by CIRA for up to twenty-four (24) hours, in order to identify and protect the Service from any malicious behaviour, after which time it will be deleted. Beyond 24 hours only aggregated data will be retained in which your domain name queries will no longer be attributable to your IP address.

f. CIRA will use threat feeds provided by intelligence partners.CIRA may share with intelligence partners data about domains and the number of blocks associated with them. This data will not include any Canadian Shield User’s Personally Identifiable Information (PII).
Threat's include using a DNS resolver to perform attacks on their infrastructure or performing DNS attacks such as Distributed Reflection DoS and DNS flood attack.
Quad9 acts in similar fashion to CIRA in which that if they deem you a "threat", they log your IP address thanks to their "Anomalous Conditions" clause that overrides their original privacy policy.

So using either service leads to the same conclusion on privacy policy.

Talking about CIRA partners, Canadian Information is not something that the eyes publicly share, the eyes is meant to share foreign intel with each other, that includes multi-border criminal activity. Regular Canadian citizen data isn't going to be given up that easily.
You are more susceptible to US surveillance since US foreign surveillance is not illegal post Snowden, and US Domestic surveillance isn't eradicated either, just moved to Israel and rebranded as shared foreign surveillance.

To be handling Canadian data thats so close to government, you have to have a Canadian restricted clearance to work for any large data Canadian asset.
IBM/Quad9 is a private entity, while they clearly state they are sharing domain data with cybersecurity professionals (anyone who pays for it as part of their Xforce Qradar subscription or visits https://exchange.xforce.ibmcloud.com/) They also follow the private enterprise jurisdiction of where they operate.

Top