Encrypted team folders: an overview

Updated Dec 04, 2023

In this article

person icon

End-to-end encryption is available for teams on Dropbox Business Plus, Advanced, and Enterprise.

Encrypted team folders are team folders that are end-to-end encrypted. Only folder members have access to the encryption key, while excluding anyone else, including Dropbox. Admins can also create recovery keys for encrypted folders, in case of user access issues.
 

Why use encrypted team folders?

Organizations handle different types of data:

  • Nonsensitive data: Safe for general cloud storage.
  • Sensitive data: May need extra security measures.
  • Highly sensitive data: Requires the highest level of protection, in some cases with strict adherence to regulatory requirements.

End-to-end encryption is recommended for highly sensitive data, while alternative solutions, such as Advanced Key Management or standard Dropbox encryption, may suffice for less sensitive data.

Encrypted team folders behave like regular team folders. File content is always encrypted, but metadata remains visible in plain text. Encrypted team folders appear as a blue folder with a key inside a shield icon. Learn more about file and folder icons.
 

How to activate team folder encryption

If you’re a team admin:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Under Products, select Dropbox.
  4. Click Security.
  5. Select Additional encryption.
  6. Click Get started next to End-to-end encryption.
  7. In the pop-up window, click Start.
  8. Click Generate recovery key.
    • Notes:
      • You can't recover encrypted data if you get locked out and don’t have your recovery key.
      • The recovery key won’t be displayed again, so make sure to save it physically or digitally.
  9. Click Copy to save the recovery key, then click Next.
  10. Enter the last five characters of the recovery key, click Verify, then Next.
  11. Choose how to register devices:
    • Automatic device registration: Click Finish.
    • Manual key verification:
      • Click Set up manual registration.
      • Click Set up manual.
      • Click Copy to copy the team code.
      • Share it with team members.
      • Click Finish
  12. Click Create encrypted folder to add an encrypted team folder, or Dismiss to exit.

How to create an encrypted team folder

If you’re a team admin:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Under Products, select Dropbox.
  4. Click Content.
  5. Click Create team folder.
  6. Select Encrypt this folder end-to-end.
  7. Click Create.
     

How to add and manage recovery keys

Recovery keys make sure data can always be retrieved and decrypted, even in the event of key loss or user access issues. Team admins can create and manage multiple recovery keys for different admins or storage locations.

highlighter icon

Note: You won’t be able to recover your encrypted data if all team members get locked out and you don’t have a recovery key, so you must store it somewhere safe, digitally or physically.

To add an additional recovery key:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Under Products, select Dropbox.
  4. Click Security.
  5. Select Additional encryption.
  6. Under End-to-end encryption, click Manage.
  7. Click Add new key.
  8. Enter any of your existing recovery keys.
  9. Click Generate.
  10. Click Copy or Print to copy your recovery key and store it somewhere safe.
    • Note: The recovery key won’t be displayed again, so make sure to save it physically or digitally.
  11. Click Next to complete the activation process.
  12. Click Manage keys to manage your existing keys, or click Done to close the pop-up window and go back to your account.


To edit or delete a recovery key:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Under Products, select Dropbox.
  4. Click Security.
  5. Select Additional encryption.
  6. Under End-to-end encryption, click Manage.
  7. A list of your recovery keys will pop up.
  8. Click  (Delete) next to a recovery key to delete it permanently. 
  9. Click Delete to confirm.

How to manage device registration

If manual device registration is activated, a key verification process is required. This process is a two-way process: the admin needs to verify the device's code, while the user needs to verify the team code. The team code is shown to the admin during the end-to-end encryption activation process. The admin can then share the team code with team members via email. On the user's side, both the team and client codes are displayed in the sync notifications. The user verifies that the displayed team code matches the code provided by the admin.


To verify that the device code shared by the user matches the value displayed to the admin in the admin console:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Under Products, select Dropbox.
  4. Click Security.
  5. Select Additional encryption.
  6. Under Manage device enrollments, click Manage.
  7. Enter your recovery key, then click Next.
  8. Click Accept to register the device.

FAQs about encrypted team folders

Can anyone create encrypted team folders?

No, only team admins can create and manage encrypted team folders.

Can I share an encrypted team folder with another team?

Yes, you can share an encrypted folder with another team. Both teams must enable end-to-end encryption on their accounts.

Which features are limited when working with encrypted team folders?

While end-to-encryption offers an additional security level, there is a downside on usability. This means that the following features and functionalities are not available for encrypted files and folders:

  • Server-side processing, including:
    • Search indexing (for example, in Dash)
    • Thumbnail generation
    • Preview generation
  • Usability restrictions, including:
    • Dropbox Transfer
    • Content search
    • Shared links
    • File requests
    • Workflow automation

 

Encrypted team folders don’t support:

  • Cloud content (like Dropbox Paper, Google Docs)
  • Data governance (legal holds, content scanning)
    • Note: Legal holds aren't available for Send and track or encrypted folders.
  • Ransomware detection
  • Data classification
  • Dropbox AI
  • Upload and download through Dropbox API
  • Pre-built components for third-party developers (Chooser, Saver, Embedder)
  • Shared folders

Important note: End-to-end encryption is currently not available for the Dropbox mobile app. To access encrypted files on your mobile device, use the Dropbox website through your mobile browser instead.

What happens if I move files outside an encrypted folder?

When files are copied to a location outside the encrypted team folder, they’ll lose their encryption and will be stored in an unencrypted state in the new location.

Where can I track encrypted team folder activity?

All events related to encrypted team folders will be logged in the activity log.

Logged events related to end-to-end encryption: 

  • Team enrollment
  • Device enrollment
  • Device key removal
  • Recovery key enrollment
  • Recovery key removal
  • Key rotation

Isn’t Dropbox already encrypted?

Dropbox provides a high level of security for data, but end-to-end encryption adds an additional layer of privacy. You’ll have exclusive control over encryption keys, ensuring limited access. However, it's important to note that end-to-end encryption may restrict certain functionalities (like sharing files with users outside of your team) and may not be suitable for all files in a Dropbox account.

How and where are the encryption keys stored?

Encryption keys are secured and stored in encrypted form at Dropbox, with another key that’s unknown to Dropbox.

Note: Private client keys aren’t stored at Dropbox and never leave the user’s device.

Which encryption algorithm does Dropbox use to encrypt team folders?

Dropbox uses Hybrid Public Key Encryption (HPKE), using ECC P-256, HKDF-SHA256 and AES256-GCM for encryption key management. The file content encryption is done with AES256-GCM.

How can I tell if a file or folder uses end-to-end encryption?

To identify if a file or folder uses end-to-end encryption, a shield icon with a key inside will be displayed alongside the folder icon.

When would I need to enter a recovery key?

If device registration for end-to-end encryption is suspended, team administrators can manually resume the registration process. This can be done by entering a recovery key in the admin console, which will allow the completion of any pending registrations.

What happens if my team is disbanded?

In the event that a team decides to disband, encountering encrypted folders will result in an error message. This message will advise the team to remove these folders before proceeding with the disbandment process.

What happens if my team is deleted?

If an admin chooses to delete all files and users within a team, encrypted data will be permanently erased as well. However, within a 30-day timeframe, if files are restored, encrypted files will also be reinstated. To regain access to these files, the admin must have the recovery key. Therefore, it's highly recommended to keep the recovery key during this period to facilitate any required data restoration.

What’s the difference between end-to-end encryption and advanced key management?

End-to-end encryption protects specific files by encrypting them on the user's device before they’re transmitted to Dropbox servers. This ensures that Dropbox can’t access the private keys or plaintext files. However, it’s important to note that there may be some limitations regarding functionality and usability.

Advanced key management offers an additional layer of security for all files by utilizing a unique team encryption key, which the user can optionally control. This feature enhances security without compromising Dropbox's core features. It’s designed to be easy to adopt and use, with no limitations in functionality or usability.

End-to-end encryption is well-suited for selectively protecting files, while advanced key management provides enhanced security for all files without sacrificing Dropbox's essential functionalities. The choice between the two options depends on your team’s specific security needs and requirements.

Learn more about how Dropbox keeps your files secure.

Is metadata encrypted?

Dropbox prioritizes encrypting file content while maintaining metadata in plain text. This approach balances usability with robust security measures, such as enabling file searches by name.

Note: Extended attributes and resource forks are not encrypted.

Are files encrypted on my device?

Files on a local device aren’t encrypted. While end-to-end encryption safeguards data during transmission and storage on our servers, it doesn't directly address security at the device level. Encryption occurs during the sync process, ensuring that files within an encrypted folder on the Dropbox server remain encrypted. Encrypted files automatically decrypt for access during sync or download. Consider implementing additional security measures such as full-disk encryption and secure access methods to protect your devices effectively.

Was this article helpful?

Let us know how why it didn't help:

Thanks for letting us know!

Thanks for your feedback!

Related Articles

Change admin rights

Customize Dropbox team security settings

Data classification

Dropbox Paper: admin settings for Dropbox teams

Community answers

Other ways to get help

Icon depicting two people
Community
Icon depicting a speech bubble
Contact support
Twitter Icon
Social media support