Dropbox advanced encryption: An overview

Updated May 22, 2024

Dropbox advanced encryption is available to customers on Dropbox Advanced, Business Plus, and Enterprise.

The Dropbox advanced encryption system is an advanced key management system used by Dropbox to encrypt your data. It uses unique team keys and a multi-layered key encryption approach as extra security measures.

Top-level encryption keys are generated by Amazon Web Services Key Management Service (AWS KMS), and stored on Hardware Security Modules (HSM). Encryption keys for namespaces (team folders, shared folders, or folders with restrictions) are created the same way, and are stored in an encrypted format in Dropbox’s database.

Notes:

Only a team admin or a security admin can activate advanced encryption.
Team encryption keys are automatically rotated every 12 months.
A key revocation will permanently remove access to your team's data for team members, admins, and Dropbox.
Team admins can request and approve key revocations.
To revoke a key, teams will need a team admin as the requestor and two other team admins to confirm, since key revocation is a permanent action.

How to activate advanced encryption on your account

To activate advanced key management from the admin console:

Log in to dropbox.com with your admin credentials.
Click Admin console.
Click Security.
Click Additional encryption.
In the Advanced key management section, click Get started next to Dropbox managed encryption keys.
Review the warning in the pop-up window that advanced encryption activation may take up to 30 days.
Click Get started to confirm.

You can check the completion percentage next to Dropbox managed encryption keys to see the activation progress. Once the activation is complete, the button next to Dropbox managed encryption keys will say Activated.

How to request a key revocation

A key revocation permanently deletes all user data on Dropbox and removes access to it. Since the lost data can't be recovered, a key revocation can only be requested with the approval of at least three team admins: the requestor and two other team admins, who will be contacted to confirm the revocation.

To request a key revocation:

Log in to dropbox.com with your admin credentials.
Go to dropbox.com/support.
Click Send an email.
Fill out the form with the required information and your request.
Verify your identity through the link you’ll receive from Dropbox support.

Dropbox support will call two team admins to confirm the key revocation. Once all approvers have confirmed, Dropbox will start to process the revocation request.

Note: This will render data on Dropbox inaccessible to team members, and they won’t be able to access their accounts. If keys are revoked, access to all team files will be permanently lost and can’t be restored.

You’ll be notified via email once the key revocation process is complete.

Notes:

Dropbox is committed to processing your request within 24 hours of confirmation.
You can check the status of your request from dropbox.com/support. Completed requests will be visible in the activity log in the admin console.

View advanced encryption logs in the activity log

Any actions taken regarding advanced encryption will be listed in the activity log in the admin console.

Here’s a list of all advanced encryption actions:

CancelKeyDeletion: A Key Management Service (KMS) key deletion event is cancelled.
CreateKey: A new key is created or replicated
DeleteKey: The scheduled period expired and the key is deleted
DisableKey: Disable key operation
EnableKey: Enable key operation
ScheduleKeyDeletion: The deletion of a key is scheduled