Dropbox managed encryption keys: An overview

Updated Nov 02, 2023
person icon

The Dropbox managed encryption keys system is available to customers on Dropbox Enterprise.

The Dropbox managed encryption keys system (DMEK) is a key management system used by Dropbox that encrypts your data, using unique team keys and a multi-layered key encryption approach as extra security measures.

Top level encryption keys are generated by Amazon Web Services Key Management Service (AWS KMS), and stored on Hardware Security Modules (HSM). Encryption keys for namespaces (team folders, shared folders, or folders with restrictions) are created the same way and stored in an encrypted format in Dropbox’s database.

highlight icon


  • The DMEK system can only be activated by a team admin or a security admin.
  • Team encryption keys are automatically rotated every 12 months. 
  • A key revocation will permanently remove access to your team’s data for team members, admins, and Dropbox.
  • Team admins can request and approve key revocations.
  • To revoke a key, teams will need a team admin as requestor, and two other team admins to confirm, since key revocation is a permanent action.

How to activate DMEK on your account

To activate the DMEK system from the admin console:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console.
  3. Click Settings.
  4. Click Advanced data protection.
  5. In the Advanced key management section, click Activate next to Dropbox managed encryption keys.
  6. You’ll see a pop-up window warning you that DMEK activation may take up to 30 days. Click Activate to confirm.

You can check the completion percentage next to Dropbox managed encryption keys to see the activation progress. Once the activation is complete, the button next to Dropbox managed encryption keys will say Activated.

How to request a key revocation

A key revocation removes all access to and permanently deletes all user data on Dropbox. There’s no way to recover the lost data, so a key revocation can only be requested with the approval of at least three team admins: the requestor, and two other team admins, who will be contacted to confirm the key revocation.

To request a key revocation:

  1. Log in to dropbox.com with your admin credentials.
  2. Go to dropbox.com/support.
  3. Click Send an email.
  4. Fill the form with the required information and your request.
  5. Verify your identity through the link you’ll receive from Dropbox support.

Dropbox support will call two team admins to confirm the key revocation. Once all approvers have confirmed, Dropbox will start to process the revocation request.

highlight icon

Note: This will render data on Dropbox inaccessible to team members, and they won’t be able to access their account.

You’ll be notified once the key revocation process is complete.
highlight icon


  • You can check the status of your request from dropbox.com/support. Completed requests will be visible in the activity log, in the admin console.
  • Dropbox is committed to process your request within 24 hours from the confirmation date.

View DMEK logs in the activity log

When any actions are taken in relation to DMEK, they’ll be listed in the activity log in the admin console.

Here’s a list of all DMEK actions:

  • CancelKeyDeletion: A Key Management Service (KMS) key deletion event is canceled
  • CreateKey: A new key is created or replicated
  • DeleteKey: The scheduled period expired and the key is deleted
  • DisableKey: Disable key operation
  • EnableKey: Enable key operation
  • ScheduleKeyDeletion: The deletion of a key is scheduled
Was this article helpful?

We’re sorry to hear that.
Let us know how we can improve.

Thanks for your feedback!
Let us know how this article helped.

Thanks for your feedback!

Community answers