Encrypted team folders: an overview

Updated Dec 04, 2023
End-to-end encryption is a feature available for teams on Dropbox Business Plus, Advanced, and Enterprise, and is subject to additional terms.

Encrypted team folders are team folders that are end-to-end encrypted. Only folder members have access to the encryption key; no one else, including Dropbox, has access to it. Admins can also create recovery keys for encrypted folders, in case of user access issues.
 

Organizational data can be categorized into nonsensitive, sensitive, and highly sensitive. Nonsensitive data can be safely migrated to the cloud, while sensitive data sometimes requires additional protection measures. Highly sensitive data demands the highest level of protection, in some cases with strict adherence to regulatory requirements. End-to-end encryption is recommended for highly sensitive data, while alternative solutions, such as Advanced Key Management or standard Dropbox encryption, may suffice for less sensitive data. Understanding these categories helps organizations safeguard data and maintain compliance.
 

Encrypted team folders act like normal team folders, but they can only be accessed by authorized folder members. While the metadata remains in plain text, the content of the files in an encrypted folder is always encrypted. Encrypted team folders display as a blue folder with a key inside a shield icon. Learn more about file and folder icons.

How to activate team folder encryption

If you’re a team admin, you can activate team folder encryption for your team. To do so:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Security.
  4. Select Encryption options.
  5. Click Get started next to End-to-end encryption.
  6. Click Start on the pop-up window to confirm your choice.
  7. Click Generate recovery key.
    • Notes:
      • You won’t be able to recover your encrypted data if you get locked out and don’t have this recovery key.
      • The recovery key won’t be displayed again, so make sure to save it physically or digitally.
  8. Confirm that you have stored the recovery key by entering the last five characters for verification.
  9. Review your device registration. You can choose either automatic device registration (recommended) or the manual option with manual key verification.
    • If you selected automatic device registration, click Finish to complete the activation process.
    • If you selected manual key verification, confirm this by clicking Set up manual on the next screen. Your team code will then be generated, which you can copy, store, and share with team members. Click Finish to complete the activation process. Click Next to complete the activation process.      
  10. Click Create encrypted folder to create an encrypted team folder, or click Dismiss to close the pop-up window and go back to your account.

How to create an encrypted team folder

If you’re a team admin, you can create encrypted team folders for your team. To do so:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Settings.
  4. Select Content.
  5. Click Create team folder.
  6. Select End-to-end encryption.

How to add and manage recovery keys

Recovery keys make sure data can always be retrieved and decrypted, even in the event of key loss or user access issues. Team admins can create and manage multiple recovery keys for different admins or storage locations.

Note: You won’t be able to recover your encrypted data if all team members get locked out and you don’t have a recovery key, so you must store it somewhere safe, digitally or physically.

To create an additional recovery key:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Security.
  4. Select Additional encryption.
  5. Click Manage.
  6. Click Add new key next to Manage keys, in the End-to-end encryption section.
  7. Enter any of your existing recovery keys.
  8. Click Generate.
  9. Click Copy or Print to copy your recovery key, and store it somewhere safe.
    • Note: The recovery key won’t be displayed again, so make sure to save it physically or digitally.
  10. Click Next to complete the activation process.
  11. Click Manage keys to manage your existing keys, or click Done to close the pop-up window and go back to your account.



To edit or delete existing recovery keys:

  1. Log in to dropbox.com with your admin credentials.
  2. Click Admin console in the left sidebar.
  3. Click Security.
  4. Select Additional encryption.
  5. Click the Manage button next to Manage keys, in the End-to-end encryption section.
  6. A list of your recovery keys will pop up.
  7. Click the Delete button (trash can icon) next to a recovery key to delete it permanently. Click Delete to confirm your choice.

How to manage device registration

If manual device registration is activated, a key verification process is required. Verification is two-way: the admin needs to verify the device's code, while the user needs to verify the team code. The team code is shown to the admin during the end-to-end encryption activation process. The admin can then share the team code with team members via email. On the user's side, both the team and client codes are displayed in the sync notifications. The user verifies that the displayed team code matches the code provided by the admin.


To verify that the device code shared by the user matches the value displayed to the admin in the admin console:

  1. Click Settings.
  2. Click Encryption options.
  3. Click Review pending devices.
  4. Click Accept to register the devices.

FAQs about encrypted team folders

Can anyone in the team create encrypted team folders?

No, only team admins can create and manage encrypted team folders.

Can I share an encrypted team folder with someone from another team?

Yes, you can share an encrypted folder with another team. Both teams must enable end-to-end encryption on their accounts to share encrypted folders.

Which features are limited when working with encrypted team folders?

While end-to-end encryption offers an additional level of security, it comes at a cost in usability. The following features and functionalities are not available for encrypted files and folders:

  • Server-side processing, including:
    • Search indexing (for example in Dash)
    • Thumbnail generation
    • Preview generation
  • Usability restrictions, including:
    • Dropbox Transfer
    • Content search
    • Shared links
    • File requests
    • Workflow automation

 

Encrypted team folders don’t support:

  • Cloud content (like Dropbox Paper, Google Docs)
  • Data governance (legal holds, content scanning)
    • Note: Legal holds aren't available for Send and track or encrypted folders.
  • Ransomware detection
  • Data classification
  • Dropbox AI
  • Upload and download via Dropbox API
  • Pre-built components for third-party developers (Chooser, Saver, Embedder)
  • Shared folders

 

Important note: End-to-end encryption is currently not available for the Dropbox mobile app. To access encrypted files on your mobile device, use the Dropbox website through your mobile browser.

What happens if I move or copy files to another location outside an encrypted folder?

When files are copied to a location outside the encrypted team folder, they’ll lose their encryption and will be stored in an unencrypted state in the new location.

Where can I track encrypted team folder activity?

All events related to encrypted team folders will be logged in the activity log.

Logged events related to end-to-end encryption: 

  • Team enrollment
  • Device enrollment
  • Device key removal
  • Recovery key enrollment
  • Recovery key removal
  • Key rotation

Isn’t Dropbox already encrypted?

Dropbox provides a high level of security for data, but end-to-end encryption adds an additional layer of privacy. You’ll have exclusive control over encryption keys, ensuring limited access. However, it's important to note that end-to-end encryption may restrict certain functionalities (like sharing files with users outside of your team) and may not be suitable for all files in a Dropbox account.

How and where are the encryption keys stored?

Encryption keys are stored at Dropbox in encrypted form, protected with another key that’s unknown to Dropbox.

Note: Private client keys aren’t stored at Dropbox and never leave the customer’s device.

Which encryption algorithm does Dropbox use to encrypt team folders?

Dropbox uses Hybrid Public Key Encryption (HPKE), using ECC P-256, HKDF-SHA256 and AES256-GCM for encryption key management. The file content encryption is done with AES256-GCM.
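The following is an added example, not Dropbox's code: it shows how the primitives named above fit together, with a random AES-256-GCM folder key encrypting file content and that key wrapped to a recipient's P-256 public key via ECDH and HKDF-SHA256. It is a simplified HPKE-style construction, not the RFC 9180 wire format; the function names, the info label and the sample plaintext are assumptions made for illustration.

```javascript
// Added example: simplified HPKE-style key wrap (not RFC 9180 wire format, not Dropbox code).
const crypto = require('node:crypto');

function newKeyPair() { // P-256 key pair; the private key stays inside the ECDH object
  const ecdh = crypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// HKDF-SHA256 over the ECDH secret, bound to both public keys (label is hypothetical).
function deriveKek(shared, ephPub, recipientPub) {
  const info = Buffer.concat([Buffer.from('example-folder-key-wrap'), ephPub, recipientPub]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmOpen(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on a bad tag
}

// Sender side: wrap the folder key to one recipient public key.
function wrapFolderKey(folderKey, recipientPub) {
  const eph = newKeyPair(); // fresh ephemeral key pair for every wrap
  const kek = deriveKek(eph.ecdh.computeSecret(recipientPub), eph.publicKey, recipientPub);
  return { enc: eph.publicKey, ...gcmSeal(kek, folderKey, eph.publicKey) };
}
// Recipient side: only the holder of the matching private key derives the same KEK.
function unwrapFolderKey(wrapped, recipient) {
  const kek = deriveKek(recipient.ecdh.computeSecret(wrapped.enc), wrapped.enc, recipient.publicKey);
  return gcmOpen(kek, wrapped, wrapped.enc);
}

function demo() {
  const device = newKeyPair(), outsider = newKeyPair(); // constructed sample keys
  const folderKey = crypto.randomBytes(32);
  const aad = Buffer.from('example-file-v1'); // hypothetical context label
  const fileBox = gcmSeal(folderKey, Buffer.from('constructed sample file'), aad);
  const wrapped = wrapFolderKey(folderKey, device.publicKey);
  const plaintext = gcmOpen(unwrapFolderKey(wrapped, device), fileBox, aad).toString();
  let outsiderFailed = false;
  try { unwrapFolderKey(wrapped, outsider); } catch { outsiderFailed = true; }
  return { plaintext, outsiderFailed };
}
```

A server that stores only `wrapped` and `fileBox` holds ciphertext and public values; without a recipient private key the GCM tag check fails, which is what `outsiderFailed` records.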

How can I tell if a file or folder uses end-to-end encryption?

A file or folder that uses end-to-end encryption displays a shield icon alongside the folder icon.

When would I need to enter a recovery key?

If device registration for end-to-end encryption is suspended, team administrators can manually resume the registration process. This can be done by entering a recovery key in the admin console, which will allow the completion of any pending registrations.

What happens if my team is disbanded?

If a team decides to disband while it still has encrypted folders, an error message is displayed. This message advises the team to remove these folders before proceeding with the disbandment process.

What happens if my team is deleted?

If an admin chooses to delete all files and users within a team, encrypted data will be permanently erased as well. However, within a 30-day timeframe, if files are restored, encrypted files will also be reinstated. To regain access to these files, the admin must have the recovery key. Therefore, it's highly recommended to keep the recovery key during this period to facilitate any required data restoration.

What’s the difference between end-to-end encryption and advanced key management?

End-to-end encryption protects specific files by encrypting them on the user's device before they’re transmitted to Dropbox servers. This ensures that Dropbox can’t access the private keys or plaintext files. However, it’s important to note that there may be some limitations regarding functionality and usability.

 

Advanced key management offers an additional layer of security for all files by utilizing a unique team encryption key, which the customer can optionally control. This feature enhances security without compromising Dropbox's core features. It’s designed to be easy to adopt and use, with no limitations in functionality or usability.

 

End-to-end encryption is well-suited for selectively protecting files, while advanced key management provides enhanced security for all files without sacrificing Dropbox's essential functionalities. The choice between the two options depends on your team’s specific security needs and requirements.

 

Learn more about how Dropbox keeps your files secure.

Is metadata encrypted?

Dropbox prioritizes encrypting file content while maintaining metadata in plain text. This approach balances robust security measures with usability, for example by enabling file searches by name.

 

Note: Extended attributes and resource forks are not encrypted.

Are files encrypted on my device?

Files on a local device aren’t encrypted. While end-to-end encryption safeguards data during transmission and storage on our servers, it doesn't directly address security at the device level. Encryption occurs during the sync process, ensuring that files within an encrypted folder on the Dropbox server remain encrypted. Encrypted files automatically decrypt for access during sync or download. Consider implementing additional security measures such as full-disk encryption and secure access methods to protect your devices effectively.
