October 6, 2016
AxCrypt Online vs. Offline
There’s some concern about the fact that AxCrypt is able to connect to the Internet.
- Do I need to be online to encrypt or decrypt my files with AxCrypt?
- Is my data sent over the Internet in any form?
- Why does AxCrypt need to be online at all?
The first two are easy enough to answer.
- No, AxCrypt does not need to be online to install or operate.
- No, your data never leaves your computer – unless it resides there in the first place of course.
AxCrypt will automatically switch to ‘offline’ mode if it’s not possible to connect to the server. It can also be started with the `--offline` command line switch, or set permanently offline by using the “File | Options | Always Offline” option.
The third, why there is an online connection at all, is a little more complex to answer. There are three main reasons: key, password and subscription management.
Key Management
We store what we call an AxCrypt ID which is associated with your account on our servers. (Technically this is an RSA-4096 encryption key pair.) This key pair consists of a public sharing and private secret part. When we encrypt a file we don’t really encrypt it with your password as the encryption key. We encrypt your file with a random and unique key every time a file is encrypted. We call this the master file key. It’s this master file key that we actually encrypt with your password and add to the encrypted file. We also encrypt this same master file key with your public sharing key from your AxCrypt ID, as well as the public sharing keys of any additional recipients you may have added with the key sharing feature.
An AxCrypt-encrypted file consists of the following:
- The original file encrypted with AES-128/256 using a random unique master file key.
- The master file key, encrypted with your password.
- The master file key, encrypted with your public sharing key.
- The master file key, optionally encrypted with other recipients’ public sharing keys.
The unique thing about public sharing and private secret key pairs is that while anyone can *encrypt* data with the public sharing key, only the person knowing the private secret part can *decrypt*, and even knowing the public sharing key it’s not possible to figure out the private secret key.
To decrypt an AxCrypt-encrypted file, you need to have either of:
- The original password, to decrypt the master file key.
- Any private secret key corresponding to a public sharing key used to encrypt the master file key as described above.
On the AxCrypt server, we store your AxCrypt ID, and everyone else’s, which consists of the public sharing key and your private secret key – the latter encrypted as an AxCrypt file, using only your password to encrypt the master file key for that file.
Finally, we can tell you what the server is used for!
- To make public sharing keys available to anyone who would potentially want to make encrypted data available to someone else.
- To keep a backup of your encrypted private secret key, so if you buy a new device or need to reinstall AxCrypt you can get it back to your device.
- To enable global password change for you. If you change your password on our server, we’ll re-encrypt your private key there with the new password and this means that all your already encrypted files will now be decryptable with the new password! Very convenient. You can still also decrypt them with the original password used when the file was encrypted of course.
Password Management
There’s also an online password manager, where we can keep track of all of your passwords encrypted with your AxCrypt password. One password to rule them all ;-) Encrypting a file containing a list of passwords is such a common use of AxCrypt that we thought we could make it even easier.
Subscription Management
Since some of the features of AxCrypt are reserved for paying Premium users, we need to know if you have a valid Premium subscription. To avoid various hacks used by offline software licensing technologies, we keep it simple and secure and keep track of payment status on our server. This is fairly standard procedure.