Forum Replies Created
-
AuthorPosts
-
Hello Jeff S,
Neil is quite right – please contact our support. If you have Premium (Trial or Paid), sign in to https://forum.axcrypt.net/ and start a Premium support ticket. If not, please email to: support att axcrypt dott net .
Hello Dwain,
Thanks for the input! Just to be clear – as long as you sign out or have a password protected screen saver, your AxCrypt-encrypted data is generally safe from other users, including administrators.
It’s when you allow someone else to use the same Windows session that the problem arises.
Hello René,
I don’t really know anything about HiDrive, but if they have support equivalent to Dropbox and Drive on the mobile phones, AxCrypt should work with it. Perhaps you can contact support and send screen shots of what appears to go wrong?
Hello Dwain,
Here’s why: https://forum.axcrypt.net/blog/avoid-self-decrypting-files/ .
Hello skeptical,
George has actually responded correctly, if somewhat strongly perhaps, to your concerns. In this case, since I’m the author of AxCrypt, having designed it all and programmed most of it, I think it might be appropriate with a personal response as well.
First, I’d like to remind everyone here that we’re all friends and let’s keep the tone civil. No need for derogatory terms etc, let’s stick to fact and sometimes opinions without those extra words which bear no extra information.
Here’s the thing about “You must tell Axcrypt what your password is” and “This gives Axcrypt access to your encrypted files“. How else could it possibly be? This is the same for 100% of cryptographic solutions – somewhere there is software that accepts your password, and thus knows it!
I think what you’re really trying to say is “You must send your password to a remote server, which gives the software or operator of that server potential access to your encrypted files – if the operator or software developer has malicious intent. It might give hackers potential access if the operator or software developer is sloppy or incompetent.” This *is* true, but it’s the same regardless of where the software is executing – on your PC or our servers.
Here’s the real difference:
Your PC: A machine with probably literally 100s of installed softwares from all kinds of sources, with absolutely no chance for you to be really sure of the quality or intent of said softwares, and often installed more or less at whim for a moment’s need. A machine which is operated by a human (you, and possibly your family, kids, kids’ friends, spouse, friends, colleagues etc), making decisions of where to click, what to type, what to download, what sites to visit many, many times a day. All of those decisions with the potential of being wrong. One wrong click, site visit or download is enough to compromise your PC. It’s also a machine which is often moved between public and private wireless networks, often left unattended, sometimes even with Windows signed in while you get a coffee or whatever. A machine which is used for countless purposes, work, play, media etc with software installed for all those reasons. All that software with the risk of bugs and security vulnerabilities. A machine typically with lots of ports open to the Internet to make all those functions and file sharing etc work.
Our Server: A machine with the absolute minimum of installed softwares, with each and every one carefully vetted before installation. A machine with no extra functions except what it needs to do. No play. No games. No media. Not even a database – we rolled our own no-sql to 100% remove the risk of SQL-injection attacks. It never moves. We never use a browser. It has a total of 3 ports open to the Internet: HTTP, HTTPS and SSH. It is operated by a single dedicated professional, with a single purpose – and quite infrequently at that.
Now, which environment do you honestly believe to be the most safe, secure and trustworthy?
Remember – if you’re using ours (or anyone else’s cryptographic application) you’re going to be executing that code. So you have to trust the code. You’re giving the code not only your password, but literally every byte of confidential information you encrypt or decrypt will go through that software.
Since you must trust the code in order to use it – given the above, just what environment is really the greatest risk to run that code in?
If security is only as strong as its weakest link – where’s the weak link here?
For a technical description of what we do, and what we actually store on the server, please check out https://forum.axcrypt.net/documentation/technical/ . For the full source code of the core libraries and the Windows application, go to https://www.bitbucket.org/axantum/axcrypt-net/ .
To summarize what we keep on the server: A file encrypted with AxCrypt using your password.
What scenario is AxCrypt designed to protect you in: A file encrypted with AxCrypt using your password being accessed by the wrong person.
In other words, should data leak from our server, it’s actually just an application of the exact scenario AxCrypt is intended to handle in the first place. If your password is good enough, no harm is actually done.
April 15, 2017 at 18:15 in reply to: axcrypt signin password vs choosing a passphrase for specific file #6112
Hello Jay,
Yes, AxCrypt 2 uses a single password for all encryption and decryption.
However, we added a new cool way to share encrypted files with others instead of sharing passwords.
You can now use our key sharing feature, where you simply add the recipients’ emails to the list of people you want the file to open for. They will now be able to open the file with their own password, you do not need to share passwords any more!
You’ll still have to send the file to the recipient(s), we don’t do that.
Hello Captain Quirk, FormerAxCrypter, Wellington, Gerard, Robert M and everyone else!
Wow – I’m impressed at the high level of both questions and responses from the community. The AxCrypt community is amazing! Stuff like this, that makes it worthwhile…
For what it’s worth, while I cannot disclose the names or publish the reports, AxCrypt has been professionally audited by both private and government entities. I realize the value of that statement is pretty low, considering I can’t name anyone, but still. Better than nothing, right?
As for myself, I don’t consider myself a cryptographer per se. I do not, and never have, made my living as a cryptographer. That being said, I have made my living for many years, working with properly implementing cryptography both as a developer and at a higher level with cryptography-based products. As such, I feel that I am uniquely qualified to *implement* cryptography and design software based on cryptographic functions as a developer, which unfortunately too often is not the case. As we have seen time after time in both small products as well as enterprise products from major software manufacturers.
I would like to note that while AxCrypt is not as widespread as for example WinZip, it’s still pretty well known and used. It’s been downloaded an estimated 20 million times, and it’s been open source all that time with published specifications of the technology. During this time, not one single cryptography related weakness or vulnerability has been published. That doesn’t mean there aren’t any, but it does increase my confidence in that it’s pretty sound anyway.
I guess this is as good a place and time as any to point to the appropriate resources should anyone wish to take a look:
https://bitbucket.org/axantum/axcrypt-net/ – The source code for AxCrypt 2 in C#. A few nuget dependencies, otherwise it compiles cleanly as-is with Visual Studio Community.
https://forum.axcrypt.net/documentation/technical/ – Technical information about file format, algorithms, implementation details and server interaction.
Thanks everyone, and keep it up!
Hello Beth (and Gerard),
Actually… If you’re online with AxCrypt 2, there is a limit… Since then it really is an online tool. To get around that, go to File | Options and enable “Always Offline” until you figure it out.
There’s also a tool that can search by trying combinations using a pattern. Let us know if you’d like to try that as well.
Thanks Gerard. Hello Box, I’ve already responded via the support email with essentially the same information.
Hello Dave,
Thank you for your support! It’s really nice to hear. I think Klaus responded fairly exhaustively on the multiple key-issue. We may add some stuff to 2.0 like the ability to share via passwords, but it depends to be honest on resources which are still very limited.
You also asked about the old subscription vs. the new. They are interchangeable, i.e. if you paid for old Axantum Xecrets, you’re also an AxCrypt Premium user and vice versa. However, we have discontinued new subscriptions to Axantum Xecrets, so when that expires you can continue to support us (and get the Premium features like mobile apps etc) by subscribing to AxCrypt Premium instead.
Thank you Klaus!
Hello Jeff,
As Klaus explains – you should only be asked for a second password if the file was not encrypted with the password you use to sign in to AxCrypt with.
If the file in question is encrypted with AxCrypt 1.x, it will automatically be re-encrypted using the sign-in password – thus eliminating the extra prompt the next time. Provided you have a sufficiently modern version of AxCrypt installed, and you have not disabled the option.
I can’t tell what version you have, or what version the file is encrypted with. You can see this in the main window title bar and the recent files list.
Hello Jos,
Thank you for reporting this. I think this has already been fixed in the most current beta. You can sign up here https://play.google.com/apps/testing/net.axcrypt.axcrypt2x .
Hello roger,
Go to https://forum.axcrypt.net/ for the latest supported download. You’ll find unsupported legacy downloads at http://www.axantum.com/ .
Hello Chris,
AxCrypt stays signed in until signed out, just like most similar applications such as your email. Once signed in, you can read, write and update information without having to re-enter the password, until signed out. AxCrypt will automatically sign out when the screen saver goes active, or you can sign out manually.
The file is still encrypted, the software just remembers the password until you “sign out”.