As you may have noticed with the release 1.11.0 there is a new item in the web shop for Sandboxie-Plus I called it initially Advanced Upgrade, but have renamed it now to Advanced Encryption Pack for better clarity. It adds the ability to use Encrypted Sandboxes, these are boxes with the root file system being stored in an encrypted image file. This caused some concern about the future of new premium features if they would be only available with an Upgraded certificate, no they won't, don't worry, most new premium features will be released as expected for all certificates. The Ram Disk integration released also on 1.11.0 is available to all project supporters, in an upcoming build the USB Sandboxing already present in insider builds will be added to the public build the same way, etc... The reason to split this functionality out into a separate option is that it adds a completely new usage scenario, something that's entirely outside of the scope of sandboxing, in a way its reverse sandboxing i.e. creation of secure enclaves where data can be safely stored and processed while being protected from adversarial processes running on the host. Such a paradigm shift would merit a product of its own but to simplify things and in order to use the developed new component ImBox.exe to provide RamDisk support for regular Sandboxie use cases, I opted to just integrate the functionality fully with Sandboxie and instead add an option which has to be Purchase separately. I see this could have been better communicated and clarified up front, I'm sorry about that, it was not my intention to get anyone worried. Now that said lets see what this new feature does and how it is different from just pointing Sandboxie to a encrypted VeraCrypt volume. There are two main differences: One is that Sandboxie knowing what is sandboxed and what not, can block all processes not belonging to the correct sandbox from accessing the mounted volume. So a malicious application running outside will not be able to access the file stored on the encrypted volume only Sandboxed processes are. This protection can be switched on or left off when the image file is being mounted, it can not be changed afterwards, the image must be unmounted and re mounted without the protection, ensuring that only an entity knowing the password can perform this operation. The other feature which plays a vital role here is the recently added ability of Sandboxie to protect sandboxed processes memory from being read by other processes on the system (except some critical well protected system processes that is) so not only the files are protected but the data in memory as well, which is particularly important when using Password Managers, Crypto Wallets and alike. This functionality may be of particular interest to corporate users who handle sensitive data and require an extra layer of security. The integration of these features ensures that any data that is sandboxed is not only stored securely but also executed in a protected environment, minimizing the risk of data breaches or unauthorized access. This is a game-changer for companies that have faced challenges with employees unintentionally putting corporate data at risk. Moreover this feature can be leveraged to combat insider threats, where an employee might try to exfiltrate sensitive company data, the mechanism can ensure that any such efforts would be in vain if the data is stored in a remotely managed encrypted sandbox. This would require additional remote management functionality, something I'll add later to the encryption pack. The real potential of this new functionality shines in a corporate environment where the stakes are high, and data security is paramount.
@DavidXanatos , Thank you for separating/explaining encryption and Imdisk functionality. I have three questions, specifically about encryption and encrypted boxes: Q1: To create an encrypted box, do we always have to go through the "new box" wizard? If I double-click a box and in box options=>General Configuration=>Box Type Preset, the dropdown menu does not include the type "Encrypted Confidential Box" . So, how can I change the box type preset from say a "green" box to an encrypted ("black") box?separate Q2: Imdisk functionality and encryption are separate entities, not tied in any way. So, what are the steps to create an encrypted box if I don't have Imdisk (or don't want it)? Q3: If I create an encrypted box, will I be asked to create a password (during box creation)?
A1: No you can turn any empty box into an encrypted one, just go to the box options file options and check the Encrypt sandbox content checkbox (ignore the message box that's a bug) this gives you an encrypted box to get a "Black Box" you need to also enable the following option: So a black box can be of any type you can select in the combo box, as long as encryption and protection options are checked. A2: The ImBox.exe component is a block device proxy for the ImDisk driver you can not create an encrypted sandbox without having the ImDisk driver loaded. A3: Yes on the last page of the box creation wizard when you press finish a window will show asking for password and box size.
An encrypted box is not stored on a ram disk, the data are en/de-crypted on the fly from to the image file, and yes you can store that image file on a usb disk.
