heiBOX is a secure central sync and share service with optional end-to-end encrypted libraries for all employees, PhD candidates and students of Heidelberg University, as well as external users. These instructions explain how to log into heiBOX, how to create libraries, how to share files and how to restore your data. They cover the following topics:
- General Information
- Data Storage and Transfer
- Login – Web Interface
- Login – Desktop Client
- WebDAV Integration
- (Encrypted) Libraries
- Sharing a Library with Other Users
General Information
The following groups are authorized to use heiBOX:
- Employees of Heidelberg University. They have a Uni-ID and receive 30 GB. Their account is created automatically when they log into heiBOX for the first time and they are allowed to invite guests.
- PhD candidates of Heidelberg University through the heiDOCS project. They have a Uni-ID and receive 30 GB. Their account is created automatically when they log into heiBOX for the first time and they are allowed to invite guests.
- Enrolled students of Heidelberg University. They have a Uni-ID and receive 10 GB. Their account is created automatically when they log into heiBOX for the first time and they are not allowed to invite guests.
- External users (guests) have a guest account and receive 0 GB of their own storage. They create the account themselves, which is only possible after being invited by an employee or PhD candidate. Guests are not authorized to invite other guests or to own libraries. Once a guest has accepted the invitation, they can be given access to libraries.
- HEIDI logins and project accounts cannot be used to log into heiBOX.
Employees also have the possibility to increase their quota (up to 5 TB) for a fee. To do so, please see the price calculator.
The possibility to access heiBOX ends as follows:
- Employees and PhD candidates: At the end of the last official day of employment.
- Students: When the de-registration becomes effective (usually at the end of the semester, but in exceptional cases earlier).
- External users or guests: After 1 year of inactivity or revocation of the invitation
Due to the type of authentication method used, there is no grace period! Please make sure that the data you need is downloaded and safely stored in time. Employees should also remember to transfer ownership of shared libraries to a new person in charge (e.g. the supervisor) before their access ends.
Data Storage and Transfer
All data is processed and stored exclusively on the systems of the University Computing Center in Heidelberg. The servers are operated in our own IaaS Private Cloud heiCLOUD: https://heicloud.uni-heidelberg.de/en/. The data itself is stored in two copies on systems in different fire compartments.
The heiBOX web servers are accessible exclusively via HTTPS, so all communication between clients and servers is encrypted in transit.
Login – Web Interface
Employees, PhD candidates and students can reach the heiBOX web interface through the link mentioned above. Click the button “Login Uni Heidelberg” to log into heiBOX. You will be redirected to the centralized Shibboleth login (Uni ID and password). You can only access the service if you agree to the forwarding of the required data from the Identity Provider to heiBOX. No registration is necessary; your account is created automatically during the first login.
Guests need to click on Open and use the “Guest Login” form below. They must have been invited first and must already have created an account (see heiBOX: Guest Users / Create Your Guest Account). Guests are authenticated directly by heiBOX itself, not via Shibboleth.
Login - Desktop Client
heiBOX is based on Seafile. The Seafile clients, which are available for all common operating systems (Windows, Linux, macOS, Android, iOS), can be used to access and synchronize your files from your PC or smartphone.
- You can download the software directly from the Seafile website which is mentioned in the margin.
- Instructions for installing the desktop client on Windows can be found via the link which is mentioned in the margin.
(A) Guests can log in directly using the e-mail address they were invited with and the password set during the account creation.
(B) Employees, PhD candidates and students have to log in by clicking Single Sign-On first. Enter the address shown below and click OK. You will be redirected to the centralized Shibboleth login page. Complete the login with your Uni ID and password.
Difference between the Desktop Syncing and the Desktop Drive Client
Desktop Syncing client:
- Libraries must be selected and synchronized individually.
- All data of a synchronized library is stored on the local system (consumes local storage space).
- Offline editing and uploading later on is possible.
Desktop Drive Client:
- All libraries are mounted as network drives.
- Data is cached locally up to a configurable limit (default: 10 GB); beyond that, no local storage takes place.
- Offline editing is not possible.
WebDAV Integration
You can use heiBOX via WebDAV as follows:
1. Set a separate password under Settings / Password for WebDAV. WebDAV uses this separate password rather than your Uni ID password, so your Shibboleth credentials never have to be stored in a WebDAV client.
2. Use the following data for the WebDAV Login:
- WebDAV URL that is mentioned in the margin
- WebDAV username: <University ID>[at]uni-heidelberg.de
- WebDAV Password: <the separately set password>
Please note when using WebDAV:
- Encrypted libraries cannot be accessed.
- Access is slower compared to the web interface or the desktop client.
Create new (encrypted) libraries
1. Log into heiBOX.
2. Click the button New Library.
3. Enter the name of the library.
Optional: Check Encrypt and enter a password to create an encrypted library. See the section below for additional information about encrypted libraries.
4. Click Submit to create the library.
Additional information on encrypted libraries
Encrypted libraries have their own icon showing an additional small lock. Files stored in encrypted libraries are encrypted on the client side (with the exception of browser access, see below). Only someone who knows the library password can decrypt these files. heiBOX users are responsible for their own password management, so please make sure to store the password in a secure way. The library cannot be decrypted if the password is lost or forgotten, and heiBOX cannot reset or recover it!
Please note that due to the encryption of all data, the following functions can no longer be used:
- Regular background virus scan.
- Full text search.
- Upload and download links.
- Online viewing and editing of Office documents.
- Sharing of individual subfolders or files.
- Sharing and access via WebDAV.
The encryption procedure is:
- Generate a 32-byte cryptographically strong random number. This is used as the file encryption key ("file key").
- Encrypt the file key with the user-provided password. The PBKDF2 algorithm (1000 iterations of SHA-256) is first used to derive a key/IV pair from the password; then AES-256-CBC is used to encrypt the file key. The result is called the "encrypted file key" and is sent to and stored on the server. When you need to access the data, the file key is decrypted from the encrypted file key with your password.
- All file data is encrypted with AES-256-CBC under a key/IV pair derived from the file key, again using PBKDF2 (1000 iterations of SHA-256). After encryption, the data is uploaded to the server.
The above encryption procedure is executed on the desktop and mobile clients. The Seahub browser client uses a different procedure in which the encryption happens on the server, which means your password is transmitted to the server.
When you sync an encrypted library to the desktop, the client needs to verify your password. When you create the library, a “magic token” is derived from the password and the library ID using PBKDF2 (1000 iterations of SHA-256). This token is stored with the library on the server side, and the client uses it to check whether your password is correct before syncing the library.
For maximum security, the plain-text password is not saved on the client side either. The client only saves the key/IV pair derived from the file key, which is used to decrypt the data. Therefore, if you forget the password, you will not be able to recover it or access your data on the server.
Sharing a Library with other users
To ensure that inviting users and sharing libraries works as smoothly as possible, there are a few things you should be aware of:
- Please do not create guest accounts for students and employees. These users already have access to heiBOX, but their accounts are only created when they log into heiBOX for the first time. Instead, ask them to log into heiBOX once; only then does the account become active and searchable, and sharing works without any problems.
- Invitations and shares should always use the Uni ID, i.e. UNIID[at]uni-heidelberg.de, and not institute addresses (firstname.lastname[at]xyz.uni-heidelberg.de).
- Students do not have access to the global address book but can invite users or share libraries via the user’s Uni ID as described above.
Libraries can easily be shared with other users and groups (please see the instruction heiBOX: groups). Permissions (Read-only, Read-Write, etc.) can be set individually for each user. You can also create Share and Upload links. These allow downloading and uploading of files within the library.
To share your library please:
1. Make sure you are in the My Libraries view and hover with the mouse over the library you want to share.
2. Three symbols appear. Click the first symbol, Share, to open the share dialog. The available share options are explained in more detail below. To share a library with other users, select Share to user in the side menu.
3. Type in the name or email address you want to share the library with. Names and email address are auto-completed. It is possible to enter multiple users at once.
4. Select the permission for the user(s).
5. Click Submit to share the library with the selected user(s).
Upload and Download Links for Libraries
Share and Upload Links for libraries: You can also create a Share Link for your library. Anyone with this link can access and download files within your library. An Upload Link allows users to upload, and possibly overwrite, files in your library. Because a link works for whoever obtains it, we strongly recommend that you set a password and, where possible, an expiration date when using Share or Upload Links!
Please note that only folders up to a maximum size of 2 GB can be downloaded via the web interface. Please use Desktop Syncing or Desktop Drive Client to download larger folders.
The following file types can be viewed / edited with Office Online:
View: .xls, .xlsx, .ods, .doc, .docx, .odt, .ppt, .pptx, .odp
Edit: .xlsx, .ods, .docx, .odt, .pptx, .odp
Restore deleted files or older file versions
- Deleted files are kept in the recycle bin of their parent library for 30 days. To restore a deleted file, open the file's parent library and click the Trash symbol in the upper right corner next to the search bar. A file that was deleted more than 30 days ago cannot be restored!
- To restore a previous file version, open the file's parent library and click the History symbol in the upper right corner next to the search bar. You will be redirected to an overview of past changes made in this library. Hover over the date you want to restore files from and select View Snapshot. You will be shown all files and folders as they were at the time of the snapshot. Navigate to and hover over the file you want to restore and use the small icons to Restore or Download the version shown. You can also restore your whole library by using the Restore button. This replaces your current library with the version of the snapshot you are currently viewing.
Restore deleted libraries
Deleted libraries can also be restored for up to 30 days after deletion:
1. Log into heiBOX.
2. Click the More button.
3. Click on Deleted Libraries to show your recently deleted libraries.
4. Hover over the library you want to restore and click the small grey arrow to restore it.
Please note that old shares and Share or Upload Links for this library are not restored automatically.
The link on the right will take you to the heiBOX FAQs.