Learn Orcashore

Orcashore is a secure content sharing system built on a hybrid cloud infrastructure that allows users to easily incorporate their existing file storage into the system. Orcashore implements the most secure way possible to share content among users through a simple app:

  • The content to be shared will be permanently encrypted on the client side.
  • Orcashore lets users hold their content encryption keys.
  • Transferring a key between users is safely achieved by employing asymmetric encryption.

With Orcashore, sharing content across organizations will be consistent, efficient, manageable, cost-effective, and most importantly, secure.

Orcashore is for you, anyone, and your team. Download the app today to give Orcashore a try for free!

To get started with Orcashore, download and install the Orcashore app on your computer, which requires Windows 10 or later. Orcashore also requires .NET Framework 4.8 to run. If .NET Framework 4.8 is not already installed, you will be prompted to download and install it during setup.

The Orcashore installation package is very small, so you can download and set up Orcashore quickly. By default, it is installed under “C:\Program Files (x86)\Orcashore\Dock”.

Once you use Orcashore, you will be notified when a new release becomes available. You can then use the current app to download and install the new release on your own schedule.

The Orcashore app offers dark and light themes. The default theme is dark, but you can easily switch from one to the other. The user interface is simple; please follow the instructions and tips on the screen.

Orcashore is an encryption tool. With Orcashore, you can save an encrypted version of your documents to your backup storage to protect any sensitive information.

When you run Orcashore for the first time, the app will create an Orcashore folder and an Underwater folder on your computer.

The Orcashore folder, located at “C:\Users\[username]\Orcashore”, is to hold your original content with Orcashore, so you can always get access to your documents even when you are offline.

The Underwater folder, on the other hand, is to hold your encrypted content with Orcashore. By default, this folder is located at “C:\Users\[username]\Orcashore\Underwater”, but it can be moved to your preferred location. For example, if you are using OneDrive, you may relocate the Underwater folder directly under the OneDrive folder on your computer so that your encrypted content with Orcashore can be synced to the cloud for offsite backup, as illustrated below.

Without using a cloud, you may move the Underwater folder to a flash drive or a private network location. When needed, Orcashore can recover your original content from your encrypted content, provided that you can sign in to Orcashore.

From the app, follow “App menu > Settings > Underwater folder” to update the path to the Underwater folder; follow “App menu > Recoverable” to check if there are any encrypted items that do not have their original contents under the Orcashore folder.

You probably use folders on your computer to organize a variety of your sent and received documents. When using Orcashore, your documents will be organized by packs (or packages) for efficient delivery, backup, and retrieval.

An Orcashore pack has a built-in cover (or cover sheet) and can contain an arbitrary number of files. The built-in cover is a standard form with fields such as subject, label, and comment. Further, a pack has a stage of either draft or final. Typically, you start from a draft, prepare the cover, add any files, and then finalize the pack, i.e. create an encrypted version of the pack for backup and/or sharing. Note that a final pack can include only the built-in cover without any files, which allows you to share a secure comment with others, such as giving feedback to the Orcashore team.

When you finalize a pack that contains one or more files, the Orcashore app will encrypt all files, including their names, with the Advanced Encryption Standard (AES) and package them into a single container. The container file is named with the “.orca” extension, so it is also called an ORCA file.

Each final pack comes with a random 256-bit encryption key ("pack key"). The key is stored in a separate file. All pack keys that you own are encrypted with a master key as described in the “Orcashore account” section, so they can be stored with other encrypted contents in one place, i.e. the Underwater folder.

You need an Orcashore account in order to use the Orcashore encryption and sharing services. You can use the Orcashore app to create your Orcashore account, which only requires your name and a password.

Once you are registered in the Orcashore central database, the app will create your private account file at “\Underwater\Accounts\myorcashore.acc” to store the secrets with your Orcashore account. The secrets are protected by your password, so it is important to remember your password and keep your password confidential.

Note that Orcashore does not support changing your password at this time, so please choose a strong password when you create your Orcashore account. If you forget your password, Orcashore can help you recover it, provided that your account file is not damaged, your Orcashore account is active, and your Windows logon is the same as the last time you successfully logged in to Orcashore.

With an Orcashore account, you will have a unique 256-bit encryption key (“master key”) that will be used to encrypt all other encryption keys that you own. As part of the secrets in your account file, the master key is not only protected by your password but also protected by a “second key” managed in the Orcashore central database. When signing in to Orcashore, you will use your password to exchange the second key to unprotect your master key for encryption services.

Your account file has other secrets that are required to sign in to Orcashore. Therefore, if this file is lost or damaged, you will lose access to your Orcashore account even if you have the password. Note that Orcashore does not have a copy of your account file in the central database. By keeping your account file safe, you exclusively hold full security control of your encrypted content.

An Orcashore account can only be bound/rebound to the user’s current Windows logon. If you have an individual account that is not associated with any Orcashore group (as described in the following section), you can transfer your account to another computer and rebind it to the system. If you are an Orcashore group member, rebinding may be restricted by your group administrators.

If you have an individual account, you must sign in to Orcashore at least once within a 365-day period to keep it active; otherwise, it will be automatically closed by the system. If your Orcashore account is closed, your encrypted content with Orcashore will be useless.

Some security procedures such as recovering your password and rebinding your Windows environment will require you to enter your name (case sensitive), so remember your exact name with your Orcashore account.

You will notice that the user profile has an optional “job title” field. Provide your job title if you want to join an Orcashore group (typically created for your company or organization). Otherwise, keep it empty to prevent others from adding you to a group.

An Orcashore group represents an organization or a business entity that uses the Orcashore services. You need to create your Orcashore account in order to create or join an Orcashore group. If you are going to create an Orcashore group, make sure that you are the person who can represent your organization. If your organization is already an Orcashore group, you can join the group by giving your name and account number to the group administrator. Note: Once you become a group member, you will no longer be able to disassociate your Orcashore account from the group.

If you create an Orcashore group, you will be the first administrator of the group. As a group administrator, you can add individual users to your group and appoint more administrators as needed. If you are a group member, your group administrators are able to restrict or terminate your access to the Orcashore services. Note: A group membership, once terminated, cannot be reinstated.

As a group member, you can share Orcashore packs with others in your group (internal members). If you have the "standard" permission in your group, you may invite users in other groups, so you can share Orcashore packs across organizations. If you have a permission above standard (either “high” or “maximum”), you can invite any Orcashore users, including individuals. Note that both you and your external invitee have to invite each other to be connected. That is, there is no spam when using Orcashore.

A pack may contain sensitive information, so select your recipients carefully when sharing it. To help avoid specifying a recipient in error, duplicate names are not allowed in the same group. This restriction will be automatically checked while adding a new member or changing the name of an existing member.

An Orcashore pack, once finalized, will have an encrypted version of its cover (excluding the encryption key) sent to the Orcashore central database to be shareable for the next 365 days; therefore, sharing a cover-only pack will be simple and secure. After the 365-day period, all information related to the pack will be deleted from the central database. Note that the pack on your computer will not expire after the shareable period, so you can continue to share the same content by copying it to a new pack.

If the pack contains one or more files, all files will be encrypted (using the same key as the encrypted cover) and packaged into a single container (ORCA file) as described in the “Orcashore pack” section. To share the ORCA file with others, you will need your own file storage.

An Orcashore group may employ a consistent way for its members to share ORCA files internally and externally. Because these files are encrypted, the group has flexibility in setting up or choosing file storage.

  • Use a network shared folder to share ORCA files internally wherever possible, as it is simple, efficient, and secure. Once a shared folder exists, a group administrator can set up its path for all members through “App menu > Accounts > Group shared folder”. Note that an ORCA file can be safely transmitted via an insecure channel, not only because the file is encrypted, but also because the app can validate it.
  • Use an in-house FTP server to share ORCA files externally if such a server is already available in your organization. With an FTP server, a folder on the server can be set up so that only internal members can upload ORCA files, while anyone can download them over the internet. The folder link, such as “ftp://[server]/orcas/”, can be supplied to the app through “App menu > Settings > Web folder”, so a typical file link can be generated like “ftp://[server]/orcas/[filename]”. To hide ORCA files on the web, make sure that the file list cannot be viewed by internet users. Note that an ORCA file is automatically named with a pattern like “[yymm]-[random-code][unique-number].orca”, which cannot be easily guessed, so keep the name as is.
  • When using cloud storage such as OneDrive to share an ORCA file, you typically get a link to the ORCA file (view-only for anyone) from the cloud service; provide that link to your recipient through the Orcashore app rather than email. From the app, follow “[Pack] > Cover > Web link” where you can offer a link. The link will be encrypted with the same key as the ORCA file, and only your recipient can decrypt and use the link to download the ORCA file.

The above are some common options for sharing ORCA files. However, having an ORCA file or an encrypted cover is useless without its encryption key ("pack key"); therefore, sharing an Orcashore pack also requires safely passing the pack key from one user to another, which is detailed in the following section.

A finalized (shareable) Orcashore pack comes with a random 256-bit encryption key ("pack key"). The pack key at rest is protected by the owner’s master key (as described in the “Orcashore account” section).

When sharing an Orcashore pack, the pack key must be securely transferred from the sender to each of the recipients because the shared content is always encrypted and the original key is not stored in the Orcashore central database.


The following, from a technical perspective, briefly describes how Orcashore safely transfers a pack key between users. Note that anyone can use Orcashore without this knowledge, as protecting and shipping a pack key is carried out by the app.

A pack key being shipped can be protected by the HTTPS secure connection when it travels through the internet, but the key has to temporarily stay in the Orcashore central database until the recipient has picked it up. Hence, this alone would not give our users sufficient comfort, even though the entire database is encrypted.

To eliminate these security concerns, Orcashore adopts RSA asymmetric encryption to protect a pack key from end to end, which requires each user (recipient) to have a pair of related keys: a private key and a public key. This key pair is randomly generated by the Orcashore app running on the user’s computer during the registration of an Orcashore account. The private key is kept secret by the user (technically it is part of the secrets stored in the user’s account file as described in the “Orcashore account” section), while a copy of the public key is sent to the Orcashore central database, where it will be available to others.

Asymmetric encryption can be understood in this way: the public key is like an open lock that anyone can use to lock something for its owner; once locked, however, only the owner who has its matching private key can open it.

Using this technology, a pack key can be encrypted with the recipient’s public key before leaving the sender's computer. The result (“secure key”) is the most secure form in which the key can temporarily stay in the Orcashore central database, as it can only be decrypted by using the recipient’s private key.

While a secure key is considered safe to go anywhere, Orcashore takes further protection measures to ensure that the secure key is only handed over to its designated recipient.

Here is a walk-through of how Orcashore safely transfers a pack key from one user to another.

  • The sender requests the central service for the recipient’s public key.
  • The central service returns a copy of the recipient’s public key to the sender if it is determined that the sender and the recipient trust each other.
  • The sender encrypts the pack key with the recipient’s public key resulting in a secure key. Note that the pack key at rest is protected by the sender's master key.
  • The secure key travels to the central database via HTTPS.
  • The secure key stays in the central database waiting for the recipient to pick it up. At this point, the secure key is considered safe enough even if it were obtained by an unauthorized party. Note that the central database, hosted on Microsoft Azure (Canada Central), is wholly encrypted at rest.
  • When ready, a copy of the secure key will travel to the recipient via HTTPS.
  • Upon arrival, the secure key is decrypted with the recipient's private key. The recovered pack key is immediately protected by the recipient's master key.
  • The recipient notifies the central service that the transaction is complete. The central service deletes the secure key in the central database and then updates the completion timestamp.

1. The Orcashore app running on the sender's computer (the sender)
2. The Orcashore web service hosted on Microsoft Azure (the central service)
3. The Orcashore app running on the recipient’s computer (the recipient)
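
The walk-through above can be traced in code. The following is an added illustration using Node.js's built-in crypto module, not code from the Orcashore app. The page names only AES and RSA, so RSA-2048 with OAEP/SHA-256, AES-256-GCM for at-rest wrapping, and every function and variable name here are assumptions; the HTTPS transport and the central service's trust check are left out.

```javascript
// Added illustration, not Orcashore code. Assumed primitives: RSA-2048 with
// OAEP/SHA-256 for the "secure key", AES-256-GCM for at-rest key wrapping.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Protect a pack key at rest under a 256-bit master key: iv | tag | ciphertext.
function wrapAtRest(masterKey, packKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', masterKey, iv);
  const ct = Buffer.concat([c.update(packKey), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unwrapAtRest(masterKey, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', masterKey, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical user record: master key plus a client-generated RSA key pair.
function newUser() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { masterKey: nodeCrypto.randomBytes(32), publicKey, privateKey };
}

// Runs the walk-through once and reports what each party ends up with.
function transferPackKey() {
  const sender = newUser(), recipient = newUser(), outsider = newUser();
  const central = new Map(); // stand-in for the central database
  const packKey = nodeCrypto.randomBytes(32); // random 256-bit pack key
  const senderAtRest = wrapAtRest(sender.masterKey, packKey);

  // Bullets 1-4: sender obtains the public key, builds the secure key, uploads it.
  const secureKey = nodeCrypto.publicEncrypt(
    { key: recipient.publicKey, ...OAEP }, unwrapAtRest(sender.masterKey, senderAtRest));
  central.set('tx-1', secureKey);

  // Bullet 5: someone holding the stored blob but not the private key fails.
  let outsiderFailed = false;
  try { nodeCrypto.privateDecrypt({ key: outsider.privateKey, ...OAEP }, central.get('tx-1')); }
  catch { outsiderFailed = true; }

  // Bullets 6-8: recipient decrypts, rewraps under own master key, service deletes.
  const received = nodeCrypto.privateDecrypt({ key: recipient.privateKey, ...OAEP }, central.get('tx-1'));
  const recipientAtRest = wrapAtRest(recipient.masterKey, received);
  central.delete('tx-1');
  return { match: unwrapAtRest(recipient.masterKey, recipientAtRest).equals(packKey),
           outsiderFailed, secureKeyLen: secureKey.length, pending: central.size };
}
```

The stand-in central database only ever holds the RSA-encrypted blob, and it is empty once the recipient has confirmed the transfer.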