So basically the encryption key for the specific folder is in the shared url, and wuala servers decrypt the content to the user's browser.
If sharing is disabled then a new key is created and used locally to decrypt/encrypt directly from the client.
Thanks!
