
Cryptomator: Encryption for Your Cloud Storage

I regularly hear concerns about using cloud storage — the biggest being that online files are at higher risk of compromise should your account or the storage be hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.

Those are all valid concerns.

Cryptomator is a free encryption solution that addresses them.


Don’t the providers encrypt?

Many online cloud storage providers do encrypt your data, in transit and at rest. The problem is that they hold the keys: since they encrypted it, they can decrypt it.

And while the folks at major online storage providers are professionals with no interest in snooping around in your data, there have been rare instances of the so-called “rogue employee” poking around. Because the provider holds the keys, it can also turn your data over to the authorities in decrypted form, should that ever be required of it.

In addition, should your account be hacked, the data in your account would be available to the hacker in its unencrypted form, just as it’s available to you.

Provider-supplied encryption is nice, but it doesn’t protect us as well as we’d like.

The solution is simple: encrypt the data yourself, on your own machine, before it’s uploaded to any online storage provider. The provider then stores ciphertext it has no key for, so you, and only you, control access to it. The flip side is that nobody can recover the data for you either: lose the passphrase and the files are gone.

The hidden cost of doing your own encryption

There’s one good reason not to encrypt your data yourself: web access.

Unencrypted files are accessible via your service provider’s web interface. Dropbox, as just one example, allows you to log in to your account from any machine and access the files stored in your account via the web.

If you encrypt the data yourself, only the encrypted data is available through the web interface. If you ever want to get at your unencrypted data from a device that doesn’t have your encryption software and your passphrase, you can’t.

The Cryptomator model

Cryptomator encrypts file-by-file, which makes it a good fit for cloud storage providers like Dropbox, OneDrive, and others that upload and download individual files as they change: editing one document means only that document’s encrypted counterpart is re-uploaded, rather than one large container holding everything.

You select a folder to be encrypted by Cryptomator (Cryptomator calls this a vault) and assign it a passphrase, which protects the keys used to encrypt its contents.

When you “mount” this folder using Cryptomator, providing the passphrase to do so, another drive letter appears, which I’ll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. For everyday document work there’s little, if any, noticeable impact on performance, since accessing the disk, not performing the encryption, is generally the slowest part of the operation.

Cryptomator Basic

The files in the original folder are always encrypted. It’s only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.

An example of Cryptomator in use

Let’s say I use OneDrive[1]. On my machine, there’s a folder:

C:\Users\leon\OneDrive

It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as all other machines on which I have OneDrive installed.

One of the folders in my OneDrive folder is:

C:\Users\leon\OneDrive\EncryptedFiles

I don’t place any files in this folder directly. It starts out empty.

Next, I install Cryptomator and configure it to mount “C:\Users\leon\OneDrive\EncryptedFiles” as drive L:, setting the passphrase that will be required to mount it again in the future.

Drive L: appears on my machine.

I create a Word document on drive L:

L:\MyPrivateInformation.docx

As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:

C:\Users\leon\OneDrive\EncryptedFiles\d\2G\BQCY3SUZEVRU3MRAGLO6C62JGGGYZJ\5Y5RR6LM5SKSFZ6FIKULKNNBVQ3Y6DDTNGAKKX3VI2N72ZWM6KUOIGWL2AWCGB2TMY======

The file that was saved to L: was automatically encrypted and placed in the EncryptedFiles folder. This extremely obscure filename (along with others) is Cryptomator’s encrypted version of my document, and it is the only representation of the file that Cryptomator writes to disk. (Applications can still keep their own temporary or autorecovery copies outside the vault, so check where your programs put those.)

Next, OneDrive notices a new file has appeared on disk. This encrypted file is then uploaded and distributed to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.

 

Cryptomator to the Cloud

I can continue to work on the file on L: to my heart’s content. In a very real sense, it’s just a file, and can be manipulated like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.

Once I dismount the EncryptedFiles folder, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on my hard drive.
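To make the model above concrete (the per-file vault in “The Cryptomator model” and the EncryptedFiles walkthrough), here is an added example of my own. It is not Cryptomator’s code and does not reproduce its on-disk format; it is a toy vault that shows the same shape: a passphrase that never leaves the machine, a sync folder that only ever receives opaque filenames and ciphertext, and files that refuse to open under the wrong passphrase or after being modified in the cloud. Everything in it is an assumption for illustration: keys are stretched with PBKDF2-HMAC-SHA256 from the passphrase plus a salt file kept in the vault folder (a stand-in for a real vault’s key metadata), content is encrypted with an HMAC-SHA256 keystream in counter mode and authenticated with an HMAC-SHA256 tag (encrypt-then-MAC, where a real vault would use AES), the on-disk name is a base32-encoded keyed hash of the real name, and the real name is stored inside the ciphertext so the vault can be listed. The sample document and passphrase are constructed.

```python
"""Toy client-side vault mimicking the EncryptedFiles-folder model (added example).

Not Cryptomator's code or format. Assumptions: PBKDF2 for key derivation from the
passphrase + a salt file in the vault folder; HMAC-SHA256 counter-mode keystream
plus HMAC-SHA256 tag (encrypt-then-MAC) for content; base32 keyed-hash filenames
with the clear name carried inside the ciphertext.
"""
import base64, hashlib, hmac, secrets, tempfile
from pathlib import Path

PBKDF2_ITERATIONS = 200_000
NONCE_LEN, TAG_LEN = 16, 32
SALT_FILE = "vault.salt"          # toy stand-in for a real vault's key metadata


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: a CTR-style stream cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_blob(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce per write keeps the keystream unique."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_blob(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified file or wrong passphrase is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated vault file")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong passphrase or tampered file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """`root` plays the role of the EncryptedFiles folder: only salt and ciphertext land there."""

    def __init__(self, root, passphrase: str):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        salt_path = self.root / SALT_FILE
        if not salt_path.exists():
            salt_path.write_bytes(secrets.token_bytes(16))
        self.enc_key, self.mac_key = derive_keys(passphrase, salt_path.read_bytes())

    def _disk_path(self, name: str) -> Path:
        # keyed, deterministic, non-reversible name; base32 like the names seen in a vault folder
        digest = hmac.new(self.mac_key, b"name:" + name.encode(), hashlib.sha256).digest()
        return self.root / base64.b32encode(digest[:20]).decode()

    def write(self, name: str, data: bytes) -> None:
        # the clear name travels inside the ciphertext so listdir() can recover it
        blob = encrypt_blob(self.enc_key, self.mac_key, name.encode() + b"\0" + data)
        self._disk_path(name).write_bytes(blob)

    def read(self, name: str) -> bytes:
        pt = decrypt_blob(self.enc_key, self.mac_key, self._disk_path(name).read_bytes())
        return pt.split(b"\0", 1)[1]

    def listdir(self) -> list[str]:
        return sorted(decrypt_blob(self.enc_key, self.mac_key, p.read_bytes()).split(b"\0", 1)[0].decode()
                      for p in self.root.iterdir() if p.name != SALT_FILE)


def demo() -> dict:
    """Replay the article's scenario and report what the sync client would see (constructed data)."""
    root = Path(tempfile.mkdtemp()) / "EncryptedFiles"
    secret = b"quarterly numbers: not for the cloud"
    v = Vault(root, "correct horse battery staple")
    v.write("MyPrivateInformation.docx", secret)
    on_disk = [p.name for p in root.iterdir() if p.name != SALT_FILE]
    raw = (root / on_disk[0]).read_bytes()
    result = {"names_on_disk": on_disk, "listing": v.listdir(),
              "round_trip_ok": v.read("MyPrivateInformation.docx") == secret,
              "name_leaked": "MyPrivateInformation" in on_disk[0],
              "content_leaked": secret[:9] in raw}
    try:                                   # hacked account + guessed passphrase: tags fail
        Vault(root, "wrong passphrase").listdir(); result["wrong_pass_rejected"] = False
    except ValueError:
        result["wrong_pass_rejected"] = True
    tampered = bytearray(raw); tampered[NONCE_LEN + 3] ^= 0x01   # flip one ciphertext bit in the cloud copy
    (root / on_disk[0]).write_bytes(bytes(tampered))
    try:
        v.read("MyPrivateInformation.docx"); result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Run it and the reported dictionary shows the point of the article: the only things in the EncryptedFiles folder are the salt and a file with an unreadable base32 name whose bytes contain none of the document text, and both a wrong passphrase and a single flipped bit are refused before any plaintext is produced. The salt file stands in for whatever key metadata a real vault keeps beside its ciphertext; it is not secret, but the passphrase that unlocks it never reaches the provider.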

It’s for more than Windows

Cryptomator is available for:

  • Windows
  • macOS
  • Linux

And there are also apps available for:

  • Android
  • iOS

That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.

What about BoxCryptor?

Long-time readers may remember a similar utility called BoxCryptor. I still recommend both BoxCryptor and Cryptomator; use whichever you feel most comfortable with.

BoxCryptor is a commercial product. There’s a free tier, which has some limitations, and paid tiers that provide more, including support.

Cryptomator is free[2] and open source, with no limitations on use.

My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services stays confidential and is readable only by you.

I recommend it.


Footnotes & references

1: I do.

2: Technically, it’s “pay what you want”, where $0 is accepted.

19 comments on “Cryptomator: Encryption for Your Cloud Storage”

  1. Leo,

    I looked at the Cryptomator web site and under dependencies it lists:
    Java 8 (min. 8u51, we recommend to use the current version)
    JCE unlimited strength policy files (needed for 256-bit keys)

    Java has had a long history of security problems which makes me nervous, although I think the problems were more with the browser extensions more than Java itself. Do you have any knowledge that would suggest my worries are misplaced?

    • Yep. Java as a random programming language that can be exploited by random web pages via your browser is a risky thing.

      Java as used by specifically coded software (like Cryptomator and others) doesn’t have nearly the same risks associated with it.

    • >Java has had a long history of security problems

      The Java browser plug-in had a long history of security problems; however, as Leo said, apps coded in Java are as safe as apps coded in any other language.

  2. I have been using Boxcryptor (the old classic version) for years and have been very happy with it but wanted to try Cryptomator. In the end, I have decided to stick with Boxcryptor for a few reasons:

    1. Cryptomator is quite slow if you are working with a large number of files. It also uses a much larger percentage of CPU.

    2. Cryptomator is not a good solution (mostly because of speed, but also b/c the way it uses WebDAV) to run programs. For example, I wanted to run XAMPP from a Cryptomator mounted drive and it couldn’t do it (so slow as to not work). And, when I tried to run Quickbooks I couldn’t open my company file which was being stored in a mounted drive.

    3. The Boxcryptor app (Android at least) lets me actually edit files but the Cryptomator app requires me to do a dance by making an edited copy and using it to replace the original.

    Also note that while the desktop program is free the apps are not. They are not expensive, so I am not complaining – just providing a bit more information.

    I think for the average person Cryptomator is probably a very good option, but if you plan to have tons of files or want to run software that accesses files from a mounted drive, it might not be quite ready for that. Since it is under active development, all my criticisms may disappear with time.

    • That was a useful review.
      You say: “…Cryptomator app requires me to do a dance by making an edited copy and using it to replace the original.”
      Does it mean that you cannot open an encrypted file, e.g. Keepass database, in Cryptomator and edit it provided that Keepass app is installed?
      What do you have to do to save it and encrypt it again?
      Do you have to save another copy and encrypt it and delete the previous one?

  3. Maybe I’m not understanding something fundamental and basic. The only access a user would have to the unencrypted version of the encrypted file, would be from whatever machine Cryptomator was installed and configured on. Is that correct?

    If so, what happens if I want to access any of my OneDrive content from anywhere except my own machine? The only place the virtual drive (Leo called it the “L” drive) exists only on my machine. And I would think that installing Cryptomator on another machine is pointless, since the encryption algorithms and keys are tied to just my own machine.

    If the answer is “you’re out of luck” then there is no reason for me to use Cryptomator. If I can’t somehow access my unencrypted cloud storage from any device except my own, that defeats the “universal accessibility” appeal of the cloud for me. Again, please let me know if I’m not understanding things correctly.

    • You are correct: Cryptomator (and your passphrase) is required if you want to access your files. That’s kind of the point — if you could access them anywhere without Cryptomator, then a hacked account or government subpoena could allow others to access those files as well. It’s a decision you need to make based on how important your files are. Personally I’ve only encrypted one folder within my OneDrive account — all sensitive documents go in there, and they are accessible only to me when Cryptomator is used and I supply the correct passphrase. Other folders are not so encrypted, and are accessible simply by logging into my Microsoft account.

      If it helps, Cryptomator does work on mobile devices as well – I have it on my phone, for example.

    • If you have Cryptomator installed on another machine, you can open those files on that machine as long as you use the same password used to encrypt them on the other machine. That’s why it is so great in combination with OneDrive, Dropbox or other online file sync services. I use OneDrive to keep all of my machines’ data in sync. I have one shared sensitive folder and have Cryptomator installed on all three machines, and I can open all of those files on all three machines.

  4. I found your description of Cryptomator interesting enough to try it. I generally do some ad hoc testing on software to determine its feasibility in the way I would use it. On a Windows 10 computer using the free version I created a vault, say Zit1, in which I copied or created Word and text files, plus some pictures in the jpg format. All was well until my computer lost power suddenly while the vault was open. After restoring power the Word files appeared damaged. While trying to open a Word file the vault gave a message “Could not open … file”, yet the file came up under Word. It appeared OK, but I could not save it in the vault due to a “Network file permission error”. I could save it outside the vault. I was able to copy all the files from the damaged Zit1 vault into a still functioning vault, and there the files worked OK. By the way, the .txt and .jpg files worked without an error message.

    This prompted me to do some more investigation. I created another vault, Zit2, into which I copied the files from the damaged Zit1. Once in the good vault Zit2, the files worked OK.

    Next I recreated Zit1 and repopulated it with good files. I left the new vault Zit1 open, Cryptomator running, and then gave the command to the OS to shut down the computer. It did power down. After re-start I tested Zit1. The result was again damage as in the power loss.

    I repeated the experiment this time with a slight change. I opened Zit1 using the “Auto-Unlock on start (experimental)” option. Then again, I left the vault open and Cryptomator running while I gave the command to shut down the computer.

    After restarting Cryptomator was not running, so I started it. I noticed that Zit1 was already unlocked, so that part worked. Alas, the vault was again corrupted as before.

    At this point, as much as I would like to use this interesting software, I cannot take a chance on corrupting a large amount of data if I inadvertently forget to lock a vault or lose power. Note that the Word files that would no longer function were not open during the power loss or commanded shutdown. I don’t know what other kind of data would also be damaged. Does anybody have a solution to this? The Cryptomator site does not offer any help. I assume that they might for the paid version.

  5. As a satisfied Boxcryptor user for years I can only recommend the reader try this kind of encryption; Cryptomator sounds like a good option. However, since switching to Chromebook, Boxcryptor is no longer an option (since it doesn’t work within the Chrome browser). Yes, I know they say it’s in beta, but they’ve finally admitted to not working on that any more for technical reasons. And, while Linux versions are available, not all Chrome OS users are into Linux.

    So, Boxcryptor (and I assume Cryptomator) work in Windows, Mac and Linux, but not on a Chromebook. I thought that needed to be said, so I said it.

    • You can find encryption extensions in the Chrome store. I haven’t tried any so I can’t make any recommendations.

