You can store sensitive data in the cloud safely.
I regularly hear concerns about using cloud storage, the biggest being that online files are at higher risk of compromise should your account or the storage provider get hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.
Those are all valid concerns.
Cryptomator is a free encryption solution that addresses them.
You can store files safely in the cloud if you encrypt them before uploading. Cryptomator makes this transparent: you designate a folder within your cloud service, and its contents are automatically encrypted before uploading and decrypted when used on your device.
Don’t the providers encrypt?
Many online cloud storage providers encrypt your data. The problem is that since they encrypted it, they can decrypt it.
And while the folks at major online storage providers are professionals with no interest in snooping around in your data, there have been rare instances of the so-called “rogue employee” poking around. The service providers can also turn your unencrypted data over to the authorities should that ever be required.
In addition, should someone hack your account, the data would be available to them unencrypted, just as it’s available to you.
Provider-supplied encryption is nice, but it doesn’t protect us as well as we’d like.
The solution is simple: encrypt the data yourself. If you encrypt your data before it’s uploaded to an online storage provider, you, and only you, control access to it.
The Cryptomator model
Cryptomator encrypts file-by-file, which is perfect for cloud storage providers like Dropbox, OneDrive, and others that upload and download individual files as they change.
You select a folder to be encrypted by Cryptomator and assign it a passphrase to encrypt the contents.
When you “mount” this folder using Cryptomator — providing the passphrase to do so — another drive letter appears, which I’ll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. There’s little noticeable impact on performance, since accessing the disk, not performing the encryption, is the slowest part of the operation.
The files in the original folder on disk are always encrypted. It’s only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.
An example of Cryptomator in use
Let’s say I use OneDrive. On my machine, there’s a folder:
It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as with all other machines on which I have OneDrive installed.
One sub-folder within my OneDrive folder is:
I don’t place any files in this folder directly. It starts out empty.
Next, I install Cryptomator and configure it to mount “C:\Users\leon\OneDrive\EncryptedFiles” as drive L:. I set up the passphrase required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:
The file that was saved to L: is automatically encrypted and placed in the folder I named EncryptedFiles. This extremely obscure filename (along with others) is Cryptomator’s encrypted version of my document. This is the only representation of the file that is physically written to disk.
Next, OneDrive notices a new file has appeared on disk within the OneDrive folder. It uploads this encrypted file and distributes it to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart’s content. It’s just a file, and I can manipulate it like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.
Once I dismount the EncryptedFiles folder, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on my hard drive.
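The file-by-file model and the walk-through above, as an added Python sketch that is not Cryptomator's code or its on-disk format: each document becomes one independently encrypted file with an obscured name, so editing one document changes only one file for the sync client to upload. The function names, the scrypt parameters, and the HMAC-based stand-in cipher (used so the example needs only the standard library) are assumptions.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

def derive_keys(passphrase, salt):
    """Stretch the passphrase into separate encryption, MAC and filename keys."""
    raw = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=96)
    return raw[:32], raw[32:64], raw[64:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (assumption, stdlib only).
    # A real tool would use a vetted AEAD such as AES-GCM instead.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext):
    nonce = os.urandom(16)                      # fresh for every write
    body = _xor_stream(keys[0], nonce, plaintext)
    tag = hmac.new(keys[1], nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(keys, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or modified file")  # checked before decrypting
    return _xor_stream(keys[0], nonce, body)

def vault_path(sync_dir, keys, name):
    # The on-disk name is a keyed hash, so the real filename is not exposed.
    return Path(sync_dir) / hmac.new(keys[2], name.encode(), hashlib.sha256).hexdigest()[:32]

def demo():
    salt = b"constructed-salt"                  # constructed; a real vault stores a random salt
    keys = derive_keys("correct horse battery staple", salt)
    with tempfile.TemporaryDirectory() as sync_dir:   # stands in for the synced folder
        doc, other = (vault_path(sync_dir, keys, n) for n in ("taxes.docx", "notes.txt"))
        doc.write_bytes(seal(keys, b"constructed plaintext A"))
        other.write_bytes(seal(keys, b"constructed plaintext B"))
        before = other.read_bytes()
        doc.write_bytes(seal(keys, b"edited plaintext A"))    # edit one document
        untouched = other.read_bytes() == before              # only one file to re-sync
        leaked = b"plaintext" in doc.read_bytes() or "taxes" in doc.name
        restored = unseal(keys, doc.read_bytes())
        try:
            unseal(derive_keys("guess", salt), doc.read_bytes())
            rejected = False
        except ValueError:
            rejected = True
    return untouched, leaked, restored, rejected
```
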
It’s for more than Windows
Cryptomator is available for:
And there are also apps available for:
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.
The hidden cost of doing your own encryption
I have to mention one caveat: there’s one good reason not to encrypt your data yourself, and that’s web access.
Unencrypted files are accessible via your service provider’s web interface. Dropbox, as one example, allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself, only encrypted data is available to you via a web interface. If you ever want to access your unencrypted data on a device that doesn’t have the encryption software installed and configured, you can’t.
What about Boxcryptor?
In the past, I used Boxcryptor to perform the same task as Cryptomator.
Boxcryptor was sold to Dropbox, and its future is now unclear. You can no longer create new accounts.
Cryptomator is free and open source, with no limitations on use. My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services remains secure and accessible only by you.
I recommend it.