I regularly hear concerns about using cloud storage — the biggest being that online files are at higher risk of compromise should your account or the storage be hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.
Those are all valid concerns.
Cryptomator is a free encryption solution that addresses them.
Become a Patron of Ask Leo! and go ad-free!
Don’t the providers encrypt?
Many online cloud storage providers do encrypt your data. The problem is that since they encrypted it, they can decrypt it.
And while the folks at major online storage providers are professionals (with no interest in snooping around in your data), there have been rare instances of the so-called “rogue employee” poking around. The service providers also have the ability to turn your unencrypted data over to the authorities should that ever be required of them.
In addition, should your account be hacked, the data in your account would be available to the hacker in its unencrypted form, just as it’s available to you.
Provider-supplied encryption is nice, but it doesn’t protect us as well as we’d like.
The solution is simple: encrypt the data yourself. If you encrypt your data before it’s uploaded to any online storage provider, you, and only you, control access to it.
The hidden cost of doing your own encryption
There’s one good reason not to encrypt your data yourself: web access.
Unencrypted files are accessible via your service provider’s web interface. Dropbox, as just one example, allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself, only encrypted data is available to you via a web interface. If you ever want to access your unencrypted data from another place — you can’t.
The Cryptomator model
Cryptomator encrypts file-by-file, perfect for cloud storage providers like Dropbox, OneDrive, and others, that upload and download individual files as they change.
You select a folder to be encrypted by Cryptomator, and assign it a passphrase to encrypt its contents.
When you “mount” this folder using Cryptomator — providing the passphrase to do so — another drive letter appears, which I’ll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. There’s little, if any, noticeable impact on performance, since accessing the disk, not performing the encryption, is generally the slowest part of the operation.
The files in the original folder are always encrypted. It’s only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.
An example of Cryptomator in use
Let’s say I use OneDrive1. On my machine, there’s a folder:
C:\Users\leon\OneDrive
It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as all other machines on which I have OneDrive installed.
One of the folders in my OneDrive folder is:
C:\Users\leon\OneDrive\EncryptedFiles
I don’t place any files in this folder directly. It starts out empty.
Next, I install Cryptomator and configure it to mount “C:\Users\leon\OneDrive\EncryptedFiles” as drive L:. I set up the passphrase required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
L:\MyPrivateInformation.docx
As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:
C:\Users\leon\OneDrive\EncryptedFiles\d\2G\BQCY3SUZEVRU3MRAGLO6C62JGGGYZJ\5Y5RR6LM5SKSFZ6FIKULKNNBVQ3Y6DDTNGAKKX3VI2N72ZWM6KUOIGWL2AWCGB2TMY======
The file that was saved to L: was automatically encrypted and placed in the EncryptedFiles folder. This extremely obscure filename (along with others) is Cryptomator’s encrypted version of my document. This is the only representation of the file that is written to disk.
Next, OneDrive notices a new file has appeared on disk. This encrypted file is then uploaded and distributed to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart’s content. In a very real sense, it’s just a file, and can be manipulated like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.
Once I dismount the EncryptedFiles folder, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on your hard drive.
It’s for more than Windows
Cryptomator is available for:
- Windows
- Mac
- Linux
And there are also apps available for:
- Android
- iOS
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.
What about BoxCryptor?
Long-time readers may remember a similar utility called BoxCryptor. I still recommend both BoxCryptor and Cryptomator; use whichever you feel most comfortable with.
BoxCryptor is a commercial product. There’s a free tier, which has some limitations, and paid tiers that provide more, including support.
Cryptomator is free2 and open source, with no limitations on use.
My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services remains secure and is accessible only by you.
I recommend it.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,
Podcast audio
Download (right-click, Save-As) (Duration: 7:15 — 3.4MB)
Subscribe: Apple Podcasts | Android | RSS
Leo,
I looked at the Crytomator web site and under dependencies it lists:
Java 8 (min. 8u51, we recommend to use the current version)
JCE unlimited strength policy files (needed for 256-bit keys)
Java has had a long history of security problems which makes me nervous, although I think the problems were more with the browser extensions more than Java itself. Do you have any knowledge that would suggest my worries are misplaced?
Yep. Java as a random programming language that can be exploited by random web pages via your browser is a risky thing.
Java as used by specifically coded software (like Cryptomator and others) doesn’t have nearly the same risks associated with it.
I have been using Boxcryptor (the old classic version) for years and have been very happy with it but wanted to try Cryptomator. In the end, I have decided to stick with Boxcryptor for a few reasons:
1. Cryptomator is quite slow if you are working with a large number of files. It also uses a much larger percentage of CPU.
2. Cryptomator is not a good solution (mostly because of speed, but also b/c the way it uses WebDAV) to run programs. For example, I wanted to run XAMPP from a Cryptomator mounted drive and it couldn’t do it (so slow as to not work). And, when I tried to run Quickbooks I couldn’t open my company file which was being stored in a mounted drive.
3. The Boxcryptor app (Android at least) lets me actually edit files but the Cryptomator app requires me to do a dance by making an edited copy and using it to replace the original.
Also note that while the desktop program is free the apps are not. They are not expensive, so I am not complaining – just providing a bit more information.
I think for the average person Cryptomator is probably a very good option but if you plan to have tons of files or want to run software that accesses files from a mounted drive, it might not be quite ready for that. Since it under active development all my criticisms may disappear with time.
That was a useful review.
You say: “…Cryptomator app requires me to do a dance by making an edited copy and using it to replace the original.”
Does it mean that you cannot open an encrypted file, e.g. Keepass database, in Cryptomator and edit it provided that Keepass app is installed?
What do you have to do to save it and encrypt it again?
Do you have to save another copy and encrypt it and delete the previous one?
Maybe I’m not understanding something fundamental and basic. The only access a user would have to the unencrypted version of the encrypted file, would be from whatever machine Cryptomator was installed and configured on. Is that correct?
If so, what happens if I want to access any of my OneDrive content from anywhere except my own machine? The only place the virtual drive (Leo called it the “L” drive) exists only on my machine. And I would think that installing Cryptomator on another machine is pointless, since the encryption algorithms and keys are tied to just my own machine.
If the answer is “you’re out of luck” then there is no reason for me to use Cryptomator. If I can’t somehow access my unencrypted cloud storage from any device except my own, that defeats the “universal accessibility” appeal of the cloud for me. Again, please let me know if I’m not understanding things correctly.
You are correct: crytpomator (and your passphrase) is required if you want to access your files. That’s kind of the point — if you could access them anywhere without cryptomator, then a hacked account or government subpoena could allow others to access those files as well. It’s a decision you need to make based on how important your files are. Personally I’ve only encrypted on folder within my OneDrive account — all sensitive documents go in there, and they are accessible only to me when Cryptomator is used and I supply the correct passphrase. Other folders are not so encrypted, and are accessible simply by logging into my Microsoft account.
If it helps, Cryptomator does work on mobile devices as well – I have it on my phone, for example.
If you have Cryptomator installed on another machine, you can open those files on that machine as long as you use the same password used to encrypt them on the other machine. That’s why is is so great in combination with OneDrive, Dropbox or other online file sync service. I use OneDrive to keep all of my machines’ data in sync. I have on shared sensitive folder and have Cryptomator installed on all three machines and I can open all of those files on all three machines.
I found your description of Cryptomator interesting enough to try it. I generally do some adhoc testing on software to determine its feasibility in the way I would use it. On a Windows 10 computer using the free version I created a vault, say Zit1, in which I copied or created Word and text files, plus some pictures in the jpg format. All was well until my computer lost power suddenly while the vault was open. After restoring power the Word files appeared damaged. While rying to open a Word file the vault gave a message “Could not open … file” , yet the file came up under Word. It appeared OK, but I could not save it in the vault due to a “Network file permission error”. I could save it outside the vault. I was able to copy all the files from the damaged Zit1 vault into a still functioning vault, and there the files worked OK. By the way, the .txt and .jpg files worked without an error message.
This prompted me to do some more investigation. I created another vault, Zit2, into which I copied the files from the damaged Zit1. Once in the good vault Zit 2, the fifles worked OK.
Next I recreated Zit1 and repopulated it with good files. I left the new vault Zit1 open, Cryptomator running, and then gave the command to the OS to shut down the computer. It did power down. After re-start I tested Zit1. The result was again damage as in the power loss.
I repeated the experiment this time with a slight change. I opened Zit1 using the “Auto-Unlock on start (experimental)” option. Then again, I left the vault open and Cryptomator running while I gave the command to shut down the computer.
After restarting Cryptomator was not running, so I started it. I noticed that Zit1 was already unlocked, so that part worked. Alas, the vault was again corrupted as before.
At this point, as much as I would like to use this interesting software, i cannot take a chance on corrupting a large amount of data if I inadvertently forget to lock a vault or lose power. Note that the Word files that would no longer function were not open during the power loss or commanded shutdown. I don’t know what other kind of data wold also be damaged. Does anybody have a solution to this? The Cryptomator site does not offer any help. I assume that they might for the paid version.
Have you done the same kind of experiments with Boxcryptor?
What were the results?
Leo can the entire OneDrive folder somehow be encrypted?
Yes. Just set the OneDrive folder as the Cryptomator or BoxCryptor encrypted folder.
Yes. Using Cryptomator or BoxCryptor.
Can the entire Google Drive be encrypted with Cryptomator or BoxCryptor? Thanks
If you like, sure.
Can the encrypted one drive or Google drive folder be backed up with backblaze?
Yes, but you have to make sure that BackBlaze isn’t backing up the unencrypted virtual drive.
As a satisfied Boxcryptor use for years I can only recommend the reader try this kind of encryption; Cryptomator sounds like a good option. However, since switching to Chromebook, Boxcryptor is no longer an option (since it doesn’t work within the Chrome browser). Yes, I know they say it’s in beta, but they’ve finally admitted to not working on that any more for technical reasons. And, while Linux versions are available, not all Chrome OS users are into Linux.
So, Boxcryptor (and I assume Cryptomator) work in Windows, Mac and Linux, but not on a Chromebook. I thought that needed to be said, so I said it.
You can find encryption extensions in the Chrome store. I haven’t tried any so I can’t make any recommendations.
Thanks for the great tutorial, really nice! I neither have Boxcryptor nor Cryptomator installed, but am first checking around to comments/reviews.
Take it that, in case of using multiple devices (e.g. desktop/laptop, etc), one needs to install Cryptomator on each device, so as to have files sync in a proper way.
Maybe with the introduction of Personal Vault for OneDrive Cryptomator has become a little less significant for that cloud service?
Or would, for one reason or the other, Cryptomator still be a better option compared to Personal Vault.
For instance, Personal Vault has a lock time, i.e. after xx minutes the vault gets locked.
Although, Microsoft is currently rolling out extended times, upto 4 hours before the vault is locked.
I believe in that you get what you pay for, not all free softwares can be reliable. I needed a safe place where to keep my financial documents and installed Nordlocker (already have their vpn and never been disappointed). Very easy to setup and to use. Actually, they have a freemium too, but I wanted unlimited space. Also, I haven’t tried Cryptomator and can’t say anything about it.
Is Cryptomator still the best encryption software now to encrypt files before I upload to Google Drive/ OneDrive? What is the difference of Cryptomator vs Truecrypt?
Thanks
I can’t say it’s the best because I haven’t tried or seen reviews of others but I find it perfect for my needs.
Cryptommator is good, I happen to use BoxCryptor these days. The difference between these tools and tools like VeraCrypt (formerly TrueCrypt) is that if you change a file ONLY that file needs to be uploaded / updated in your cloud or elsewhere. With VeraCrypt if you make a change to ANY file then the ENTIRE vault must be uploaded / updated.
Jason
If a person prefers the more paranoid route with securing ones files online, and don’t want to trust their security to just one program, and are not always updating your encrypted uploads (like you only update it once in a while)… I suggest using double encryption. .7z (7-zip) paired with VeraCrypt. so basically your sensitive file(s) are stored in the VeraCrypt container and then you put the VeraCrypt container in a .7z file. both are password protected with different secure passwords (use something like Diceware with a bit of padding to make your passwords and make the passwords really long). one can even use keyfiles on the VeraCrypt container (which I would recommend and let VeraCrypt generate the keyfiles for you) and then store the keyfiles on a different account/service than where the VeraCrypt container is stored. if you want to go a bit further you can put a bunch of additional keyfiles in a .7z file so this way even if someone managed to get a hold of your keyfiles (after breaking through the password you got on the .7z file) and the VeraCrypt container file, they won’t know which keyfile(s) you used which should make it that much harder to break should they attempt brute forcing it since they can’t be sure they are using the right keyfiles. like generate say 20 keyfiles (named, for example… Keyfile01,Keyfile02 etc) and you could end up using the 1st/2nd/4th/5th keyfiles for your VeraCrypt container in combination with your password but the attacker won’t know this.
then you can just write this stuff down on a piece of paper and store it in a secure location for future use should you need it. but what I describe is more security based and sacrifices convenience which is why programs like Cryptomator is probably easier for the common person.
Is there a software that could encrypt or just add a password to a single file/folder, then I can upload to Google Drive or move it to any external flash disk or just store in my PC, anyone who wants to open the file can double click it and but need to type in a password to open it.
Thanks.
7Zip or any file compression program can do that. How Do I Encrypt a File?
You can use the same procedure to zip and encrypt a folder of a number of files.