You can store sensitive data in the cloud safely.

I regularly hear concerns about using cloud storage, the biggest being that online files are at higher risk of compromise should your account or the storage provider get hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.
Those are all valid concerns.
Cryptomator is a free encryption solution that addresses them.

Cryptomator
You can store files safely in the cloud if you encrypt them before uploading. Cryptomator makes the encryption transparent by allowing you to designate a folder within your cloud service that is automatically and transparently encrypted before uploading and decrypted when used on your device.
Don't the providers encrypt?
Many online cloud storage providers encrypt your data. The problem is that since they encrypted it, they can decrypt it.
And while the folks at major online storage providers are professionals with no interest in snooping around in your data, there have been rare instances of the so-called "rogue employee" poking around. The service providers can also turn your unencrypted data over to the authorities should that ever be required.
In addition, should someone hack your account, the data would be available to them unencrypted, just as it's available to you.
Provider-supplied encryption is nice, but it doesn't protect us as well as we'd like.
The solution is simple: encrypt the data yourself. If you encrypt your data before it's uploaded to an online storage provider, you, and only you, control access to it.
The Cryptomator model
Cryptomator encrypts file-by-file, which is perfect for cloud storage providers like Dropbox, OneDrive, and others that upload and download individual files as they change.
You select a folder to be encrypted by Cryptomator and assign it a passphrase to encrypt the contents.
When you "mount" this folder using Cryptomator - providing the passphrase to do so - another drive letter appears, which I'll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. There's little noticeable impact on performance, since accessing the disk, not performing the encryption, is the slowest part of the operation.
The files in the original folder on disk are always encrypted. It's only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.
An example of Cryptomator in use
Let's say I use OneDrive. On my machine, there's a folder:
C:\Users\leon\OneDrive
It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as on all other machines on which I have OneDrive installed.
One sub-folder within my OneDrive folder is:
C:\Users\leon\OneDrive\EncryptedFiles
I don't place any files in this folder directly. It starts out empty.
Next, I install Cryptomator and configure it to mount "C:\Users\leon\OneDrive\EncryptedFiles" as drive L:. I set up the passphrase required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
L:\MyPrivateInformation.docx
As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:
C:\Users\leon\OneDrive\EncryptedFiles\d\2G\BQCY3SUZEVRU3MRAGLO6C62JGGGYZJ\5Y5RR6LM5SKSFZ6FIKULKNNBVQ3Y6DDTNGAKKX3VI2N72ZWM6KUOIGWL2AWCGB2TMY======
The file that was saved to L: is automatically encrypted and placed in the folder I named EncryptedFiles. This extremely obscure filename (along with others) is Cryptomator's encrypted version of my document. This is the only representation of the file that is physically written to disk.
Next, OneDrive notices a new file has appeared on disk within the OneDrive folder. It uploads this encrypted file and distributes it to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart's content. It's just a file, and I can manipulate it like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.
Once I dismount the EncryptedFiles folder, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on my hard drive.
It's for more than Windows
Cryptomator is available for:
- Windows
- Mac
- Linux
And there are also apps available for:
- Android
- iOS
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.
The hidden cost of doing your own encryption
I have to mention one caveat: there's one good reason not to encrypt your data yourself, and that's web access.
Unencrypted files are accessible via your service provider's web interface. Dropbox, as one example, allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself, only encrypted data is available to you via a web interface. If you ever want to access your unencrypted data on a device that doesn't have the encryption software installed and configured, you can't.
What about Boxcryptor?
In the past, I used Boxcryptor to perform the same task as Cryptomator.
Boxcryptor was sold to Dropbox, and its future is now unclear. You can no longer create new accounts.
Do this
Cryptomator is free and open source, with no limitations on use. My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services remains secure and accessible only by you.
I recommend it.
Hi Leo,
In some of the online articles comparing Boxcryptor vs Cryptomator, there is a phrase that suggests that making changes to a single file in Cryptomator would change the entire storage vault. Your article mentions that Cryptomator encrypts file-by-file, which the paragraph below seems to contradict, or I simply misunderstand it.
Would you be able to enlighten me how file-by-file encryption causes changes to the entire vault? My main concern is how changing a single file (e.g. working on a word doc) may potentially result in me corrupting/ruining/losing other files in the vault. Thank you.
"When it comes to Cryptomator, encrypted data goes to storage vaults before it goes directly to the software. If you want to use this storage, Cryptomator will take note of a certain pathway and use it to check files. A change in a single file will also lead to changes in the entire storage vault, so keep that in mind when editing content in Cryptomator.
Files encrypted with a Boxcryptor are subsequently stored in key vaults. That way, these files are encrypted one after the other so if a single file changes in any way, then users can easily change the content without ruining other files."
I think it's a conflicting use of the term "vault" (which really has no definition for our purposes). If you take a look at the folder in which Cryptomator stores its encrypted files you'll see a lot of nonsensical files. My belief (and to be clear, it's just a guess) is that your file (say a .docx for example) might be contained in one or more of these files. Thus changing the .docx "logical" file could change multiple physical files, and quite possibly the information in the folder path to the file as well (if you have folders within your Cryptomator setup, as I do). So changing one logical file could cause multiple physical files to appear to have changed, quite possibly including something at the top of the folder tree.
I can confirm that changing ONE file does NOT cause EVERYTHING to be altered. That would defeat Cryptomator's purpose.
I can also confirm that editing directly a file (the .docx in my example) does not corrupt other things. I do it all the time. The only time I could conceive of an issue might be if multiple edits were happening on "nearby" files across multiple machines.
Nonetheless, as with all things, I back up the unencrypted contents of my Cryptomator vault anyway. Because you never know.
I've had a serious go at installing Cryptomator but it keeps on sticking (after I've installed it) at
- I enter "reveal drive"
- it replies "H: is unavailable. If the location is on this PC, make sure the device or drive is connected ..... etc
The "help" section is rather complicated and suggests making changes I'm not comfortable with. As Boxcryptor is closing down, is there any other encryption app that is more user-friendly than Cryptomator? I don't want to go back to hiding pendrives of my key files in the loft ...
Make sure you have "Files on Demand" turned OFF in OneDrive, to start.
I should add that I'm using Windows 10, and trying to link Cryptomator to OneDrive. There are suggestions that I should link my vault to a directory not a letter - though I don't see how to do this in OneDrive - and generally it all gets very techy very fast.
I'm beginning to see why seniors find computing difficult ...
Create a Cryptomator folder inside your OneDrive folder and place everything you want encrypted into the Cryptomator virtual drive. They will be encrypted on OneDrive. The same works for Dropbox, Google Drive, pCloud and more.
Sorry to be a Muppet, Leo, but how would I do that?
Can't find any such command box on OneDrive.
Mark - I've made a Cryptomator folder in my OneDrive. But when I try to run Cryptomator it gives the "H: is unavailable..." message. There is therefore no option to put anything into the Cryptomator folder as Cryptomator can't find it. I've tried the custom route but that fails, too.
Clearly I'm doing something wrong but computers sulk so effectively ...
Thanks for your patience, gentlemen. I'm at my wits' end (not a long journey, I grant you).
It's an option in OneDrive settings. Right click on the icon in the notification area of the taskbar, click the gear, click Settings, scroll down and click Advanced settings. You'll find it there. Once you turn it off give OneDrive a chance to download anything that hadn't been.
Thanks Leo, after a reinstall of Cryptomator, and making the changes you suggest, all seems to be tickety-boo. Problem may have also included a "hidden.^^^" file that appeared from nowhere, and also that I set my initial vault to be in \OneDrive instead of \OneDrive\Cryptomator, but I'm now a happy bunny.
Thanks for your patience and knowledgeable assistance.
Andrew
I'm glad I switched from Dropbox to OneDrive. Dropbox was irresponsible for dropping support for BoxCryptor in an attempt to drive BoxCryptor users to Dropbox.
To be clear, it's not clear who drove the decision. Could have been the BoxCryptor team making that call, but it certainly could have been DropBox making a criteria for the deal.
Either way, communication to customers has been handled very poorly.
I started using Cryptomator about a year ago and I use OneDrive. Just as a heads up, when I was setting up my Cryptomator vault I moved rather than copying existing files into the vault. I received multiple warnings via Windows Security pop-ups and messages from Microsoft about a possible ransomware attack.
I considered it a test of the security features, but after I had everything set up, I accessed my OneDrive online to make sure that no copies of the files I had moved were recoverable. Once I had done that, I keep copies of my vault contents unencrypted on an external hard drive, just in case something goes wrong. That is in addition to doing regular backups.
Also, for those deciding to give Cryptomator a try, make sure to make a copy of the recovery key and keep it in a safe location. Just like a good password manager, if one forgets the password to their Cryptomator vault there is no support to get back into it. The recovery key can be used to get back into it.
Just a quick tip for new Cryptomator users:
1. NEVER copy or save files directly into the Cryptomator folder in your cloud service - always work within the vault you created.
2. The Cryptomator folder in your cloud service will only reveal a handful of files, a few which start with the word "masterkey" and the others starting with the word "vault." There should be one folder with a single letter (like "d"). This is where all your encrypted content sits. Again, don't save anything directly into it - always use your vault to access your stuff.
I speak from experience that if you have a problem, the CR forum has a lot of users willing to help and they provide great support even for a free app.
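A check for the two tips in the comment above, written as an added Python example (not part of the original comments, and not Cryptomator's own code): it lists anything in the vault's cloud folder that does not look like vault data. The name patterns come from this page; acceptance of `.c9r`/`.c9s` names, the header list, and the function names are assumptions, and the sample vault is constructed.

```python
import re
import tempfile
from pathlib import Path

# Names as described on this page: "masterkey*"/"vault*" files and a "d" folder at
# the top; base32 ciphertext names under d/. Assumption: newer vault formats use
# names ending in .c9r/.c9s instead, so those are accepted as well.
ROOT_OK = re.compile(r"^(masterkey|vault)", re.IGNORECASE)
CIPHER_NAME = re.compile(r"^([A-Z2-7]+=*|.+\.c9[rs])$")
# Leading bytes of common plaintext formats (an assumed, non-exhaustive list).
MAGIC = {b"PK\x03\x04": "zip/docx", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png"}


def sniff(path):
    """Return a format label if the file starts with a known plaintext header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((label for magic, label in MAGIC.items() if head.startswith(magic)), None)


def audit_vault(vault_root):
    """Return (relative_path, reason) pairs for items that do not look like vault data."""
    root, findings = Path(vault_root), []
    for item in sorted(root.iterdir()):
        expected = (item.name == "d" and item.is_dir()) or (item.is_file() and ROOT_OK.match(item.name))
        if not expected:
            findings.append((item.name, "unexpected item in vault folder"))
    for path in sorted(p for p in (root / "d").rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        kind = sniff(path)
        if kind:  # a ciphertext-style name does not help if the content is plaintext
            findings.append((rel, "plaintext header: " + kind))
        elif not CIPHER_NAME.match(path.name):
            findings.append((rel, "name is not ciphertext-style"))
    return findings


def build_sample_vault():
    """Constructed sample: a small vault layout plus two stray plaintext files."""
    root = Path(tempfile.mkdtemp(prefix="vault_audit_"))
    leaf = "d/2G/BQCY3SUZEVRU3MRAGLO6C62JGGGYZJ/"
    samples = {
        "masterkey.cryptomator": b"{}",
        leaf + "5Y5RR6LM5SKSFZ6F======": bytes(range(7, 71)),
        "MyPrivateInformation.docx": b"PK\x03\x04 constructed",
        leaf + "notes.txt": b"constructed plaintext",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)
```

Calling `audit_vault(build_sample_vault())` reports the two stray files. Against a real vault folder the result is a list to review by hand, since the patterns are heuristics.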
I have been using Cryptomator for some time with pCloud. I am happy with it but there is one thing that puzzles me: At some point developers introduced an option to save password for the vault. To my simple mind it seems to encourage people to take a step that makes it less secure.
I have an Open Document (LibreOffice Writer) file I use to keep track of my monthly bills. I tried using Cryptomator to encrypt it for storage on OneDrive (changing the desktop icon I use to open it in LibreOffice accordingly, since its location changed). When I had the "vault" mounted with Cryptomator, all worked as expected, but after a re-boot, I'd often forget to re-mount the vault in Cryptomator, making it less than convenient for me. If there was an option to auto-mount the vault in Cryptomator on system startup, I'd be using it today. If anyone can tell me how to set this up, I'd appreciate it,
Ernie
First, set Cryptomator to launch automatically with Windows. It's a Cryptomator setting.
Then, next time you mount your vault, check the settings for that vault. Remember password, and auto-mount should be available options.
Before attempting to use Cryptomator, I am curious what happens if my computer that Cryptomator is installed on crashes, what is the recovery process to setup on a new computer. Having never used an encryption software, I'm sure it's a fairly easy process but want to be sure before attempting. Thank you!
Assuming the encrypted data is being replicated to other computers (as in Dropbox) you would simply install Cryptomator on the other machine, and open the vault.
Good morning Leo,
I am wondering if I could use the mklink /j to redirect the Windows Folders (Desktop, Documents, Downloads, Music, Pictures and Videos) to the OneDrive Folder being encrypted (to use your example C:\Users\leon\OneDrive\EncryptedFiles - of course I would create my own OneDrive folder) before going to my Unlimited Sync.com Cloud Storage?
I really enjoy your YouTube videos and am thrilled I stumbled across this article.
Thanks for any time and help you can offer.
John Levesque
I would be shocked if it worked, and would expect it to be fragile if it appeared to. The mounted Cryptomator drive doesn't have all the characteristics of a "real" hard drive, and Windows treats those folders so specially in so many nuanced ways that I suspect it'd just be a mess. (Remember also, Windows will run and expect those folders to be present before you even have a chance to mount them.)
If it's an issue, I'd keep sensitive files out of the Windows standard folders, and set up your own elsewhere.
Thanks Leo,
Yes you are correct it didn't work. What I ended up doing was just creating Folders of the same name in my Cryptomator folder. I then removed the Quick Access pins from all the System folders in the Windows Explorer and add Quick Access pins to my newly created folders inside the crypto folder.
I noticed an issue that I will just ignore pertaining to screen shots. When I tried relocating the target it seemed to be recreating the Camera Roll and Screenshots folder, over and over again, so I just removed them.
I am about to try this new arrangement which I actually installed to my PCloud which has an empty 16TB of storage being used, except for a few files that only amount to less than 1GB currently.
I am now going to install TickTick using my newly created Quick Access Folders and see what happens as far as speed (especially since I purchased the migration of my PCloud to Switzerland).
Thanks again for your time and help. Love your program.
John Levesque
I should have mentioned that I am in Florida and switched from US PCloud to EU because I am looking forward to a day I can trust our government again.
Also, I have the Lifetime 16TB with Lifetime Crypto but I enjoy the idea of being in control of my encryption. I purchased enough Lifetime Storage and eventually got PCloud to consolidate it all into one 16TB drive with another 4TB leftover for my wife under her ID.
Love your show Leo.
Thanks,
John
"I am looking forward to a day I can trust our government again." It's legal according to American law to spy on the EU. It's illegal for the US to spy on domestic servers. although as Ed Snowden pointed out. The only way to protect your data is via encryption, and of course, backing up.
(This isn't legal advice. It's just an observation)