
Cryptomator: Encryption for Your Cloud Storage

You can store sensitive data in the cloud safely.

Cryptomator is a powerful tool to protect the data you store in the cloud.
The Cryptomator model. (Image: askleo.com)

I regularly hear concerns about using cloud storage, the biggest being that online files are at higher risk of compromise should your account or the storage provider get hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.

Those are all valid concerns.

Cryptomator is a free encryption solution that addresses them.


TL;DR:

You can store files safely in the cloud if you encrypt them before uploading. Cryptomator makes the encryption transparent by allowing you to designate a folder within your cloud service that is automatically and transparently encrypted before uploading and decrypted when used on your device.

Don’t the providers encrypt?

Many online cloud storage providers encrypt your data. The problem is that since they encrypted it, they can decrypt it.

And while the folks at major online storage providers are professionals with no interest in snooping around in your data, there have been rare instances of the so-called “rogue employee” poking around. The service providers can also turn your unencrypted data over to the authorities should that ever be required.

In addition, should someone hack your account, the data would be available to them unencrypted, just as it’s available to you.

Provider-supplied encryption is nice, but it doesn’t protect us as well as we’d like.

The solution is simple: encrypt the data yourself. If you encrypt your data before it’s uploaded to an online storage provider, you, and only you, control access to it.

The Cryptomator model

Cryptomator encrypts file-by-file, which is perfect for cloud storage providers like Dropbox, OneDrive, and others that upload and download individual files as they change.

You select a folder to be encrypted by Cryptomator and assign it a passphrase to encrypt the contents.

When you “mount” this folder using Cryptomator — providing the passphrase to do so — another drive letter appears, which I’ll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. There’s little noticeable impact on performance, since accessing the disk, not performing the encryption, is the slowest part of the operation.

(Image: Cryptomator Basic)

The files in the original folder on disk are always encrypted. It’s only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.

An example of Cryptomator in use

Let’s say I use OneDrive.1 On my machine, there’s a folder:

C:\Users\leon\OneDrive

It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as on all other machines on which I have OneDrive installed.

One sub-folder within my OneDrive folder is:

C:\Users\leon\OneDrive\EncryptedFiles

I don’t place any files in this folder directly. It starts out empty.

Next, I install Cryptomator and configure it to mount “C:\Users\leon\OneDrive\EncryptedFiles” as drive L:. I set up the passphrase required to mount it again in the future.

Drive L: appears on my machine.

I create a Word document on drive L:

L:\MyPrivateInformation.docx

As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:

C:\Users\leon\OneDrive\EncryptedFiles\d\2G\BQCY3SUZEVRU3MRAGLO6C62JGGGYZJ\5Y5RR6LM5SKSFZ6FIKULKNNBVQ3Y6DDTNGAKKX3VI2N72ZWM6KUOIGWL2AWCGB2TMY======

The file that was saved to L: is automatically encrypted and placed in the folder I named EncryptedFiles. This extremely obscure filename (along with others) is Cryptomator’s encrypted version of my document. This is the only representation of the file that is physically written to disk.

Next, OneDrive notices a new file has appeared on disk within the OneDrive folder. It uploads this encrypted file and distributes it to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.

(Image: Cryptomator to the Cloud)

I can continue to work on the file on L: to my heart’s content. It’s just a file, and I can manipulate it like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.

Once I dismount the EncryptedFiles folder, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on my hard drive.

It’s for more than Windows

Cryptomator is available for:

And there are also apps available for:

  • Android
  • iOS

That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.

The hidden cost of doing your own encryption

I have to mention one caveat: there’s one good reason not to encrypt your data yourself, and that’s web access.

Unencrypted files are accessible via your service provider’s web interface. Dropbox, as one example, allows you to log in to your account from any machine and access the files stored in your account via the web.

If you encrypt the data yourself, only encrypted data is available to you via a web interface. If you ever want to access your unencrypted data on a device that doesn’t have the encryption software installed and configured, you can’t.

What about Boxcryptor?

In the past, I used Boxcryptor to perform the same task as Cryptomator.

Boxcryptor was sold to Dropbox, and its future is now unclear. You can no longer create new accounts.

Do this

Cryptomator is free2 and open source, with no limitations on use. My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services remains secure and accessible only by you.

I recommend it.


23 comments on “Cryptomator: Encryption for Your Cloud Storage”

  1. Hi Leo,

    In some of the online articles comparing Boxcryptor vs Cryptomator, there is a phrase that suggests that making changes to a single file in Cryptomator would change the entire storage vault. Your article mentions that Cryptomator encrypts file-by-file, which the paragraph below seems to contradict, or I simply misunderstand it.

    Would you be able to enlighten me how file-by-file encryption causes changes to the entire vault? My main concern is how changing a single file (e.g. working on a Word doc) may potentially result in me corrupting/ruining/losing other files in the vault. Thank you.

    “When it comes to Cryptomator, encrypted data goes to storage vaults before it goes directly to the software. If you want to use this storage, Cryptomator will take note of a certain pathway and use it to check files. A change in a single file will also lead to changes in the entire storage vault, so keep that in mind when editing content in Cryptomator.

    Files encrypted with a Boxcryptor are subsequently stored in key vaults. That way, these files are encrypted one after the other so if a single file changes in any way, then users can easily change the content without ruining other files.”

    Reply
    • I think it’s a conflicting use of the term “vault” (which really has no definition for our purposes). If you take a look at the folder in which Cryptomator stores its encrypted files you’ll see a lot of nonsensical files. My belief (and to be clear, it’s just a guess) is that your file (say a .docx for example) might be contained in one or more of these files. Thus changing the .docx “logical” file could change multiple physical files, and quite possibly the information in the folder path to the file as well (if you have folders within your Cryptomator setup, as I do). So changing one logical file could cause multiple physical files to appear to have changed, quite possibly including something at the top of the folder tree.

      I can confirm that changing ONE file does NOT cause EVERYTHING to be altered. That would defeat Cryptomator’s purpose.

      I can also confirm that editing directly a file (the .docx in my example) does not corrupt other things. I do it all the time. The only time I could conceive of an issue might be if multiple edits were happening on “nearby” files across multiple machines.

      Nonetheless, as with all things, I back up the unencrypted contents of my Cryptomator vault anyway. Because you never know.

      Reply
  2. I’ve had a serious go at installing Cryptomator but it keeps on sticking (after I’ve installed it) at
    – I enter “reveal drive”
    – it replies “H: is unavailable. If the location is on this PC, make sure the device or drive is connected ….. etc
    The ‘help’ section is rather complicated and suggests making changes I’m not comfortable with. As Boxcryptor is closing down, is there any other encryption app that is more user-friendly than Cryptomator? I don’t want to go back to hiding pendrives of my key files in the loft …

    Reply
  3. I should add that I’m using Windows 10, and trying to link Cryptomator to OneDrive. There are suggestions that I should link my vault to a directory not a letter – though I don’t see how to do this in OneDrive – and generally it all gets very techy very fast.
    I’m beginning to see why seniors find computing difficult …

    Reply
    • Create a Cryptomator folder inside your OneDrive folder and place everything you want encrypted into the Cryptomator virtual drive. They will be encrypted on OneDrive. The same works for Dropbox, Google Drive, pCloud and more.

      Reply
  4. Sorry to be a Muppet, Leo, but how would I do that?
    Can’t find any such command box on OneDrive.

    Mark – I’ve made a Cryptomator folder in my OneDrive. But when I try to run Cryptomator it gives the “H: is unavailable…” message. There is therefore no option to put anything into the Cryptomator folder as Cryptomator can’t find it. I’ve tried the custom route but that fails, too.
    Clearly I’m doing something wrong but computers sulk so effectively …

    Thanks for your patience, gentlemen. I’m at my wits’ end (not a long journey, I grant you).

    Reply
    • It’s an option in OneDrive settings. Right click on the icon in the notification area of the taskbar, click the gear, click Settings, scroll down and click Advanced settings. You’ll find it there. Once you turn it off give OneDrive a chance to download anything that hadn’t been.

      Reply
  5. Thanks Leo, after a reinstall of Cryptomator, and making the changes you suggest, all seems to be tickety-boo. Problem may have also included a “hidden.^^^” file that appeared from nowhere, and also that I set my initial vault to be in \OneDrive instead of \OneDrive\Cryptomator, but I’m now a happy bunny.
    Thanks for your patience and knowledgeable assistance.
    Andrew

    Reply
    • To be clear, it’s not clear who drove the decision. Could have been the BoxCryptor team making that call, but it certainly could have been DropBox making it a criterion for the deal.

      Either way, communication to customers has been handled very poorly.

      Reply
  6. I started using Cryptomator about a year ago and I use OneDrive. Just as a heads up, when I was setting up my Cryptomator vault I moved rather than copying existing files into the vault. I received multiple warnings via Windows Security pop-ups and messages from Microsoft about a possible ransomware attack.
    I considered it a test of the security features, but after I had everything set up, I accessed my OneDrive online to make sure that no copies of the files I had moved were recoverable. Once I had done that, I keep copies of my vault contents unencrypted on an external hard drive, just in case something goes wrong. That is in addition to doing regular backups.
    Also, for those deciding to give Cryptomator a try, make sure to make a copy of the recovery key and keep it in a safe location. Just like a good password manager, if one forgets the password to their Cryptomator vault there is no support to get back into it. The recovery key can be used to get back into it.

    Reply
  7. Just a quick tip for new Cryptomator users:
    1. NEVER copy or save files directly into the Cryptomator folder in your cloud service – always work within the vault you created.
    2. The Cryptomator folder in your cloud service will only reveal a handful of files, a few of which start with the word “masterkey” and the others starting with the word “vault.” There should be one folder with a single letter (like “d”). This is where all your encrypted content sits. Again, don’t save anything directly into it – always use your vault to access your stuff.
    I speak from experience that if you have a problem, the CR forum has a lot of users willing to help and they provide great support even for a free app.

    Reply
  8. I have been using Cryptomator for some time with pCloud. I am happy with it but there is one thing that puzzles me: At some point developers introduced an option to save password for the vault. To my simple mind it seems to encourage people to take a step that makes it less secure.

    Reply
  9. I have an Open Document (LibreOffice Writer) file I use to keep track of my monthly bills. I tried using Cryptomator to encrypt it for storage on OneDrive (changing the desktop icon I use to open it in LibreOffice accordingly, since its location changed). When I had the ‘vault’ mounted with Cryptomator, all worked as expected, but after a re-boot, I’d often forget to re-mount the vault in Cryptomator, making it less than convenient for me. If there was an option to auto-mount the vault in Cryptomator on system startup, I’d be using it today. If anyone can tell me how to set this up, I’d appreciate it,

    Ernie

    Reply
    • First, set Cryptomator to launch automatically with Windows. It’s a Cryptomator setting.
      Then, next time you mount your vault, check the settings for that vault. Remember password, and auto-mount should be available options.

      Reply
  10. Before attempting to use Cryptomator, I am curious what happens if the computer that Cryptomator is installed on crashes: what is the recovery process to set up on a new computer? Having never used encryption software, I’m sure it’s a fairly easy process but want to be sure before attempting. Thank you!

    Reply
  11. Good morning Leo,
    I am wondering if I could use the mklink /j to redirect the Windows Folders (Desktop, Documents, Downloads, Music, Pictures and Videos) to the OneDrive Folder being encrypted (to use your example C:\Users\leon\OneDrive\EncryptedFiles — of course I would create my own OneDrive folder) before going to my Unlimited Sync.com Cloud Storage?

    I really enjoy your YouTube videos and am thrilled I stumbled across this article.

    Thanks for any time and help you can offer.

    John Levesque

    Reply
    • I would be shocked if it worked, and would expect it to be fragile if it appeared to. The mounted Cryptomator drive doesn’t have all the characteristics of a “real” hard drive, and Windows treats those folders so specially in so many nuanced ways that I suspect it’d just be a mess. (Remember also, Windows will run and expect those folders to be present before you even have a chance to mount them.)

      If it’s an issue, I’d keep sensitive files out of the Windows standard folders, and set up your own elsewhere.

      Reply
  12. Thanks Leo,

    Yes, you are correct, it didn’t work. What I ended up doing was just creating folders of the same name in my Cryptomator folder. I then removed the Quick Access pins from all the system folders in Windows Explorer and added Quick Access pins to my newly created folders inside the crypto folder.

    I noticed an issue that I will just ignore pertaining to screen shots. When I tried relocating the target it seemed to be recreating the Camera Roll and Screenshots folder, over and over again, so I just removed them.

    I am about to try this new arrangement which I actually installed to my PCloud which has an empty 16TB of storage being used, except for a few files that only amount to less than 1GB currently.

    I am now going to install TickTick using my newly created Quick Access Folders and see what happens as far as speed (especially since I purchased the migration of my PCloud to Switzerland).

    Thanks again for your time and help. Love your program.

    John Levesque

    Reply
  13. I should have mentioned that I am in Florida and switched from US PCloud to EU because I am looking forward to a day I can trust our government again.

    Also, I have the Lifetime 16TB with Lifetime Crypto but I enjoy the idea of being in control of my encryption. I purchased enough Lifetime Storage and eventually got PCloud to consolidate it all into one 16TB drive with another 4TB leftover for my wife under her ID.

    Love your show Leo.

    Thanks,
    John

    Reply
    • “I am looking forward to a day I can trust our government again.” It’s legal according to American law to spy on the EU. It’s illegal for the US to spy on domestic servers. although as Ed Snowden pointed out. The only way to protect your data is via encryption, and of course, backing up.
      (This isn’t legal advice. It’s just an observation)

      Reply
