I regularly hear concerns about using cloud storage — the biggest being that online files are at higher risk of compromise should your account or the storage be hacked. There are also concerns that your storage provider could be required to hand over your files to law enforcement agencies under certain circumstances.
Those are all valid concerns.
Cryptomator is a free encryption solution that addresses them.
Don’t the providers encrypt?
Many online cloud storage providers do encrypt your data, both in transit and at rest on their servers. The problem is that they generate and hold the encryption keys: since they encrypted it, they can decrypt it, and so can anyone who gains control of those keys or of your account.
And while the folks at major online storage providers are professionals (with no interest in snooping around in your data), there have been rare instances of the so-called “rogue employee” poking around. The service providers also have the ability to turn your unencrypted data over to the authorities should that ever be required of them.
In addition, should your account be hacked, the data in your account would be available to the hacker in its unencrypted form, just as it's available to you. The provider decrypts transparently for whoever logs in, and it cannot tell you and an attacker holding your credentials apart.
Provider-supplied encryption is nice, but it doesn’t protect us as well as we’d like.
The solution is simple: encrypt the data yourself. If you encrypt your data before it's uploaded to any online storage provider, you, and only you, control access to it, provided the passphrase never leaves your control and is not stored alongside the data.
The hidden cost of doing your own encryption
There’s one good reason not to encrypt your data yourself: web access.
Unencrypted files are accessible via your service provider’s web interface. Dropbox, as just one example, allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself, the web interface can show you only the encrypted files. To read them from another machine you need the decryption software and the passphrase; a plain browser on a borrowed computer will not do.
The Cryptomator model
Cryptomator encrypts file by file rather than placing everything inside one large encrypted container. That matters for cloud storage providers like Dropbox, OneDrive, and others, which upload and download individual files as they change: editing one document causes only that document's encrypted counterpart to be re-uploaded, instead of an entire multi-gigabyte container.
You select a folder to be encrypted by Cryptomator (a "vault"), and assign it a passphrase to encrypt its contents. That passphrase is the only thing standing between the encrypted files and anyone who obtains them, so choose a strong one; neither the storage provider nor Cryptomator's developers can recover a passphrase you forget.
When you “mount” this folder using Cryptomator — providing the passphrase to do so — another drive letter appears, which I’ll call L:. Anything written to drive L: is encrypted and written to the folder you specified. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly. There’s little, if any, noticeable impact on performance, since accessing the disk, not performing the encryption, is generally the slowest part of the operation.
The files in the original folder are always encrypted. It’s only when the folder is mounted using Cryptomator that the files are visible in their decrypted form in the virtual drive.
An example of Cryptomator in use
Let's say I use OneDrive. On my machine, there's a folder:
It contains all the files and folders that are part of my OneDrive cloud storage. I have many files and folders that automatically synchronize with the OneDrive servers, as well as all other machines on which I have OneDrive installed.
One of the folders in my OneDrive folder is:
I don’t place any files in this folder directly. It starts out empty.
Next, I install Cryptomator and configure it to mount “C:\Users\leon\OneDrive\EncryptedFiles” as drive L:. I set up the passphrase required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
As soon as I save that document to drive L:, new files and folders appear within the EncryptedFiles folder:
The file that was saved to L: was automatically encrypted and placed in the EncryptedFiles folder. This extremely obscure filename (along with others) is Cryptomator's encrypted version of my document. Cryptomator encrypts file names as well as contents, so the folder listing reveals neither what the files are called nor what they contain. This is the only representation of the file that is written to disk.
Next, OneDrive notices a new file has appeared on disk. This encrypted file is then uploaded and distributed to all my machines running OneDrive. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart’s content. In a very real sense, it’s just a file, and can be manipulated like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.
Once I lock (dismount) the EncryptedFiles vault, its corresponding drive, drive L:, disappears. The unencrypted versions of the files are no longer accessible. All that remains are the encrypted versions stored in the EncryptedFiles folder within the OneDrive folder, both online and on my hard drive.
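To make the model concrete, here is a toy vault in Python, written for this article as an added example. It is not Cryptomator's code or file format: the cipher construction (an HMAC-SHA256 counter-mode keystream with a separate MAC for contents, and a SIV-style scheme for names) is a standard-library stand-in for the AES-based authenticated encryption real tools use, chosen so the example runs without third-party packages. The dict that stands in for the synced EncryptedFiles folder, the passphrases, and the file contents are all constructed inputs. What it shows is the three properties described above: the only thing written to the synced folder is ciphertext under an unreadable name, editing one file changes only that file's ciphertext (so the sync client re-uploads just that file), and the vault opens only with the right passphrase and refuses tampered files.

```python
"""Toy file-by-file vault illustrating the Cryptomator model.

Added example for this article, NOT Cryptomator's code or format.
Standard library only: scrypt turns the passphrase into keys, HMAC-SHA256
is used as a PRF for a counter-mode keystream, file contents are
encrypt-then-MAC'd, and file names use a SIV-style construction so the
same name always maps to the same ciphertext (needed for lookups).
"""
import base64
import hashlib
import hmac
import os
import struct


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(key, iv || counter) blocks (a PRF in counter mode)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = _prf(key, iv + struct.pack(">Q", block))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class ToyVault:
    """`storage` is a dict standing in for the synced 'EncryptedFiles' folder."""

    def __init__(self, passphrase: str, storage=None):
        self.storage = storage if storage is not None else {}
        salt = self.storage.setdefault("vault.salt", os.urandom(16))
        master = hashlib.scrypt(passphrase.encode(), salt=salt,
                                n=2 ** 14, r=8, p=1, dklen=64)
        self.enc_key, self.mac_key = master[:32], master[32:]
        self.name_key = _prf(self.mac_key, b"filename")
        # A keyed check value lets us reject a wrong passphrase up front
        # instead of failing later on every file's MAC.
        check = _prf(self.mac_key, b"vault-check")
        stored = self.storage.setdefault("vault.check", check)
        if not hmac.compare_digest(stored, check):
            raise ValueError("wrong passphrase")

    def _encrypt_name(self, name: str) -> str:
        plain = name.encode()
        siv = _prf(self.name_key, plain)[:16]            # synthetic IV = MAC of name
        ct = _keystream_xor(self.enc_key, b"name" + siv, plain)
        return base64.urlsafe_b64encode(siv + ct).decode().rstrip("=") + ".toy"

    def _decrypt_name(self, enc: str) -> str:
        b64 = enc[:-len(".toy")]
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        siv, ct = raw[:16], raw[16:]
        plain = _keystream_xor(self.enc_key, b"name" + siv, ct)
        if not hmac.compare_digest(_prf(self.name_key, plain)[:16], siv):
            raise ValueError("corrupt file name")
        return plain.decode()

    def write(self, name: str, data: bytes) -> str:
        """Encrypt `data` under a fresh nonce and store it under the encrypted name."""
        nonce = os.urandom(16)
        ct = _keystream_xor(self.enc_key, b"file" + nonce, data)
        tag = _prf(self.mac_key, nonce + ct)             # encrypt-then-MAC
        enc_name = self._encrypt_name(name)
        self.storage[enc_name] = nonce + ct + tag
        return enc_name

    def read(self, name: str) -> bytes:
        blob = self.storage[self._encrypt_name(name)]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(_prf(self.mac_key, nonce + ct), tag):
            raise ValueError("ciphertext tampered with or wrong key")
        return _keystream_xor(self.enc_key, b"file" + nonce, ct)

    def listdir(self) -> list:
        return sorted(self._decrypt_name(n) for n in self.storage if n.endswith(".toy"))


def demo() -> dict:
    cloud = {}                                            # constructed stand-in folder
    vault = ToyVault("correct horse battery staple", cloud)
    vault.write("report.docx", b"quarterly numbers")
    notes_blob = vault.write("notes.txt", b"todo")
    before = dict(cloud)
    vault.write("report.docx", b"quarterly numbers, revised")   # edit one file
    changed = [k for k in cloud if before.get(k) != cloud[k]]
    try:                                                  # "another machine", wrong passphrase
        ToyVault("wrong passphrase", cloud)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    again = ToyVault("correct horse battery staple", cloud)     # right passphrase
    report = again.read("report.docx")
    tampered = bytearray(cloud[notes_blob]); tampered[20] ^= 1   # flip a ciphertext bit
    cloud[notes_blob] = bytes(tampered)
    try:
        again.read("notes.txt")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"stored_names": sorted(k for k in cloud if k.endswith(".toy")),
            "changed_on_edit": changed, "listing": again.listdir(),
            "report": report, "wrong_passphrase_rejected": wrong_rejected,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points carry over to the real thing. File names are encrypted deterministically (the SIV is a MAC of the name) so that a name can be looked up without decrypting the whole listing; this leaks only whether two files share a name, never the name itself. And every file carries its own nonce and authentication tag, so an edit rewrites exactly one ciphertext and any bit-flip in storage is caught on read rather than silently producing garbage. Cryptomator keeps the equivalent of the salt and passphrase check in its masterkey file inside the vault folder.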
It’s for more than Windows
Cryptomator is available for:
And there are also apps available for:
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share. Keep in mind that anyone you share a vault with needs its passphrase, which you must pass along separately and securely; sharing the folder itself gives them only ciphertext.
What about BoxCryptor?
Long-time readers may remember a similar utility called BoxCryptor. I still recommend both BoxCryptor and Cryptomator; use whichever you feel most comfortable with.
BoxCryptor is a commercial product. There’s a free tier, which has some limitations, and paid tiers that provide more, including support.
Cryptomator is free and open source, with no limitations on use.
My bottom line is that Cryptomator is a convenient solution for making sure the data you place in cloud storage services stays encrypted end to end and is readable only by someone who holds the passphrase.
I recommend it.