Keep your Google Drive data secure in the cloud.
Whenever I talk about cloud storage, I get questions about data security. People worry that their data could be stolen if they lose access to their account; accessed by rogue employees; or even viewed by the storage provider for unknown purposes such as AI training.
While I don’t believe these security breaches are common, there’s a solution for all of them: encryption.
Cryptomator is a tool designed for encrypting files stored in cloud services. It will work on many platforms; let's set it up for Google Drive.
Become a Patron of Ask Leo! and go ad-free!
Cryptomator and Google Drive
Cryptomator encrypts your cloud-stored files to ensure data security and privacy. You can use Google Drive’s Mirror setting and create a secure vault to have easy access to encrypted files across multiple devices and platforms while protecting against unauthorized access.
An important Google Drive setting
Before we start, there’s one crucial setting in Google Drive to adjust. Click the Google Drive icon in the taskbar notification area; click on the gear icon and then Preferences. Under Google Drive, enable Mirror files syncing.
The default setting -- Stream files -- keeps your files online and streams them as needed, which can create issues with tools like Cryptomator1. By choosing Mirror files, your files are downloaded and stored locally so Cryptomator works seamlessly.
Installing Cryptomator
Visit Cryptomator’s website and download the installer. Run the installer, agree to the terms, and follow the installation steps. The process is pretty typical, including a User Account Control (UAC) prompt.
Once installation is complete, run Cryptomator by clicking on the Start button, searching for "cryptomator", and clicking on the icon when it appears.
It will ask if you want it to check for updates.
I recommend clicking on Yes, Automatic... so as to stay up to date in the future. The setting can be changed later should you want to.
Set Up a Vault
A "vault" is a secure folder managed by Cryptomator. It consists of two parts:
- The actual files on disk that are encrypted.
- The files made visible in unencrypted form when the vault is "mounted".
We'll start by creating and setting up a new vault.
In the lower left corner of Cryptomator, click on Add, and then New Vault...
This will open the New Vault wizard. First, you'll name your vault.
You can name it whatever you like. In the example above, I've typed in MyGoogleSecureVault.
Click on Next to select the location of your vault.
Choose Custom location and click on the Choose button. This will open a "Select Directory" (aka folder) dialog.
This is where we specify where the encrypted files will reside within our Google Drive.
A couple of things to note in this example.
- The location I've chosen is a folder called "CryptoMatorData" within my Google Drive "My Drive".
- The full path to that location would be C:\Users\askle\My Drive\CryptomatorData.
- The full path to the vault contained in that location is C:\Users\askle\My Drive\CryptomatorData\MyGoogleSecureVault.
Click on the Select Folder button (not shown above, but at the lower right of the dialog) to confirm your choice, and then Next.
Now it's time to secure your vault with a password.
While the dialog says to set a password, what you really want to set is a passphrase: something long and secure that you'll remember and type in later to access the contents of your vault.
It's important to understand that without your passphrase, you cannot recover your data. There's no back door.
However, Cryptomator does allow you to set up a recovery key just in case. Particularly if this is your first time using Cryptomator, I recommend you do so. You should keep that recovery key (a collection of seemingly random words) in a safe place since anyone with the key will be able to access your vault.2
Once you click Create Vault (and possibly Next if you create a recovery key), its initial (encrypted) files will appear in your Google Drive folder.
Using Cryptomator
Your files are visible only in encrypted form if any of these are true:
- Cryptomator is not running.
- The vault is not mounted.
- You're viewing the vault on Google Drive online.
To unlock a drive when Cryptomator is running, click on the Cryptomator icon in the taskbar notification area, click on the name of the vault you want to unlock, and click on Unlock.
This brings up the password entry dialog for the vault.
Enter the password and click Unlock. (You can also check "Remember password", but only do this if you're certain the computer you're using is secure. Once remembered, the vault can be unlocked without needing to know the password.)
Assuming you entered the password correctly, Cryptomator opens Windows File Explorer showing you the unencrypted contents of the vault.
Note that the vault has been assigned a drive letter -- "F:" in the example above. You can now access anything in the vault using any program you like via drive F:.
Meanwhile, in Google Drive online, the encrypted vault will be updated and re-encrypted appropriately as you make changes via the mounted drive.
When you’re finished, lock the vault by clicking on the Cryptomator icon in the taskbar notification area, on the name of the vault, and then on Lock. This unmounts the virtual drive, leaving only the encrypted files visible in Google Drive.
Multi-machine, multi-device access
Google Drive is often used to synchronize data across multiple machines. Each device must have Google Drive installed and be signed into the same account. This synchronization includes, of course, the folders containing your Cryptomator encrypted data.
You can install Cryptomator on those other machines as well to access the existing vault (assuming, of course, you can enter the correct password). This allows you to work on the unencrypted data on multiple machines.
Cryptomator is available for Windows, macOS, and Linux, meaning you can access your files across all those platforms. Cryptomator is also available on mobile devices.
There is one place Cryptomator is not.
Web access is denied
Online access is one of the features of Google Drive. If you visit your Google Drive online in a web browser, you can access all your files -- as long as they're not encrypted.
Therefore, files encrypted by Cryptomator are not accessible online via the Google Drive website. You must use a computer or mobile device with Cryptomator installed and type in the appropriate password in order to access your secured files.
Do this
I’ve used Cryptomator extensively for years for storing sensitive information. I trust it completely. By encrypting your data, you ensure that nothing stored in the cloud is readable by anyone else. Your data remains yours: secure and private.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
“You can also check “Remember password”, but only do this if you’re certain the computer you’re using is secure.” if you use whole disk encryption such as Bitlocker or VeraCrypt, generally fine to have Cryptomator remember the password.
I always watch your YouTube videos, love them all, thank you. I would be really anxious about encrypting the data just in case anything went wrong with the PC, if Windows updated in the future and Cryptomator suddenly wasn’t compatible, Windows stopped the virtual drive loading for some reason, or something else went wrong (faulty hard drive etc), then I would still like to keep an unencrypted copy backed up somewhere else (but even hidden places people can find if the break in). However, this sort of defeats the object as I would want to encrypt the backups too in case it got into the wrong hands, or someone broke in and found the hiding place etc etc, so catch 22 for me, not sure what to do. I already have all my OneDrive data backed up on three external hard drives as my data is valuable and irreplacable to me (years of family photos etc) but want to encrypt them. Kind regards.
I do exactly what you propose: I back up the UNencrypted Cryptomator contents, but then I ENcrypt that using a different technology. “Zip” encryption is great for this, as it’s ubiquitous.
I’m not sure ‘Zip’ encryption is that secure, there are sites what will decrypt zip files for a small fee. And they work…
Older ZIP encryption was poor and easily cracked. As long as you’re using a strong password, you should be fine. (Most cracks just try common and/or short passwords).
7-Zip, Cryptomator, and VeraCrypt all use AES-256 encryption, so their level of protection are similar. Veracrypt has additional security features but the encryption is the same strength.
I highly recommend to update the 7-Zip program if you do use this free and useful program.
The current updated version is 24.09. It gets updated regularly for security reasons. It is always advisable and smart to use the latest version to stay safe.
You can get this program and also check its latest version here:
https://7-zip.org/
An important and useful FYI …. you can use 7-Zip as a portable program by just copying the installed folder to your external drive, like a USB flash drive, so you can use this program quickly and easily without installing it. The regular default location is here:
“C:\Program Files\7-Zip
Good luck and Happy New Year to you all.
FYI: 7-zip File Archiving Utility
I’ve been using the spin-off of TrueCrypt (Veracrypt) for a few years for similar purposes. – And have vaults stored in Drop-Box and PCloud.
Could you explain the advantages / benefits of Cryptomator vs VeraCrypt?
Thanks!
and Merry Xmas and Happy Holly Daze!
This compares BoxCryptor and VeraCrypt: https://askleo.com/boxcryptor_secure_your_data_in_the_cloud/, but the concept applies equally to Cryptomator (which is covered here: https://askleo.com/cryptomator-encryption-cloud-storage/ )
TL;DR: When you change even one small file in a Veracrypt volume, the entire volume is uploaded to the cloud and downloaded to every computer connected to that service. That’s a lot of bandwidth. Cryptomator only syncs the changed files.
Your –
‘run Cryptomator by clicking on the Start button, searching for “cryptomator”, and clicking on the icon when it appears.’
– made me think, not long ago all that was needed was to look in ‘Programs’ for a program we might have installed, now it seems we have the additional step of having to ‘search’ for it, with additional typing and clicking !
The way you mentioned still works, but it’s much faster, in most cases, to press the Windows Icon key or click the Windows Start Icon and typing crypt and clicking Cryptomator when it appears.
I use an end-to-end encrypted cloud service, Mega. With it, you’re able to select any one or more directories for syncing to the cloud storage. Any changes to any of the synced directories are instantly encrypted and copied to cloud storage on a file-by-file basis. The local files in the synced directories are always available unencrypted and can be used just like there was no synced cloud account. Mega has clients for Windows, Linux, MAC, Android, Ios and extensions for Chrome and Firefox (and their forks) https://mega.io/syncing
Leo,
Your instructions for Mirroring files do not agree at all with what appears on my screen. Could it be that my version of Google Drive is not the same as yours? I hesitate to go any further with mirroring on my PC until I hear from you or someone on your staff.
Without knowing a lot more, and in particular what it is you see, it’s impossible for me to say.
Submit a question over at https://askleo.com/ask, and then you can respond to the first automated response you’ll get with screenshots.
I fully understand the desire to retain an unencrypted version of sensitive data locally. If for example one were to die your executor (who may have no knowledge of encryption ) will have the problem of accessing your financial / personal data so they can deal with your will. I use two Secure USB flash drives (such as those by Datashur and others) which require one to set a 15 digit pin as the key to access the contents. This allows the Secure USB flash drive to be left with your solicitor while the access code is left with a trusted relative. While alive you also have access control to update your sensitive data locally. This is not an advert for Datashur or others