Attila Orosz
Clouded Security: Auto-Encrypt Anything Before Uploading, With Cryptomator

The recent scare of Meltdown and Spectre exploits has been echoing around the media for a while now. Virtually everybody is or has been talking about them, and how it makes all personal computers vulnerable, yet surprisingly little can be heard about the far greater threat: Cloud security.

Especially Spectre, which is also much harder to protect against, can negatively affect services that share processors and or memory, meaning virtually every business using mega cloud-providers, like Amazon, and Google Cloud and MS Azure. Naturally, the few that run dedicated servers and don't share hardware with others would be somewhat safer, but hey, the cloud is called "The Cloud" for a reason. Unfortunately, that the most popular consumer cloud services like Dropbox and Google Drive are among the affected ones.

Whatever the connection between the size/reach of said big providers, the fact that Google technically owns the web (and can have quite an impact on web traffic), and the lack of serious reporting thus far, the fact remains: The Cloud just became (even more) vulnerable, and nobody is really talking about it.

Whether the hype about personal computers being vulnerable, and cloud services portrayed to remain as safe as ever is meant to prevent a mass exodus from consumer cloud platforms and services, is a simple(?) journalistic oversight or something else entirely, does not change the fact that your data security and privacy mostly depend on you.

What to do about potentially unsafe services?

And by potentially unsafe, you might just mean any service that is out of your control, as you can never be sure what happens on some far away servers.

While the ideal solution would be to just stop using them, and look for saner, and safer alternatives, neither do we live in an ideal world, nor are most cloud consumers willing to give up the convenience these services provide.

The second-best solution, at least as far as cloud file storage goes, would be to protect your data before uploading it anywhere.

This is not to say that your home PC and smartphone are not vulnerable. They are. You should update, upgrade and patch as soon as you can. Yet, and this is important, your home devices are a lot less likely to get hacked than servers of businesses and cloud services if only because of the greater exposure and visibility (and promise of actual spoils) those have. Your data might only be part of the collateral, but it's still not quite worth risking.

Enter Cryptomator

Cryptomator Logo

Cryptomator is a Free and Open Source, cross-platform application, that offers both transparency and a convenient way of encrypting just about anything, before uploading to the cloud. It is convenient, because all you need to do is install, create a vault (or multiple vaults), put your local shared folders into the newly created virtual drive(s), and you're ready to go.

It is transparent, in two ways:

  • One is that you will not see encryption happen. You will work with your files as you normally would, the only difference being the storage location is now the Cryptomator vault's new mount.
  • The other is being open source, therefore auditable. This ensures there are no backdoors of any kind; whatever you encrypt, remains your secret.

Simplicity is key

In the Cryptomator developers' own words:

We understand simplicity as a key aspect of security. With Cryptomator you don't have to deal with accounts, key management, cloud access grants or cipher configurations. Just choose a password and you're ready to go.

You don't even need to specify what cloud you use. Cryptomator encrypts files and doesn't care where you store them. This makes it a lightweight application, which we believe is a huge benefit for reliability. Complexity would kill security.

In short, Cryptomator offers security through convenience, a novel idea in itself, and the polar opposite of what usually happens. If you're not excited yet, you're not paying attention.

Transparency is keyer

Besides the already quoted transparency of operation, the even more important transparency aspect of Cryptomator is that you know exactly what it does. The only secrets here are your own (whatever you encrypt).

If you're interested in the technicalities of how Crtyptomator works, a lot of information about its security architecture is available on the website, so you're not left guessing by looking at some obscure source code. After all, good, thorough documentation is as much a part of transparency as being open source. Transparency also leads to real open discussion, so you can evaluate anything based on more than one opinion (or some marketing/PR copy, as it goes with most commercial services). This Reddit thread is a great showcase of true openness at work, while Cryptomator's own security advice is also worth reading and considering.

What Cryptomator is not

Great as the software is, Cryptomator has its limitations, most of which are there by design. To be able to retain compatibility with cloud file storage, certain meta information does not get encrypted, namely:

  • access, modification, and creation timestamp of files and folders,
  • number of files and folders in a vault and in the folders, and
  • size of the stored files.

Cryptomator is perfectly open about this, and they advise the user that the software is not meant ot keep files safe on the local hardware, but specifically meant for cloud storage. The developers also advise that

Cryptomator does not provide protection if programs create backup copies of the encrypted files when working with them. Such files are not detected by Cryptomator and may remain on the computer even after unlocking a vault. Cryptomator cannot provide protection if the local computer is infected with malware which reads entered passwords and file contents (e.g., files in an unlocked vault).


You can download Cryptomator from their website: for free, but don't neglect to offer a donation. Great open source projects like this deserve any contribution they can get, so they can improve and further develop.

If you run Ubuntu 15.04 or later (or any of its derivatives), there is a PPA available, instructions for which can be found on the cryptomator download page.

Yes, it would be easier to just include those instructions here, but then I would rob you of a chance to donate, which would not be very nice of me. No pressure though...

To install on any other Debian based system, navigate to the folder where you've downloaded the deb file, and run (obviously replacing <version> with the actual version number, and <your-architecture> with whatever it says on the tin):

sudo dpkg -i cryptomator-<version>-<your-architecture>.deb

For example at the time of writing, the latest version was 1.3.2. To install it on a 64bit system, the command would look like this:

sudo dpkg -i cryptomator-1.3.2-amd64.deb

If you encounter any dependency errors during the instalaltion just do a

sudo apt -f install

...and you should be set. (You can find packages for many different OSes and package managers, of course, so the actual installation process may vary.)

Setting up a new vault

You can run Cryptomator from the application menu of your WM/DE like you would run any other app. When it first starts, it will look quite empty...

Cryptomator main screen

That is because it is. You'll need to create at least one vault to be able to use it. To do that, press the + button in the lower-left corner and select Create New Vault. (The other option would obviously allow you to import a vault if someone was kind enough to share one with you, along with its password.)

Cryptomator add button

In the popup window that appears, you will not only need to select a location for the vault but also specify a name for it. This latter might not be obvious at first sight, but the Name field at the top of the window will be used to refer your vault by.

Cryptomator new vault popup

The last step is to set a password, with which you can access your vault, and from which the encryption keys can be generated.

Cryptomator new vault set password

And your vault is set.

Using your new vault

What's a shiny new vault good for, if you never use it though, eh? When you've done setting up your vault (or you already have it and you start up Cryptomator), you will need to enter your password to start using it.

When you do, Cryptomator will create a virtual WebDAV drive from which your vaults contents will be accessible, mount it, and immediately open it in your default file manager.

If you press the More options button, you will also be given some additional fields. You can choose not to mount the drive, change its name, or chose not to auto-open it in the file manager. The two more interesting options, namely Save Password and Auto-Unlock on Start do not seem to be available just yet (both are greyed out).

Cryptomator unlock vault

As the vault unlocks, the scenery changes. Not that you would find heaps of gold and precious stones stashed away by the 40 thieves (unless, of course, you intend to store the digital equivalent of that in some weird and twisted way), but that the GUI changes to show an idle graph. Lo and behold! The Vault is now open!

Cryptomator vault unlocked

It will appear in your file manager as a WebDAV network drive, on account of Cryptomator acting as a WebDAV server, and the drive as a virtual network drive on localhost. Cryptomator uses WebDAV because that is the most portable technology, but the drive can be accessed from localhost only, with loopback connections.

It's an interesting idea, and rather neat as well. This way Cryptomator does not have to integrate with all sorts of systems and file managers but implement one protocol (WebDAV). When the file manager that is used to access the "network" drive tries to access files through it, Cryptomator decrypts the files and serves the unencrypted version.

To put files or folders into the vault, just drag and drop them into the WebDAV folder, (or perform the copy/move operation in whatever way you usually would). Cryptomator will encrypt every file individually, and place them into the scattered folder system of the vault. The progress can also be followed in the GUI.

Cryptomator vault encrypting

When tested with a folder containing approx 40000 subfolders and files, totalling approx 2GB, the copy process slowed down to about 8kB/sec, with an estimated time of 80 hours (!) to finish. (Whether it would have eventually worked out better, your not-very-humble author did not have the patience to wait out.)

On a somewhat more reasonable test, meaning ~180MB of approx 1300 folders and files (mostly documents and images, imitating a typical Dropbox scenario), the copy process finished at an average speed of 1.6 MB/sec which is not stellar, but taken into account that 1300 files of varying types and sizes had to be individually encrypted, it's more than reasonable.

Apart from accessing individual files, you can completely remove a file or folder from the vault, by simply moving it to another directory in your file manager. The process will once again be slower than usual because Cryptomator will need to decrypt and reassemble everything first.

Cryptomator vault decrypting

When you're done, you can just press the Lock Vault button at the bottom right, to unmount the WebDAV drive. (The drop-down arrow will also offer some additional options, which are rather self-explanatory, such as reveal the drive (in the file manager), etc.)

To use Cryptomator with a cloud service, just configure your client to point to the WebDAV address as local storage. It's that simple. It will work with every cloud client that accepts a network drive as a local folder, which would be approximately all of them. (If you do find one that does not work, please let me know in the comments below.)

Get Cryptomationg now! It's fun!

Really, if you use any cloud file storage, you should. While not fit for keeping your files safe offline (as there are much better ways to do that, as the developers themselves explain), you would be hard-pressed to find a simpler and more convenient way to keep files you store in the cloud safe and private, while preserving cross-device portability! Remember, the cloud might look safe, but your own security and privacy really depend on you the most. It is time to take responsibility and start securing your stuff properly. With tools like Cryptomator freely available, there are no more excuses not to.

Liked what you've read? Sharing this article on your favourite social medium helps a lot with discoverability. You know, sharing is caring.

Got something to add? Comment is free, so please leave your thoughts below, and don't forget to "like"/recommend it on Disqus.

Want to stay up-to-date? Subscribe to the RSS or Atom feed, so you will always know about new content first-hand.

Similar posts


Tell us what you think

Blog Comments powered by Disqus.