We all keep data in the cloud, so we can access it everywhere. Although Google, Microsoft and Dropbox solemnly promise to do their very best to ensure the security of your files, we constantly read about so-called ‘hacking incidents’. But you can also encrypt your files before you send them to the cloud. Cryptomator offers encrypted cloud storage.
Cryptomator works with cloud services that synchronize data with the cloud. The application uses AES encryption (256 bit) and encrypts not only the files but also the file names and directory structure. On https://cryptomator.org/ you will find the downloads for Windows, macOS, Linux, Android and iOS. The last two are the odd ones out; more on that in a moment.
Because the software works on all platforms, you know that you can decrypt files that you encrypted on Windows, for example, on Android. When you configure the program for the first time, we recommend that you do this with the computer version. The installation is self-explanatory.
Add safe
Unlike VeraCrypt, for example, Cryptomator works not with one vault but with several. Each vault can hold as many files and folders as you want. There is no limit. Click the Add safe button at the bottom left of the start window and then follow the wizard. Give this vault a name.
The tool then asks where to keep the safe. Cryptomator is specifically designed to protect data in the cloud. The intention is therefore that you indicate a cloud service (Google Drive, Dropbox, OneDrive, etc.), but you can also store a safe locally on your computer’s hard drive if you select Other location. Through Other location you can also navigate to the sync folder of another cloud service.
Password
After you’ve marked the location, you’ll need to type in a password. The program tells you whether your password is strong enough on the basis of colored blocks. Encryption makes little sense with a bad password. The chosen password must contain at least eight characters.
Do not forget this password; otherwise you will no longer have access to the files, and there is only one way to reset the password: the recovery key. The option to create a recovery key can be found under the box where you enter the password for the vault. That key is a list of words that you should keep in a safe location, for example in a password manager, on a USB stick or printed on paper.
Open source and security
In the encryption process, security depends solely on the key. The encryption algorithm itself does not have to remain secret; on the contrary. Cryptomator is open source software whose source code can be viewed by the community of programmers and security researchers.
This has the advantage that the source code is continuously adapted to the latest standards, without the security of the encrypted data ever being compromised. Moreover, there is no risk of your files being held hostage. You do have that risk if you use a file format in which a certain company has a monopoly.
A third, not unimportant advantage is that open source software is free. Cryptomator has no help desk and no contact details, but the community, forum and documentation are strong.
Unlock
Create as many safes as needed. If such a vault has not yet been unlocked and you access the content via the web interface, you will find meaningless files there. So never work in the safe’s folder without unlocking it first.
To find the real content, open Cryptomator, select the desired vault and use the Unlock button. In this pop-up window you can select the Save password option, which stores this key in the system’s keychain. Then type the password and you will receive a message that the safe has been unlocked.
This will open a virtual drive on the computer. If you don’t see it right away, use the command Show disc. The drive is given a drive letter in Windows, just like an external hard drive or USB stick, and in macOS you can recognize the virtual drive by the name of the vault.
When you want to upload files in encrypted form, you have to drag the files into the virtual drive of Cryptomator. If you then lock the vault and look in this folder, you won’t find any trace of the files you just added via Cryptomator.
Vault Settings
In Cryptomator it is possible to change some properties of the vault. The safe must be closed for this. In the application’s start window, select the vault and click the button at the bottom right: Vault Settings.
In the tab General you can change the name of the vault and automate two things. You can have the safe lock automatically if you haven’t done anything with it for a certain amount of time (default 30 minutes). And you can have the safe unlock automatically whenever you start Cryptomator. In addition, you can hide the notifications that the safe is locked.
Drive letter
In the tab Connect you can make the contents of the virtual disk always read-only. That way no one can copy, modify or delete the files.
Normally, the system itself assigns a drive letter to the virtual drive, but in this tab you can use the option coupling point to assign a particular drive letter that will always be given to the virtual drive.
You use the third tab to change the password, to record the recovery key or to recover the password with the recovery key.
Share safe
If you’ve given someone else access to the cloud location, you can also share a vault. You must share the vault folder that contains the file masterkey.cryptomator. The person you share the files with must use the command Open existing safe in Cryptomator and enter the same password as you. It is not possible to share only a few files from the same vault.
If you want to revoke the access of others to the safe, it is not enough to change the password. The other person can still get into the vault with the recovery key from an old key. It is better to create a new vault with a password that only you know, and then transfer the contents.
Not open source on mobile
Contrary to what is stated online, the mobile versions are closed source and therefore not free. Only the desktop versions of Cryptomator are open source. For Cryptomator and Cryptomator 2 you pay 11.99 euros in the App Store and in Google Play. You can download the apps for free and then try it for 30 days, complete with all functionality. After that, you can only use the read-only mode without paying.
According to Skymatic, a start-up from Bonn, the encryption technology is open source, but the apps themselves are not. It’s not clear why the company differentiates between the desktop and mobile versions.
Statistics
When a safe is open, the Vault Settings button on the home screen changes into Vault stats. With this button you can follow in real time how much data is read and written.
Although Cryptomator’s emphasis is on online protection, it is a completely local application. The password is never sent over the internet and even if the files are mounted on the virtual drive, Cryptomator never leaves unencrypted files on the hard drive.
The tool can discover vaults stored on other machines. If you move to another computer, you can unlock the encrypted folders with any installation of Cryptomator.
Vault Management
In the Cryptomator home screen, change the order of the different vaults by grabbing them with the mouse pointer and dragging them up or down.
You can of course also delete a safe. To do this, the safe must be locked. In the start screen, right-click on the safe you want to get rid of and choose the command remove. This does not actually delete the folder containing the files. All that happens is that Cryptomator will no longer encrypt this folder. To actually delete the files, use the system’s file manager.
KEK
The password you set produces a KEK (Key Encryption Key): that is a cryptographic key that encrypts other keys. Changing the password changes the KEK, but the keys encrypted with the KEK remain the same.
In concrete terms, this means that your files will not be re-encrypted when you change the password. You also cannot replace a weak password with a stronger one. Cryptomator will refuse this. If you want to protect the files with a new, much stronger password, you’d better create a new vault and drag the data from the old one to the new one.
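The key wrapping described above, and the reason a password change alone does not revoke access to a shared vault, as an added example that is not Cryptomator's own code. It assumes scrypt as the password KDF and uses an HMAC-based wrap as a stand-in for a real key-wrap cipher; all function names, parameters and passphrases are constructed for illustration.

```python
import hashlib, hmac, os

def derive_kek(password: str, salt: bytes) -> bytes:
    # Password -> KEK. scrypt and its cost parameters are choices of this example.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    # 32-byte one-time pad from HMAC: a stand-in for a real key-wrap cipher.
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def wrap(kek: bytes, master_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(master_key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong password or damaged key file")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def create_keyfile(password: str, master_key: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": wrap(derive_kek(password, salt), master_key)}

def open_keyfile(password: str, keyfile: dict) -> bytes:
    return unwrap(derive_kek(password, keyfile["salt"]), keyfile["wrapped"])

def change_password(old: str, new: str, keyfile: dict) -> dict:
    # Only the wrapping changes; the master key, and so every file, stays as it was.
    return create_keyfile(new, open_keyfile(old, keyfile))

def demo() -> dict:
    master_key = os.urandom(32)  # constructed; stands for the key that encrypts the files
    old_file = create_keyfile("old-passphrase", master_key)
    new_file = change_password("old-passphrase", "new-passphrase", old_file)
    try:
        open_keyfile("old-passphrase", new_file)
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {
        "same_master_key": open_keyfile("new-passphrase", new_file) == master_key,
        "old_password_rejected": old_rejected,
        # A copy of the key file kept from before the change still opens the vault.
        "old_copy_still_works": open_keyfile("old-passphrase", old_file) == master_key,
    }
```

Calling demo() returns all three flags as True: the new password unwraps the unchanged master key, the old password fails against the new key file, and an earlier copy of the key file still yields the same master key, which is why a new vault is the dependable way to cut off access.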
AES encryption
256-bit AES is currently the most popular and arguably the most secure encryption method. This encryption was developed by the United States government as a successor to the Data Encryption Standard (56 bit), which has been around for thirty years and could be cracked within 22 hours by brute force in the 1990s.
AES uses symmetric encryption. This means that both the sender and the receiver must have the same keys. If we were to use the 2 billion computers on this planet to brute force crack AES 256 bit, it would take 13,669 trillion trillion trillion trillion years. Or to be more precise: 13,668,946,519,203,305,597,215,004,987,461,470,161,805,533,714,878,481 years.
Biometric Security
If you know how the desktop version works, you can also work with the mobile versions. In iOS, Cryptomator works together with the Files app to access the encrypted data that way.
An advantage of the iOS and Android versions is that the app supports biometric security, so that you can access the vaults not only with your password, but also with your fingerprint or facial recognition.
Request recovery key
Many users start with Cryptomator without recording a recovery key. No problem, you can do this at a later time as long as you know the password.
From the home screen, select a vault that is still locked. Then click on the button Vault settings and use the tab password there. In this pop-up window, click the button Show recovery key. Cryptomator first asks for the password of this vault. After you’ve entered that, you’ll be presented with a 40-word text field. That’s the recovery key. You can copy this text to the clipboard and save it in a secure location and/or print it on paper.
Using recovery key
Have you forgotten the password for a safe? Then go to the Vault Settings and, in the tab password, choose the button Reset password. Then you can paste or type the recovery phrase.
In addition, Cryptomator has a feature to autocomplete the words. Type some letters and select the correct word from the suggestions. You can then use Tab or the right arrow key to autofill the word.
If the program accepts your recovery key, you’ll need to assign a new password to the vault. Cryptomator will not generate a new recovery key; it will remain the same.
Dark mode
In the program’s toolbar, use the gear to open the preferences. There you can display the program’s icon in the system tray or let the application start automatically with the system.
Finally, it is also possible to view the program in dark mode, but only if you have a supporters certificate. Such a certificate is a code that you receive by e-mail if you support the development of the product by depositing at least 15 euros.