Cryptomator protects in the cloud
Simple but Safe
Make files fit for the cloud with Cryptomator by encrypting content and obscuring the name and size of each file.
Saving files in the cloud is convenient and cost efficient. However, many service providers do not place enough emphasis on data security, allowing content to fall into the hands of unauthorized third parties. Yet, with Linux and the program Cryptomator [1], you can slam the door on snooping.
How It Works
Most cryptographic programs require deep knowledge of encryption methods and often a great deal of effort to integrate. Cryptomator, on the other hand, is aimed at users looking for a simple and practical approach. The software works transparently in the background, and the dialogs are simple.
The program encrypts data with a 256-bit AES key and a message authentication code (MAC) master key. Both keys are generated with scrypt, a key derivation method that combines a random value with a password, which makes dictionary and brute force attacks more difficult. The application comes with a graphical interface, from which you manage the encrypted data that you keep in vaults. From the outset, the software is reminiscent of the command-line program Tomb [2].
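The salted scrypt derivation described above, as an added Python sketch that is not Cryptomator's own code or vault format. The cost parameters, the split of the output into two 256-bit keys, and the `vault-check` verifier are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost settings for this sketch; the article does not state them.
N, R, P = 2**14, 8, 1

def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch password + random salt into a 256-bit cipher key and a MAC key."""
    material = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=N, r=R, p=P, maxmem=64 * 1024 * 1024, dklen=64)
    return material[:32], material[32:]

def make_verifier(password: str, salt: bytes) -> bytes:
    """Tag stored beside the salt so a later password entry can be checked."""
    _, mac_key = derive_keys(password, salt)
    return hmac.new(mac_key, b"vault-check", hashlib.sha256).digest()

def check_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(candidate, salt), verifier)

def seconds_per_guess(salt: bytes) -> float:
    """Every dictionary word costs one full scrypt run; measure that cost."""
    start = time.perf_counter()
    derive_keys("guess", salt)
    return time.perf_counter() - start

if __name__ == "__main__":
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # constructed sample salts
    verifier = make_verifier("correct horse battery", salt_a)
    print("right password accepted:",
          check_password("correct horse battery", salt_a, verifier))
    print("wrong password accepted:",
          check_password("correct horse", salt_a, verifier))
    # Same password, different salt: unrelated keys, so precomputed tables fail.
    print("keys differ across salts:",
          derive_keys("correct horse battery", salt_a)
          != derive_keys("correct horse battery", salt_b))
    cost = seconds_per_guess(salt_a)
    print(f"one guess: {cost:.3f} s, "
          f"a 10-million-word list: {cost * 1e7 / 86400:.1f} days")
```

Raising `N` increases the time and memory each guess costs, while a legitimate unlock pays that price only once.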
Technically speaking, the program functions as a server while encrypting and processing the available data locally on a virtual drive. The program only allows connections on the local system via the loop-back device, a file that provides a virtual block device that does not correspond to any hardware on the system and allows you to combine files as a drive. The cryptographic processing of the individual files is not limited to the content but includes any meta-information and the file's name itself. Additionally, the software changes the size of the file, making it difficult to draw conclusions about the content.
Cryptomator then drops the processed files into the desired vault, which corresponds to the directory that synchronizes with the cloud service. The client for each respective service can then synchronize the encrypted data without any need to transfer keys to the server. To use multiple services simultaneously, you will need an independent vault for each cloud service, which you create in the respective sync directory.
If you want to share data with others, they must have access to the relevant vault and know the password, and the password must be passed on securely, such as by encrypted email. On the other hand, it is not possible to share a single file from a vault with someone. Anyone who has access to the container can see everything. If you want to control access in great detail, the only method at your disposal is to create a separate vault for each participant and work with copies of the files.
Unlike container-based programs, Cryptomator only encrypts files that you have changed and currently have loaded. As a result, only the modified files need to be synchronized. The software works quite quickly, which can pay off in hard cash, particularly in cases of data transfer over mobile devices by UMTS, HSPA, or LTE.
Installation
The Java-based software is available for different distributions on the project's website, where you can get an RPM package and 32- and 64-bit DEB packages. Despite being listed explicitly for Red Hat-based systems, in the test, the packages were also able to run on other distros that use the RPM package management.
Repositories also exist for Ubuntu, and packages for Arch Linux are in the Arch user repository (AUR), which has a collection of scripts that integrate additional software into an Arch installation. A portable version is available for all other systems. In all versions from 1.8 onward, Cryptomator is based on and requires a compatible version of the Java Runtime Environment.
During installation, the program ends up in the /opt/Cryptomator/app/ directory; in the Tools submenu, you will find a Cryptomator entry.
Clients exist not only for Linux, but for Mac OS X and iOS. An Android app is in the works according to the website, and the developers are planning a beta version for fall of this year. If you want to share your data outside the boundaries of the platform, you either need the right system or a measure of patience.
Getting Started
After the program first starts, a window opens; alongside a gear icon for adjusting the WebDAV settings, the only option it offers is a plus button for adding a new vault (Figure 1).
Clicking on the plus button and then Create new vault in the context menu that pops up opens a file manager, where you create the directory for the encrypted files in the system's cloud folder.
In the next dialog, you set a password for the vault and verify by entering it a second time. The program shows the security of the selected string with a dashed bar colored red or green, depending on the strength of the password (Figure 2). Now your vault is fully ready.
If you click the small triangle next to the Lock vault button at the bottom right of the program window and select the Reveal drive option, you can drag and drop the files you want to encrypt into the newly opened file manager window. After storing the files, a graph in the right pane of the program window shows the current throughput in megabytes per second during encryption (Figure 3).
The program stores the encrypted files in the destination folder, at which point the cloud service's original client software typically begins synchronization. Afterward, you can view the number of files saved and the disk space occupied in a conventional file manager like Dolphin (in the Properties dialog for the relevant folder), but not the individual files.
In the cloud service's web interface, you will recognize the individual files, but with obfuscated file names of no significance (Figure 4). You can then download the encrypted files individually from the web interface, although the system identifies them as binary files, which prevents conclusions from being drawn about file types, file names, or file size.
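To check that the sync folder really holds only obfuscated, binary-looking files before the cloud client uploads it, the following added Python example (not part of Cryptomator) walks the folder and flags known plaintext names, recognizable file signatures, and low-entropy content. The signature list, the thresholds, the `ignore` parameter, and the sample files are constructed for illustration.

```python
import math
import os
import tempfile

# Constructed short list of file signatures that give away a plaintext type.
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png",
         b"PK\x03\x04": "zip/office", b"\xff\xd8\xff": "jpeg"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def audit(sync_dir, plaintext_names, ignore=(), min_entropy=7.0, sample=4096):
    """Return sorted (relative path, reason) pairs for files that look unencrypted."""
    known = {n.lower() for n in plaintext_names}
    findings = []
    for root, _dirs, files in os.walk(sync_dir):
        for name in files:
            if name in ignore:  # e.g. small key/config files the vault keeps
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, sync_dir)
            with open(path, "rb") as fh:
                head = fh.read(sample)
            if name.lower() in known:
                findings.append((rel, "plaintext file name"))
            kind = next((k for m, k in MAGIC.items() if head.startswith(m)), None)
            if kind:
                findings.append((rel, f"{kind} signature"))
            elif len(head) >= 1024 and entropy(head) < min_entropy:
                findings.append((rel, "low-entropy content"))
    return sorted(findings)

def demo():
    """Build a constructed sync folder: one ciphertext-like file, two leaks."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"QX7RLD2MZPA3": os.urandom(4096),           # looks encrypted
                   "invoice.pdf": b"%PDF-1.4\n" + b"0" * 2000,  # copied in by mistake
                   "notes.txt": b"meeting notes, nothing secret\n" * 100}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit(d, plaintext_names=["invoice.pdf"])

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

High entropy alone does not prove encryption, because compressed files also score near 8 bits per byte; the signature check is what catches those.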