Cryptomator protects in the cloud

Simple but Safe

Lead Image © Kirill Makarov

Article from Issue 193/2016

Make files fit for the cloud with Cryptomator by encrypting content and obscuring the name and size of each file.

Saving files in the cloud is convenient and cost efficient. However, many service providers do not place enough emphasis on data security, allowing content to fall into the hands of unauthorized third parties. Yet, with Linux and the program Cryptomator [1], you can slam the door on snooping.

How It Works

Most cryptographic programs require deep knowledge of encrypting methods and often a great deal of effort when integrating. Cryptomator, on the other hand, is aimed at users looking for a simple and practical approach. The software works transparently in the background, and the dialogs are simple.

The program encrypts data with a 256-bit AES key and a message authentication code (MAC) master key. Both keys are generated with scrypt, a key derivation method that combines the password with a random value (a salt) and is deliberately expensive to compute, which makes dictionary and brute-force attacks on the password difficult. The application comes with a graphical interface, from which you manage the encrypted data that you keep in vaults. From the outset, the software is reminiscent of the command-line program Tomb [2].

Technically speaking, the program functions as a local server: it encrypts and processes the data on a virtual drive. It only accepts connections from the local system, via the loop-back device, a file that provides a virtual block device that does not correspond to any hardware on the system and lets you handle a set of files as a drive. The cryptographic processing of the individual files is not limited to the content but also covers the meta-information and the file name itself. Additionally, the software changes the size of the file, making it difficult to draw conclusions about the content.
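To make the two preceding paragraphs concrete, here is an added Python sketch (not Cryptomator's own code, and not its on-disk format) of the principles they describe: scrypt turns a password plus a random salt into two separate 256-bit keys, one for encryption and one for the MAC; a keyed hash stands in for the file-name obfuscation; and a padding function shows how a size can be rounded up so that it no longer reveals the content length. The scrypt cost parameters, the 4096-byte size bucket, and the verifier label are assumptions for the illustration; the AES content-encryption step itself is omitted because Python's standard library has no AES.

```python
import hashlib
import hmac
import os
from typing import Tuple

# scrypt cost parameters (assumed for this illustration; the article does
# not state the parameters Cryptomator itself uses)
SCRYPT_N = 2 ** 14   # CPU/memory cost: each doubling doubles the work per guess
SCRYPT_R = 8         # block size factor; memory use is roughly 128 * r * N bytes
SCRYPT_P = 1         # parallelism
KEY_LEN = 32         # 256-bit keys, matching the AES key size the article states


def new_salt() -> bytes:
    """A fresh random salt, stored next to the vault; it is not a secret."""
    return os.urandom(16)


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 256-bit encryption key and a 256-bit MAC key from one password.

    The salt makes the same password yield unrelated keys on different vaults,
    so a precomputed dictionary does not transfer between vaults, and the scrypt
    cost makes every password guess expensive for an attacker who holds the
    encrypted files.
    """
    material = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def obfuscate_name(mac_key: bytes, name: str) -> str:
    """Keyed hash of a file name: stable within one vault, meaningless without the key.

    This is an illustration of the idea, not Cryptomator's actual name scheme.
    """
    return hmac.new(mac_key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def padded_size(length: int, bucket: int = 4096) -> int:
    """Round a plaintext length up to the next bucket so the stored size hides it."""
    blocks = max(1, (length + bucket - 1) // bucket)
    return blocks * bucket


def make_verifier(mac_key: bytes) -> bytes:
    """A stored value that lets the password be checked without decrypting any file."""
    return hmac.new(mac_key, b"vault-verifier", hashlib.sha256).digest()


def password_matches(password: str, salt: bytes, verifier: bytes) -> bool:
    """Re-derive the MAC key and compare in constant time to avoid timing leaks."""
    _, mac_key = derive_keys(password, salt)
    return hmac.compare_digest(make_verifier(mac_key), verifier)


if __name__ == "__main__":
    salt = new_salt()
    enc_key, mac_key = derive_keys("correct horse battery staple", salt)
    print("salt:", salt.hex())
    print("obfuscated name:", obfuscate_name(mac_key, "taxes-2016.pdf"))
    print("stored size for 5000 bytes:", padded_size(5000))
    verifier = make_verifier(mac_key)
    print("right password:", password_matches("correct horse battery staple", salt, verifier))
    print("wrong password:", password_matches("guess", salt, verifier))
```

The point to notice is that the salt and the verifier can sit in the cloud next to the encrypted files: neither reveals the password or the keys, and the scrypt cost is paid once by the legitimate user at unlock time but once per guess by anyone attacking the vault offline.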

Cryptomator then drops the processed files into the desired vault, which corresponds to the directory that synchronizes with the cloud service. The respective service's client then synchronizes the encrypted data, without any keys having to be transferred to the server. To use multiple services simultaneously, you need an independent vault for each cloud service, which you create in the respective sync directory.

If you want to share data with others, they must have access to the relevant vault and know the password, which you must send to them securely, such as by encrypted email. On the other hand, it is not possible to share a single file from a vault with someone: anyone with access to the container can see everything. If you want to control access in great detail, the only method at your disposal is to create a separate vault for each participant and work with copies of the files.

Unlike container-based programs, Cryptomator only re-encrypts files that you have changed and currently have open. As a result, only the modified files need to be synchronized. The software works quite quickly, which can pay off in hard cash, particularly in cases of data transfer over mobile devices by UMTS, HSPA, or LTE.

The Java-based software is available for different distributions on the project's website, where you can get an RPM package and 32- and 64-bit DEB packages. Although the RPM package is listed explicitly for Red Hat-based systems, in our test it also ran on other distros that use RPM package management.

Repositories also exist for Ubuntu, and packages for Arch Linux are in the Arch User Repository (AUR), a collection of build scripts that integrate additional software into an Arch installation. A portable version is available for all other systems. In all versions from 1.8 onward, Cryptomator is based on and requires a compatible version of the Java Runtime Environment.

During installation, the program ends up in the /opt/Cryptomator/app/ directory; in the Tools submenu, you will find a Cryptomator entry.

Clients exist not only for Linux, but also for Mac OS X and iOS. According to the website, an Android app is in the works, and the developers are planning a beta version for fall of this year. If you want to share your data across platform boundaries, you either need the right system or a measure of patience.

Getting Started

After the program first starts, a window opens; alongside a gear icon for adjusting the WebDAV settings, the only option it offers is a plus icon for adding a new vault (Figure 1).

Figure 1: Cryptomator's user interface barely gives you the chance to do anything wrong.

Clicking on the plus button and then Create new vault in the context menu that pops up opens a file manager, where you create the directory for the encrypted files in the system's cloud folder.

In the next dialog, you set a password for the vault and confirm it by entering it a second time. The program indicates the strength of the selected string with a dashed bar colored red or green, depending on how strong the password is (Figure 2). Now your vault is ready for use.

Figure 2: The software indicates whether your password is easy to break.

If you click the small triangle at the bottom right of the program window, next to the Lock vault button, and select the Reveal drive option, you can drag and drop the files you want to encrypt into the newly opened file manager window. After storing the files, a graph in the right pane of the program window shows the current throughput in megabytes per second during encryption (Figure 3).

Figure 3: The software displays the throughput it achieves when encrypting the data.

The program stores the encrypted files in the destination folder, at which point the cloud service's original client software typically begins synchronization. Afterward, you can view the number of files saved and the disk space occupied in a conventional file manager like Dolphin (in the Properties dialog for the relevant folder), but not the individual files.

In the cloud service's web interface, you will see the individual files, but with obfuscated, meaningless file names (Figure 4). You can then download the encrypted files individually from the web interface, although the system identifies them only as binary files, which prevents conclusions from being drawn about file types, file names, or file sizes.

Figure 4: As you can see from the directory of encrypted files, the contents, real names, and actual sizes of these files cannot be identified.
