Encrypt cloud data easily and securely with Cryptomator

Bottle It

Article from Issue 215/2018

Cloud storage services help with data synchronization across multiple computers, but they do not usually provide encryption. Cryptomator adds encryption to the cloud storage environment.

The IT world is subject to fashions, trends, and tendencies, such as the current hype surrounding blockchain technology. For example, by changing its name to Long Blockchain Corp., the US beverage manufacturer Long Island Iced Tea Corp. briefly increased its share price 289% [1].

One of the biggest trends in recent years is cloud storage. What used to be a pig in a poke suddenly became "the cloud" overnight. Everything has to be stored in the ominous cloud: applications, services, data. Cloud storage is practical for the user at first glance. You don't have to worry about the hardware, the provider takes care of security and backups, and you have immediate access from any device.

At second glance, however, many cloud users have concerns: Who can access the uploaded data? What data does the provider evaluate for advertising purposes? Do security agencies have access? In the end, anyone giving away personal data must always expect third parties to gain insight into their own digital life.

The problem could be solved if cloud storage services would let users protect the uploaded data with a personal key. However, very few storage providers offer this function. The list does not include the most popular services, such as Google Drive or Dropbox. As a user, you have to take care of your own privacy.

Applying conventional encryption techniques to the cloud storage process is typically inefficient and requires extra steps. For example, opening containers encrypted with the LUKS Linux standard on an Android smartphone involves a great deal of effort. Users who do not want to worry about such details can turn to Cryptomator [2].

Cryptomator calls itself "free client-side encryption for your cloud files." The open source program encrypts data with a 256-bit AES key and authenticates it with a separate MAC master key. When deriving the keys from the password, Cryptomator uses scrypt, which makes brute-force attacks more difficult. (Scrypt is a key derivation function that combines the password with a random salt value, reducing the chance of a successful dictionary attack.) A deliberately simple interface makes it easy to create and integrate the encrypted containers that Cryptomator refers to as "vaults."
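As an added illustration of the key derivation described above (example code written for this article, not Cryptomator's own implementation): a password and a random salt go through scrypt to produce a 256-bit key-encryption key, and the vault can later check a password without ever storing that key on disk. The cost parameters, the HMAC-based verifier and the record layout are assumptions chosen for the demonstration.

```python
# Added example (not Cryptomator's own code): password-based key derivation
# with scrypt. Cost parameters, the "vault record" layout and the HMAC-based
# verifier are assumptions made for this demo.
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters: N (CPU/memory cost), r (block size), p (parallelism).
# Kept small so the demo runs quickly; real deployments use higher values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256 bits, the AES key size mentioned in the text
MAXMEM = 64 * 1024 * 1024  # upper bound OpenSSL may use for one derivation


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """RAM one scrypt evaluation needs (128 * r * N bytes). This memory
    hardness is what makes bulk dictionary attacks on GPUs expensive."""
    return 128 * r * n


def derive_kek(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key-encryption key from a password and a random salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=MAXMEM, dklen=KEY_LEN)


def new_vault_record(password: str) -> dict:
    """What a vault would persist: salt, cost parameters and a verifier
    (HMAC over a fixed label under the derived key). The key itself is
    never written out; it is re-derived from the password on every unlock."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    verifier = hmac.new(kek, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "verifier": verifier}


def unlock(record: dict, password: str) -> Optional[bytes]:
    """Re-derive the key from the stored salt and parameters; return it only
    if the verifier matches (constant-time compare), otherwise None."""
    kek = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                         n=record["n"], r=record["r"], p=record["p"],
                         maxmem=MAXMEM, dklen=KEY_LEN)
    expected = hmac.new(kek, b"vault-verifier", "sha256").digest()
    return kek if hmac.compare_digest(expected, record["verifier"]) else None
```

Because the salt is random per vault, two vaults protected by the same password end up with different keys, so a precomputed dictionary of scrypt outputs is useless against them.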


In addition to the Cryptomator encryption tool, you need a cloud storage client and an account with the service. Which provider you choose is up to you – in theory, services that you integrate into the system via SSH or WebDAV are also suitable. It makes sense to install and set up these services before Cryptomator, because you will later be creating a vault inside the synchronized cloud storage folder.

You can download the currently supported version of Cryptomator from the project homepage (see also the "Cryptomator Beta" box). The developers make a request for a donation before the download, but you can dismiss the request with a click. The program is available as a DEB package for 32- or 64-bit Debian/Ubuntu systems, or there are RPM packages for openSUSE and Fedora. In addition, the project maintains a PPA package source for Ubuntu users, which you can use to automatically install the program and keep it up to date (Listing 1). On the Arch system used for this test, the program is located in the Arch User Repository.

Cryptomator Beta

You can pick up the current beta version of Cryptomator from the project's GitHub repository [7]. The easiest way to set it up is to use the program's AppImage: All you have to do is download the AppImage file and make it executable. Then start the beta by double-clicking in the file manager. Since the AppImage comes with all necessary dependencies, you do not need to install a Java engine or other libraries.

Listing 1: Installing on Ubuntu


During the install, the package manager automatically adds a Java runtime environment to the system. The Java basis of the application makes it easier for the developers to port the software to other operating systems, which is why Cryptomator is also available for Mac OS X and Microsoft Windows.

Creating a Vault

The Cryptomator application window is limited to a few widgets at first start. As your first step, create a vault by clicking on the plus icon at bottom left and selecting the Create vault option (Figure 1). In the following dialog, you name the new vault and define a location for it. This location should be inside the path synchronized by the sync client, for example ~/Dropbox/ for Dropbox. Cryptomator automatically creates a subdirectory with the name of the vault.

Figure 1: The Cryptomator interface contains just a few elements. Use the plus icon to create new vaults or integrate existing crypto containers.

Then select the vault in the list and assign a password. A scale from very weak to very strong indicates the strength of the password you chose. Click on Create vault to complete the configuration of the vault. To work with the vault, you now need to integrate it into the system. Select the vault entry from the list on the left and enter the previously assigned password (Figure 2).

Figure 2: Entering the previously assigned password.

Pressing the More options button gives you the option to change the name of the virtual drive. Two buttons, Save password and Auto-Unlock on Start (Experimental), are grayed out under Linux: Although they are among the new features introduced in Cryptomator 1.3, they have not yet been implemented under Linux (not even in the first beta of Cryptomator 1.4) [3].

Also via FUSE

After unlocking the vault using the Unlock vault button, the file manager opens and shows the data stored in the encrypted container. Cryptomator 1.3 uses the WebDAV protocol exclusively to communicate with the background service that handles the encryption. The URL in the file manager therefore follows the pattern dav://localhost:42427/ID/Name. Nautilus shows you the address when you press Ctrl+L to display the address bar (Figure 3).

Figure 3: After unlocking the vault, you do not need to change your habits: The encrypted data is shown on the system like any normal directory.

Cryptomator 1.4 sees the developers taking a new path with support for Filesystem in Userspace (FUSE). (FUSE is a kernel interface that lets filesystem drivers run as ordinary user-space processes, which allows users without admin rights to mount filesystems.) Instead of going through a network protocol, the opened vault is integrated directly into the filesystem tree. Use the gear icon to switch drive integration from WebDAV to FUSE in the application settings. Cryptomator then mounts the opened vault in ~/.Cryptomator/Name, or, if so desired, you can choose another directory.

In the vault's "raw data," you see only the vault's master key file (and a backup of it) and the directories m/ and d/. Cryptomator uses the first directory to save metadata and the second for the actual data. Cryptomator splits the vault across many encrypted files: This approach prevents an observer from drawing conclusions about the original directory structure, the unencrypted file names, and the original file sizes. For the cloud storage sync client, however, it makes no difference whether it synchronizes plaintext or encrypted data.

You can still see the vault via the provider's web front end, but you cannot unlock it there or view or change the stored data (Figure 4). However, you do not have to do without access to the encrypted data on the road. The Cryptomator project has apps for Android and Apple devices on Google Play [4] and iTunes [5]. In contrast to the desktop programs for Linux, Mac OS X, and Windows, the apps cost EUR4.99, and their source code is not open [6].

Figure 4: The cloud storage provider – and thus also the web front end of the service (here Dropbox) – cannot do anything with the encrypted data.
