Encrypt cloud data easily and securely with Cryptomator
Bottle It
Cloud storage services help with data synchronization across multiple computers, but they do not usually let you encrypt the data with a key that only you hold. Cryptomator adds client-side encryption on top of the storage provider of your choice.
The IT world is subject to fashions, trends, and tendencies, such as the current hype surrounding blockchain technology. For example, by changing its name to Long Blockchain Corp., the US beverage manufacturer Long Island Iced Tea Corp. briefly increased its share price 289% [1].
One of the biggest trends in recent years is cloud storage. Remote storage that was once regarded with suspicion suddenly became "the cloud" overnight. Everything has to be stored in the ominous cloud: applications, services, data. Cloud storage is practical for the user at first glance. You don't have to worry about the hardware, the provider takes care of security and backups, and you have immediate access from any device.
At second glance, however, many cloud users have concerns: Who can access the uploaded data? What data does the provider evaluate for advertising purposes? Do security agencies have access? In the end, anyone who hands personal data to a third party must expect that third party, or others, to gain insight into their digital life.
The problem could be solved if cloud storage services would let users protect the uploaded data with a personal key. However, very few storage providers offer this function. The list does not include the most popular services, such as Google Drive or Dropbox. As a user, you have to take care of your own privacy.
Conventional encryption techniques fit the cloud storage workflow poorly and require extra steps. A LUKS container, for example, is one large file: the sync client sees a single blob that changes whenever anything inside it changes, and opening it on an Android smartphone involves a great deal of effort. Users who do not want to worry about such details can turn to Cryptomator [2].
Cryptomator calls itself "free client-side encryption for your cloud files." The open source program encrypts each file with a 256-bit AES key and authenticates it with a separate 256-bit MAC key. Both master keys are stored in the vault, wrapped under a key that Cryptomator derives from your password with scrypt. (Scrypt is a deliberately slow, memory-hungry key derivation function: it combines the password with a random salt, so precomputed dictionary tables are useless and every password guess costs the attacker both time and RAM.) A deliberately simple interface makes it easy to create and integrate the encrypted containers that Cryptomator refers to as "vaults."
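The following Python example, added here and not taken from the Cryptomator code base, shows the key hierarchy the previous paragraph describes: a random encryption key and a random MAC key are wrapped under a key-encryption key (KEK) that scrypt derives from the password and a random salt, and unlocking consists of re-deriving the KEK and checking a MAC before any key is trusted. The field names are modelled on masterkey.cryptomator; the XOR-with-HMAC-stream wrap is a stand-in for the AES key wrap the real format uses, the keyCheck field stands in for the format's version MAC, and the scrypt cost parameters are this example's own choice (all assumptions). The dictionary_attack function shows why the salt and the cost parameter matter: an attacker holding only the master key file has to spend one scrypt computation per guess.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# scrypt cost parameters chosen for this example; Cryptomator's own defaults may differ (assumption).
SCRYPT_N = 2 ** 14   # CPU/memory cost: 128 * r * N bytes of RAM per derivation (16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32         # 256-bit keys


def derive_kek(password: str, salt: bytes, n: int = SCRYPT_N) -> bytes:
    """Key-encryption key from password + random salt; the salt defeats precomputed tables."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def xor_wrap(kek: bytes, key: bytes, label: bytes) -> bytes:
    """Stand-in for the format's AES key wrap (assumption): XOR with an HMAC-derived stream.
    XOR is its own inverse, so the same call unwraps."""
    stream = hmac.new(kek, b"wrap:" + label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


def key_check(mac_key: bytes) -> bytes:
    """Lets unlock() detect a wrong password without revealing the key (stand-in for the version MAC)."""
    return hmac.new(mac_key, b"key-check", hashlib.sha256).digest()


def create_masterkey(password: str) -> Tuple[dict, bytes, bytes]:
    """Generate fresh master keys and the JSON-serializable master key record that protects them."""
    enc_key = secrets.token_bytes(KEY_LEN)
    mac_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    b64 = lambda b: base64.b64encode(b).decode()
    record = {
        "scryptSalt": b64(salt),
        "scryptCostParam": SCRYPT_N,
        "scryptBlockSize": SCRYPT_R,
        "primaryMasterKey": b64(xor_wrap(kek, enc_key, b"enc")),
        "hmacMasterKey": b64(xor_wrap(kek, mac_key, b"mac")),
        "keyCheck": b64(key_check(mac_key)),
    }
    return record, enc_key, mac_key


def unlock(record: dict, password: str) -> Tuple[bytes, bytes]:
    """Re-derive the KEK from the stored salt/parameters, unwrap, and verify before returning keys."""
    b64d = base64.b64decode
    kek = hashlib.scrypt(password.encode("utf-8"), salt=b64d(record["scryptSalt"]),
                         n=record["scryptCostParam"], r=record["scryptBlockSize"],
                         p=SCRYPT_P, dklen=KEY_LEN)
    enc_key = xor_wrap(kek, b64d(record["primaryMasterKey"]), b"enc")
    mac_key = xor_wrap(kek, b64d(record["hmacMasterKey"]), b"mac")
    # Constant-time comparison: a wrong password yields garbage keys, which this check rejects.
    if not hmac.compare_digest(key_check(mac_key), b64d(record["keyCheck"])):
        raise ValueError("wrong password")
    return enc_key, mac_key


def is_valid_password(record: dict, password: str) -> bool:
    try:
        unlock(record, password)
        return True
    except ValueError:
        return False


def dictionary_attack(record: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """What someone holding only the master key file can do: one full scrypt per guess.
    Returns (matching password or None, number of scrypt computations spent)."""
    tried = 0
    for pw in candidates:
        tried += 1
        if is_valid_password(record, pw):
            return pw, tried
    return None, tried


if __name__ == "__main__":
    rec, _, _ = create_masterkey("correct horse battery staple")
    print(dictionary_attack(rec, ["123456", "password", "correct horse battery staple"]))
```

Raising the cost parameter is the only knob on the vault side: the salt stops an attacker from reusing work across vaults, but a short password still falls to a small wordlist, just more slowly.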
Installation
In addition to the Cryptomator encryption tool, you need a cloud storage client and an account with the service. Which provider you choose is up to you; in theory, storage that you integrate into the system via SSHFS or WebDAV is also suitable. It makes sense to install and set up the sync client before Cryptomator, because you will later create the vault inside the folder it synchronizes.
You can download the current stable version of Cryptomator from the project homepage (see also the "Cryptomator Beta" box). The developers make a request for a donation before the download, but you can dismiss the request with a click. The program is available as a DEB package for 32- or 64-bit Debian/Ubuntu systems, or there are RPM packages for openSUSE and Fedora. In addition, the project maintains a PPA package source for Ubuntu users, which you can use to install the program and keep it up to date automatically (Listing 1). On the Arch system used for this test, the program is located in the Arch User Repository.
Cryptomator Beta
You can pick up the current beta version of Cryptomator from the project's GitHub repository [7]. The easiest way to set it up is to use the program's AppImage: All you have to do is download the AppImage file and make it executable. Then start the beta by double-clicking in the file manager. Since the AppImage comes with all necessary dependencies, you do not need to install a Java engine or other libraries.
Listing 1
Installing on Ubuntu
During the install, the package manager automatically adds a Java runtime environment to the system. Because the application is written in Java, porting it to other operating systems is easy for the developers, and Cryptomator is therefore also available for Mac OS X and Microsoft Windows.
Creating a Vault
The Cryptomator application window is limited to a few widgets at first start. As your first step, create a vault by clicking on the plus icon bottom left and selecting the Create vault option (Figure 1). In the following dialog, you name the new vault and define a location for it. This should be inside the path synchronized by the sync client, for example ~/Dropbox/ for Dropbox. Cryptomator automatically creates a subdirectory with the name of the vault.
Then select the vault in the list and assign a password. A meter running from very weak to very strong indicates whether the password you chose is a good choice. Click on Create vault to complete the configuration of the vault. To work with the vault, you now need to integrate it into the system. Select the vault entry from the list and enter the previously assigned password (Figure 2).
Pressing the More options button gives you the possibility to change the name of the virtual drive. Two buttons, Save password and Auto-Unlock on Start (Experimental), are grayed out on Linux: Although they are among the new features introduced in Cryptomator 1.3, they have not yet been implemented under Linux (not even in the first beta of Cryptomator 1.4) [3].
Also via FUSE
After you unlock the vault with the Unlock vault button, the file manager opens and shows the vault's contents in decrypted form. Cryptomator 1.3 exclusively uses the WebDAV protocol to talk to the service running in the background, which does the actual encryption and decryption. The URL in the file manager therefore follows the pattern dav://localhost:42427/ID/Name. Nautilus shows you the address when you press Ctrl+L to display the address bar (Figure 3).
Cryptomator 1.4 sees the developers taking a new path with support for Filesystem in Userspace (FUSE). (FUSE is a kernel interface plus a userspace library that lets a filesystem be implemented as an ordinary user-mode process, so a user without root privileges can mount it.) Instead of a network protocol, the opened vault is integrated directly into the directory tree. Use the gear icon to switch drive integration from WebDAV to FUSE in the application settings. Cryptomator then mounts the opened vault in ~/.Cryptomator/Name, or, if so desired, you can choose another directory.
In the vault's "raw data," you only see the application's master key file (and a backup of it) and the directories m/ and d/. Cryptomator uses the first directory for metadata and the second for the actual data. The encryption scheme stores each directory's contents under a hashed directory ID and encrypts the file names, so the raw data reveals neither the original directory structure nor the unencrypted file names. It does not hide the number of files or their sizes, which the cloud provider can still read off the encrypted files. For the cloud storage sync client, it makes no difference whether it synchronizes plain text or encrypted data.
You can still see the vault via the provider's web front end, but you can neither unlock it there nor read the stored data (Figure 4). Anyone with access to the account can still delete or overwrite the encrypted files, however, so keep a backup of the vault, and in particular of its master key file, outside the cloud. You do not have to do without the encrypted data on the road: The Cryptomator project has apps for Android and Apple devices on Google Play [4] and iTunes [5]. In contrast to the desktop programs for Linux, Mac OS X, and Windows, the apps cost EUR4.99, and the source code is not open [6].