Locally Encrypt Files for Cloud Storage

Key to the Cloud

© Lead Image © Maksim Kabakou, 123RF.com

Article from Issue 304/2026
Author(s):

Cryptomator lets you encrypt your files on your computer before syncing to the cloud, keeping your data private even from your storage provider.

Most cloud providers encrypt data only in transit (i.e., while it's travelling from your computer to their servers). Some offer encryption at rest, while it's stored on their servers, but in most cases, the provider keeps the decryption keys to themselves. This means your files could theoretically be accessed by the cloud provider, a rogue insider, or anyone who manages to compromise the provider's systems.

If this arrangement has deterred you from using online data silos, you can use Cryptomator to encrypt your data before handing it over to the cloud. This crucial step, known as client-side encryption, ensures that only you hold the key to your data, which will remain indecipherable for anyone else, be it the cloud provider or a threat actor.

Because Cryptomator is built on principles of transparency and security, you don't have to trust the application blindly. As an open source app, Cryptomator's code is publicly available for community scrutiny. In fact, Cryptomator has been independently audited to ensure it doesn't contain backdoors.

How Cryptomator Works

At its core, Cryptomator acts as a transparent encryption layer for any folder you choose. You create an encrypted vault in your local filesystem, and Cryptomator mounts it as a virtual drive. Files that you add to this virtual drive are automatically encrypted before they're saved to disk.

Because the vault lives inside a directory that's synced to the cloud (e.g., your Dropbox or Google Drive folder), your encrypted files are automatically uploaded just like any other data. To your cloud provider, these encrypted files look like unintelligible blobs of random data. Only you, with the correct password, can decrypt them.

Cryptomator uses AES encryption with a 256-bit key to protect your data. It also encrypts file names and directory structures to prevent metadata leakage.

The best thing about Cryptomator is that it's cloud-agnostic, which means it works with any service that syncs a local folder, including Dropbox, Google Drive, OneDrive, MEGA, pCloud, Nextcloud, and more.

Install Cryptomator

Cryptomator is available in the distro-agnostic AppImage format. First, download the AppImage from Cryptomator's website [1]. After downloading, make the AppImage executable with

chmod +x cryptomator-*.AppImage

You can also right-click on the file from the file manager and select the option to edit its properties. Then navigate to the section that lists the file's permissions, and select the option to allow executing the file as a program.

You can then double-click the file to launch the app or use

./cryptomator-*.AppImage

The best thing about the AppImage version of Cryptomator is that it doesn't require root access or installation, because it runs entirely from the file you downloaded.
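
Because the AppImage runs straight from the downloaded file, it is worth checking that file before setting the execute bit. The following is an added example, not part of the original article or of the Cryptomator project: the function names are hypothetical, and it assumes you have obtained a SHA-256 digest for the release from a source you trust.

```bash
#!/usr/bin/env bash
# Added example: only set the execute bit after a SHA-256 match.
# The expected digest is something you supply from a source you trust.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1"
    else
        shasum -a 256 -- "$1"
    fi | cut -d' ' -f1
}

# verify_and_enable FILE EXPECTED_SHA256
# 0 = verified and made executable, 1 = digest mismatch, 2 = bad input.
verify_and_enable() {
    local file="$1" expected="$2" actual
    # Insist on exactly one regular file: a glob like cryptomator-*.AppImage
    # can expand to several downloads, and a symlink could point anywhere.
    if [ "$#" -ne 2 ] || [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "refusing: need one regular file and one digest" >&2
        return 2
    fi
    # A SHA-256 digest is exactly 64 hex characters.
    case "$expected" in
        *[!0-9A-Fa-f]*) echo "refusing: malformed digest" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "refusing: malformed digest" >&2
        return 2
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $file: got $actual" >&2
        return 1   # the execute bit is not touched on a mismatch
    fi
    chmod u+x -- "$file"   # owner only, instead of +x for everyone
    echo "verified: $file"
}

# Command-line use: script.sh FILE EXPECTED_SHA256
if [ "$#" -gt 0 ]; then
    verify_and_enable "$@"
fi
```

Passing the full file name rather than the wildcard matters here: if several versions sit in the download folder, the glob expands to all of them and the function refuses to continue.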

In addition to an AppImage, you can also install Cryptomator as a Flatpak (if supported by your distro) with

flatpak install flathub org.cryptomator.Cryptomator

Once installed, you can fire it up either from the application launcher or with

flatpak run org.cryptomator.Cryptomator

The Flatpak version's advantage is that it automatically updates when a new version is released, and it also keeps Cryptomator fully sandboxed and isolated from the rest of your system.

Cryptomator is also available via an Ubuntu PPA or the Arch User Repository (AUR).

Using the App

When you first open Cryptomator, you'll be greeted by its minimal interface (Figure 1). Click the + button, which will reveal options to create, open, or recover a vault. For now, select the Create New Vault… option. You'll first be asked to name the vault before you choose a location for it.

Figure 1: Cryptomator's clean main interface when first launched.

By default, Cryptomator will put the vault under your home directory, but you should change it to ensure it resides inside of a folder that already syncs with your cloud storage service (for example, ~/Dropbox/). Cryptomator will create your new sub-folder inside this sync folder, which will house all of the encrypted files, and your cloud sync client will take care of uploading the files.

Next, you will be asked to assign a password to this vault. Cryptomator will use this password to generate your encryption key, so make sure it is long and unique. Also, remember there is no "Forget Password" option, because the app doesn't store or transmit passwords anywhere. This is why, right after setting the password, Cryptomator will give you the option to generate a recovery key. It is highly recommended that you generate and secure this key. If you ever forget your master password, the recovery key will be the only way for you to access your encrypted data.

The recovery key is a bunch of random words that you can copy to a password manager or USB stick, or even print out. You can also store the recovery key in a file inside of a separate encrypted vault, but do not make the mistake of storing it inside the same vault. Once it's been created, your vault will appear in the main window (Figure 2).

Figure 2: When added, all new vaults are locked. You'll have to unlock the vault to be able to interact with the files inside.

You can create as many vaults as desired. For example, you can maintain one for personal files in Dropbox and another for business documents that's synced via Nextcloud. Every vault you create appears along with its name, its mount point, and its current state (locked or unlocked).
