Locally Encrypt Files for Cloud Storage
Key to the Cloud
Lead Image © Maksim Kabakou, 123RF.com
Cryptomator lets you encrypt your files on your computer before syncing to the cloud, keeping your data private even from your storage provider.
Most cloud providers encrypt data only in transit (i.e., while it's travelling from your computer to their servers). Some offer encryption at rest, while it's stored on their servers, but in most cases, the provider keeps the decryption keys to themselves. This means your files could theoretically be accessed by the cloud provider, a rogue insider, or anyone who manages to compromise the provider's systems.
If this arrangement has deterred you from using online data silos, you can use Cryptomator to encrypt your data before handing it over to the cloud. This crucial step, known as client-side encryption, ensures that only you hold the key to your data, which will remain indecipherable for anyone else, be it the cloud provider or a threat actor.
Because Cryptomator is built on principles of transparency and security, you don't have to trust the application blindly. As an open source app, Cryptomator's code is publicly available for community scrutiny. In fact, Cryptomator has been independently audited to ensure it doesn't contain backdoors.
How Cryptomator Works
At its core, Cryptomator acts as a transparent encryption layer for any folder you choose. You create an encrypted vault in your local filesystem, and Cryptomator mounts it as a virtual drive. Files that you add to this virtual drive are automatically encrypted before they're saved to disk.
Because the vault lives inside a directory that's synced to the cloud (e.g., your Dropbox or Google Drive folder), your encrypted files are automatically uploaded just like any other data. To your cloud provider, these encrypted files look like unintelligible blobs of random data. Only you, with the correct password, can decrypt them.
Cryptomator uses AES encryption with a 256-bit key to protect your data. It also encrypts file names and directory structures to prevent metadata leakage.
The best thing about Cryptomator is that it's cloud-agnostic, which means it works with any service that syncs a local folder, including Dropbox, Google Drive, OneDrive, MEGA, pCloud, Nextcloud, and more.
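One way to check that a synced folder really holds only random-looking data, as an added example (not Cryptomator's code and not part of the original article): the script walks a folder and flags files whose byte entropy is too low to be ciphertext, such as a document saved straight into the sync folder instead of the mounted virtual drive. The threshold, the size cutoff, and the sample file names are assumptions made for illustration; high entropy alone does not prove encryption, because compressed files also score high.

```python
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # read at most this much of each file
MIN_BYTES = 4096           # smaller samples give unreliable entropy estimates
THRESHOLD = 7.5            # bits per byte (assumed cutoff); random data is near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_sync_folder(root: str):
    """Return (suspect, too_small): relative paths of files whose sample
    entropy is below THRESHOLD, and of files too short to judge by entropy."""
    suspect, too_small = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            rel = os.path.relpath(path, root)
            if len(sample) < MIN_BYTES:
                too_small.append(rel)      # review these by hand
            elif shannon_entropy(sample) < THRESHOLD:
                suspect.append(rel)        # probably not encrypted
    return sorted(suspect), sorted(too_small)

def demo():
    """Constructed sample folder: a random blob, a plaintext file, a tiny file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "d"))
        with open(os.path.join(root, "d", "blob.bin"), "wb") as fh:
            fh.write(os.urandom(32 * 1024))               # stands in for ciphertext
        with open(os.path.join(root, "taxes.txt"), "wb") as fh:
            fh.write(b"Income 2024: 54,000 EUR\n" * 400)  # saved to the wrong place
        with open(os.path.join(root, "note.cfg"), "wb") as fh:
            fh.write(b"{}")                               # too small to judge
        return audit_sync_folder(root)

if __name__ == "__main__":
    print(demo())
```

Files reported as too small are not necessarily a problem; they only need a manual look, because a few bytes are not enough for a meaningful entropy estimate.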
Install Cryptomator
Cryptomator is available in the distro-agnostic AppImage format. First, download the AppImage from Cryptomator's website [1]. After downloading, make the AppImage executable with
chmod +x cryptomator-*.AppImage
You can also right-click on the file from the file manager and select the option to edit its properties. Then navigate to the section that lists the file's permissions, and select the option to allow executing the file as a program.
You can then double-click the file to launch the app or use
./cryptomator-*.AppImage
The best thing about the AppImage version of Cryptomator is that it doesn't require root access or installation, because it runs entirely from the file you downloaded.
In addition to an AppImage, you can also install Cryptomator as a Flatpak (if supported by your distro) with
flatpak install flathub org.cryptomator.Cryptomator
Once installed, you can fire it up either from the application launcher or with
flatpak run org.cryptomator.Cryptomator
The Flatpak version's advantage is that it automatically updates when a new version is released, and it also keeps Cryptomator fully sandboxed and isolated from the rest of your system.
Cryptomator is also available via an Ubuntu PPA or the Arch User Repository (AUR).
Using the App
When you first open Cryptomator, you'll be greeted by its minimal interface (Figure 1). Click the + button, which will reveal options to create, open, or recover a vault. For now, select the Create New Vault… option. You'll first be asked to name the vault before you choose a location for it.
By default, Cryptomator will put the vault under your home directory, but you should change it to ensure it resides inside of a folder that already syncs with your cloud storage service (for example, ~/Dropbox/). Cryptomator will create your new sub-folder inside this sync folder, which will house all of the encrypted files, and your cloud sync client will take care of uploading the files.
Next, you will be asked to assign a password to this vault. Cryptomator will use this password to generate your encryption key, so make sure it is long and unique. Also, remember there is no "Forget Password" option, because the app doesn't store or transmit passwords anywhere. This is why, right after setting the password, Cryptomator will give you the option to generate a recovery key. It is highly recommended that you generate and secure this key. If you ever forget your master password, the recovery key will be the only way for you to access your encrypted data.
The recovery key is a bunch of random words that you can copy to a password manager or USB stick, or even print out. You can also store the recovery key in a file inside of a separate encrypted vault, but do not make the mistake of storing it inside the same vault. Once it's been created, your vault will appear in the main window (Figure 2).
You can create as many vaults as desired. For example, you can maintain one for personal files in Dropbox and another for business documents that's synced via Nextcloud. Every vault you create appears along with its name, its mount point, and its current state (locked or unlocked).
