Locally Encrypt Files for Cloud Storage

Working with an Encrypted Folder

Before you can access the vault and place files inside it, you'll have to unlock it using your password. Once unlocked, Cryptomator mounts your vault as a virtual drive (Figure 3).

Figure 3: Note that the unlocked vaults are not mounted in the same location as the encrypted vault.

This virtual drive can appear as a WebDAV or Filesystem in Userspace (FUSE) volume, depending on your system configuration. Generally speaking, the vaults will be mounted as FUSE volumes on all Linux distros. You can change this in Cryptomator's Preferences, which I'll discuss later.

In the interface, click the Reveal Drive button to open the decrypted, mounted vault in your file manager. Anything you copy here is encrypted automatically when written back to disk.

Underneath the Reveal Drive button, you'll find the actual path of the mounted volume (e.g., ~/.local/share/Cryptomator/mnt/Eyes_Only).

As you can see, this is different from the original location where you created the encrypted vault that was inside your cloud sync folder (e.g., ~/Dropbox/Eyes_Only). While you can peek inside the cloud sync folder, remember to never alter or paste any files within this directory. Instead always interact via the mounted folder.

This unlocked virtual drive behaves just like any other storage device. You can drag and drop, edit, and delete files inside this drive. Every time you store something on this virtual drive, Cryptomator encrypts the data automatically.

When you're done, hit the Lock button to close the vault and unmount the virtual drive to ensure that none of its contents remain accessible in decrypted form.

As an added bonus, the encryption process doesn't just encrypt the file contents, but also the file names and the entire file structure. If you were to look directly at the folder in your cloud drive's web interface, you would see nothing but indecipherable files with no discernible file names or file types.

To access the contents later, simply head back to Cryptomator and unlock the vault again.

Vault Preferences

For convenience, you can configure Cryptomator to lock all open vaults automatically on exit by tweaking the app's preferences. Click the small gear icon at the bottom to open the multitabbed Settings panel.

From under the General tab, you can toggle the option to automatically lock all open vaults when you quit Cryptomator. While Cryptomator reminds you that there are open vaults when you exit the app, it's a good idea to have the vaults lock up automatically when you close the app.

Head to the Virtual Drive tab to change the default volume type. As I mentioned earlier, the drives will most likely be mounted as FUSE volumes by default on Linux. But if you know what you're doing, you can use the pull-down menu in this tab to switch to another volume type.

Besides these global preferences, you can also define per-vault preferences. Right-click on the vault (when it's locked), and click on Show Vault Options. This too is a multitabbed window, with the most useful options under the General tab (Figure 4). One interesting option here is the ability to autolock a vault after it's been idle for a certain length of time. Just toggle the option and specify the idle time in minutes.

Figure 4: It's a good idea to use the Health Check feature frequently to ensure that the vault structure is intact.

Also useful is the ability to automatically unlock and mount the vault every time you launch Cryptomator. These two options provide both security and convenience, especially when handling multiple volumes.

Besides these two options you can also change the name of the vault from here. To change the vault's password or reset it with the help of the recovery key, switch to the Password tab.

Share an Encrypted Vault

In case you need to share your encrypted vault, you do it just as you would share any other folder inside your cloud storage service. This means the sharing happens outside of Cryptomator, and the exact steps depend on your cloud sharing service. Of course, in addition to the encrypted folder, you'll also need to share the password for the vault.

Once shared, the vault will appear inside the cloud sharing service's folder for the person you've shared it with. If it doesn't show up, the issue lies with the cloud storage service and not with Cryptomator.

Once the shared folder appears in the recipient's filesystem, he or she will need to use Cryptomator to decrypt it. After installing and launching Cryptomator (which also works on Windows, macOS, Android, and iOS), the recipient will need to click the + icon and select the Open Existing Vault… option.

Then, the recipient will need to navigate to the shared vault inside the cloud sharing service's synced folder and select any file with the .cryptomator extension, such as masterkey.cryptomator or vault.cryptomator.

Cryptomator will then mount the shared vault. To view and interact with its contents, the recipient will need to unlock the vault using the vault's password, the same as you. Once mounted, the recipient can read and modify the contents of the vault, depending on the permissions you've defined while sharing the vault.

Buy this article as PDF

Download Article PDF now with Express Checkout
Price $2.95
(incl. VAT)

Buy Linux Magazine

Related content

  • Cryptomator

    Cloud storage services help with data synchronization across multiple computers, but they do not usually provide encryption. Cryptomator adds encryption to the cloud storage environment.

  • Cryptomator

    Make files fit for the cloud with Cryptomator by encrypting content and obscuring the name and size of each file.

  • Cryptomator

    Cloud services often place little value on data encryption. With Cryptomator, you can easily and transparently encrypt your data locally before uploading to the cloud.

  • Cloud Encryption Tools

    Synchronizing your data in the cloud is practical, but it's risky if you don't encrypt your data. Desktop encryption utilities offer various levels of security and ease.

  • FOSSPicks

    This month Graham looks at osci-render, Spacedrive, internetarchive, LibrePCB 1.0.0, and more!

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News