Locally Encrypt Files for Cloud Storage
Key to the Cloud
© Lead Image © Maksim Kabakou, 123RF.com
Cryptomator lets you encrypt your files on your computer before syncing to the cloud, keeping your data private even from your storage provider.
Most cloud providers encrypt data only in transit (i.e., while it's travelling from your computer to their servers). Some offer encryption at rest, while it's stored on their servers, but in most cases, the provider keeps the decryption keys to themselves. This means your files could theoretically be accessed by the cloud provider, a rogue insider, or anyone who manages to compromise the provider's systems.
If this arrangement has deterred you from using online data silos, you can use Cryptomator to encrypt your data before handing it over to the cloud. This crucial step, known as client-side encryption, ensures that only you hold the key to your data, which will remain indecipherable for anyone else, be it the cloud provider or a threat actor.
Because Cryptomator is built on principles of transparency and security, you don't have to trust the application blindly. As an open source app, Cryptomator's code is publicly available for community scrutiny. In fact, Cryptomator has been independently audited to ensure it doesn't contain backdoors.
How Cryptomator Works
At its core, Cryptomator acts as a transparent encryption layer for any folder you choose. You create an encrypted vault in your local filesystem, and Cryptomator mounts it as a virtual drive. Files that you add to this virtual drive are automatically encrypted before they're saved to disk.
Because the vault lives inside a directory that's synced to the cloud (e.g., your Dropbox or Google Drive folder), your encrypted files are automatically uploaded just like any other data. To your cloud provider, these encrypted files look like unintelligible blobs of random data. Only you, with the correct password, can decrypt them.
Cryptomator uses AES encryption along with a 256-bit key length to protect your data. It also encrypts file names and directory structures to prevent metadata leakage.
The best thing about Cryptomator is that it's cloud-agnostic, which means it works with any service that syncs a local folder, including Dropbox, Google Drive, OneDrive, MEGA, pCloud, Nextcloud, and more.
Install Cryptomator
Cryptomator is available in the distro-agnostic AppImage format. First, download the AppImage from Cryptomator's website [1]. After downloading, make the AppImage an executable with
chmod +x cryptomator-*.AppImage
You can also right-click on the file from the file manager and select the option to edit its properties. Then navigate to the section that lists the file's permissions, and select the option to allow executing the file as a program.
You can then double-click the file to launch the app or use
./cryptomator-*.AppImage
The best thing about the AppImage version of Cryptomator is that it doesn't require root access or installation, because it runs entirely from the file you downloaded.
In addition to an AppImage, you can also install Cryptomator as a Flatpak (if supported by your distro) with
flatpak install flathub org.cryptomator.Cryptomator
Once installed, you can fire it up either from the application launcher or with
flatpak run org.cryptomator.Cryptomator
The Flatpak version's advantage is that it automatically updates when a new version is released, and it also keeps Cryptomator fully sandboxed and isolated from the rest of your system.
Cryptomater is also available via an Ubuntu PPA or the Arch User Repository (AUR).
Using the App
When you first open Cryptomator, you'll be greeted by its minimal interface (Figure 1). Click the + button, which will reveal options to create, open, or recover a vault. For now, select the Create New Vault… option. You'll first be asked to name the vault before you choose a location for it.
By default, Cryptomator will put the vault under your home directory, but you should change it to ensure it resides inside of a folder that already syncs with your cloud storage service (for example, ~/Dropbox/). Cryptomator will create your new sub-folder inside this sync folder, which will house all of the encrypted files, and your cloud sync client will take care of uploading the files.
Next, you will be asked to assign a password to this vault. Cryptomator will use this password to generate your encryption key, so make sure it is long and unique. Also, remember there is no "Forget Password" option, because the app doesn't store or transmit passwords anywhere. This is why, right after setting the password, Cryptomator will give you the option to generate a recovery key. It is highly recommended that you generate and secure this key. If you ever forget your master password, the recovery key will be the only way for you to access your encrypted data.
The recovery key is a bunch of random words that you can copy to a password manager or USB stick, or even print out. You can also store the recovery key in a file inside of a separate encrypted vault, but do not make the mistake of storing it inside the same vault. Once it's been created, your vault will appear in the main window (Figure 2).
You can create as many vaults as desired. For example, you can maintain one for personal files in Dropbox and another for business documents that's synced via Nextcloud. Every vault you create appears along with its name, its mount point, and its current state (locked or unlocked).
Buy this article as PDF
(incl. VAT)