How to Encrypt Your Data with Cryptomator
If you know how to copy a file from one folder to another, today you’ll learn how to securely encrypt your data.
Introduction
Almost everyone uses cloud storage, and it’s genuinely convenient. But be aware that Google, Dropbox, Microsoft, Yandex and similar providers hold the keys to what you store with them: they can read it, they scan it, and if law enforcement asks for your data, it will be handed over. 🙂
The best option is to keep your data on your own server with Nextcloud or another open-source alternative. But the goal of this article is to show you how to encrypt your data so reliably that no one but you can read it: not Google, not Dropbox, not Yandex, not anyone else.
Installing Cryptomator
Installing Cryptomator is as simple as it gets—just a few clicks. Download Cryptomator for your operating system and install it.
Website: https://cryptomator.org/
About Cryptomator
Cryptomator is free and open-source (GPLv3) software for client-side encryption. In 2017, Cure53 performed a security audit of it, and the issues found were fixed in version 1.1.0.
Key advantages of Cryptomator:
- Uses AES-256 throughout: file contents are encrypted in CTR mode with an HMAC-SHA256 tag over each 32 KiB chunk, and file names with AES-SIV
- The vault password is never used as a key directly: scrypt derives a key-encryption key from it, and that key wraps the master keys, so every offline password guess costs a full memory-hard scrypt run
- Supports creating and managing multiple vaults at once
- Works with cloud storage (as long as the cloud folder is mounted on your computer)
- Mounts vaults via FUSE (macOS and Linux) or Dokany (Windows), with WebDAV available as a fallback on all platforms
- Easy to install and use
With Cryptomator, you can securely protect your data by placing it in encrypted vaults. Only someone with the vault password can access the data.
When you open a vault with Cryptomator, it appears as a virtual drive. You can use it just like a regular USB flash drive.
The encrypted data is stored in a regular folder. If you open the vault folder without Cryptomator, you’ll only see a tree of folders and files with random-looking names. You can recognize a Cryptomator vault by the masterkey.cryptomator file inside the folder (newer vault formats add a vault.cryptomator file next to it).
The program is very easy to use. On first launch, you’ll see an empty list and a prompt to create a new vault:
Creating a Vault
Just four steps:
- Click the “+” button
- Select “Create New Vault”
- Choose a location for the vault, give it a name, and click “Save” (for example, select “Desktop” and name it “TEST”)
- Set a strong password for the vault and click “Create Vault”
Important: If you forget or lose this password, you will permanently lose access to your data! The password cannot be reset or recovered. Current versions can show you a recovery key when the vault is created; write it down and keep it offline, because it is the only fallback.
Congratulations, you’ve created your first vault.
Inside the Vault
If you open the vault folder, you’ll see:
- d — where the encrypted files and directories are stored, under random-looking names
- m — metadata (older vault formats kept the data for shortening long file names here; vault format 7 and later no longer create this directory)
- masterkey.cryptomator — a small JSON file holding the scrypt salt and cost parameters plus the two master keys wrapped (encrypted) with the key derived from your password. It does not contain the decrypted master key, so it’s safe to store it in the cloud with the rest of the vault. It also records vault metadata (such as the vault format version) and is what lets you open the same vault on another device.
- After the first successful unlock, a backup copy of the master key file with a .bkup suffix appears next to it; it is refreshed after each successful unlock.
All of the above are part of the vault. Do not rename, move, or delete anything in this folder. If you need to delete data from the vault, open it through Cryptomator and delete the files there.
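The vault layout and the master key file above can be checked without the password, which is handy when auditing a synced cloud folder: the script below walks a directory tree, reports every vault it finds, confirms that masterkey.cryptomator only holds wrapped keys and sane scrypt parameters, and derives the key-encryption key the way the article describes. This is an added example, not Cryptomator’s own code. It assumes the JSON field names used by vault formats 6 to 8, a backup file named masterkey.cryptomator*.bkup, scrypt with p=1 and a 32-byte output, and the default cost parameters N=32768, r=8 for the constructed sample (check the values in your own vault). Only the Python standard library is needed.

```python
"""Find Cryptomator vaults in a folder tree and sanity-check their master key files.

Added example, not Cryptomator's own code. Assumes the masterkey.cryptomator
JSON field names used by vault formats 6 to 8 (see FIELDS) and backup files
named masterkey.cryptomator*.bkup. Standard library only.
"""
import base64
import hashlib
import json
import os
import tempfile

FIELDS = ("version", "scryptSalt", "scryptCostParam", "scryptBlockSize",
          "primaryMasterKey", "hmacMasterKey", "versionMac")
# RFC 3394 AES key wrap of a 256-bit key: 32 key bytes + 8-byte integrity block.
WRAPPED_KEY_LEN = 40
MIN_SCRYPT_N = 2 ** 14  # anything lower makes offline guessing cheap


def parse_masterkey(path):
    """Read masterkey.cryptomator and report version, KDF parameters and problems.

    No password is needed: the file holds only the scrypt parameters and the two
    master keys in *wrapped* form, never the plaintext keys.
    """
    with open(path, "rb") as fh:
        doc = json.load(fh)
    info = {"path": path, "problems": []}
    missing = [name for name in FIELDS if name not in doc]
    if missing:
        info["problems"].append("missing fields: " + ", ".join(missing))
        return info
    for name in ("primaryMasterKey", "hmacMasterKey"):
        n = len(base64.b64decode(doc[name]))
        if n != WRAPPED_KEY_LEN:
            info["problems"].append(f"{name} is {n} bytes, expected {WRAPPED_KEY_LEN} (wrapped AES-256 key)")
    cost, block = doc["scryptCostParam"], doc["scryptBlockSize"]
    if cost < MIN_SCRYPT_N or cost & (cost - 1):
        info["problems"].append(f"scrypt cost parameter N={cost} is weak or not a power of two")
    info.update(version=doc["version"], scrypt_n=cost, scrypt_r=block,
                salt=base64.b64decode(doc["scryptSalt"]))
    return info


def derive_kek(password, salt, n, r, p=1):
    """scrypt over the vault password, as the article describes (p=1, 32-byte KEK assumed).

    Only this KEK can unwrap the master keys in the file, so every password guess
    costs an attacker one memory-hard scrypt run with the vault's own parameters.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=512 * 1024 * 1024, dklen=32)


def find_vaults(root):
    """Walk a folder tree (e.g. a synced cloud folder) and describe every vault in it."""
    vaults = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "masterkey.cryptomator" not in filenames:
            continue
        info = parse_masterkey(os.path.join(dirpath, "masterkey.cryptomator"))
        info["has_data_dir"] = "d" in dirnames
        if not info["has_data_dir"]:
            info["problems"].append("no 'd' directory: vault data missing or moved")
        info["backups"] = sorted(f for f in filenames
                                 if f.startswith("masterkey.cryptomator") and f.endswith(".bkup"))
        vaults.append(info)
    return vaults


def make_sample_vault(root, n=32768, r=8, wrapped_len=WRAPPED_KEY_LEN):
    """Write a CONSTRUCTED vault skeleton: random placeholders, not a real key file."""
    os.makedirs(os.path.join(root, "d"), exist_ok=True)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    doc = {"version": 7, "scryptSalt": b64(os.urandom(8)), "scryptCostParam": n,
           "scryptBlockSize": r, "primaryMasterKey": b64(os.urandom(wrapped_len)),
           "hmacMasterKey": b64(os.urandom(wrapped_len)), "versionMac": b64(os.urandom(32))}
    with open(os.path.join(root, "masterkey.cryptomator"), "w") as fh:
        json.dump(doc, fh)
    return doc


def inspect_sample(n=32768, wrapped_len=WRAPPED_KEY_LEN):
    """Build a constructed sample vault in a temp dir and return what find_vaults reports."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_vault(os.path.join(tmp, "TEST"), n=n, wrapped_len=wrapped_len)
        return find_vaults(tmp)[0]


if __name__ == "__main__":
    v = inspect_sample()
    print(f"format {v.get('version')}, scrypt N={v.get('scrypt_n')} r={v.get('scrypt_r')}, "
          f"backups={v['backups']}, problems={v['problems'] or 'none'}")
    kek = derive_kek("correct horse battery staple", v["salt"], v["scrypt_n"], v["scrypt_r"])
    print("KEK:", kek.hex()[:16] + "...  (only this can unwrap the master keys)")
```

Run it against the folder your cloud client syncs and you get one line per vault; a vault reported with a missing `d` directory or short wrapped keys has been tampered with or is still syncing, and a low N would mean the key file came from an unusually weak configuration.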
As a test, let’s add an mp3 file to the vault and see how it looks to an outside observer.
To open the vault, select it from the list, enter your password, and click “Unlock Vault.”
Once unlocked, your file manager will open automatically and your vault will be mounted as a drive. Now you can add files, such as an mp3:
Cryptomator encrypts the file in less than a second. When you’re done, click “Lock Vault” to secure it.
Note: Always lock the vault after you finish working with it.
Now your test vault is ready to upload to the cloud. This is what your cloud provider will see: a folder of files with random-looking names whose contents and file types cannot be read (their sizes and modification times are still visible, as discussed below).
Cryptomator Vault vs. VeraCrypt Container
Note: If you’ve been using VeraCrypt for years, that’s a great choice! I use VeraCrypt too. The point here isn’t to say one is better than the other—they’re just different tools.
With VeraCrypt or other container-based encryption software, all files live inside one large container file. That is awkward in the cloud: changing any single file modifies the container, so the sync client has to download and re-upload the whole container (unless the provider supports block-level delta sync), and a container that is mounted while it syncs is easy to corrupt.
A VeraCrypt container also has a fixed size: a 1 GB container can’t simply absorb 500 MB of new data. Unless you use VeraCrypt’s Windows-only Expand Volume tool, you have to create a bigger container and move your data over.
Another limitation: a VeraCrypt container can be mounted on only one machine at a time. Two computers cannot work in the same container simultaneously.
Cryptomator is designed for cloud storage but works locally too. Every file is encrypted separately, so only the files you actually changed are re-uploaded. Cryptomator also detects changes and handles the conflict copies that sync clients create, which makes it practical and safe to use from several devices, including mobile ones. The vault simply grows as you add files.
However, because each file is encrypted individually, Cryptomator cannot hide everything: the number of files, their modification dates, their sizes (the ciphertext is the plaintext plus a fixed per-file and per-chunk overhead) and roughly how long their names are all remain visible to whoever holds the ciphertext.
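How much the size leaks is worth seeing in numbers. The following added example (not Cryptomator code) uses the constants of Cryptomator’s published file format, an 88-byte header followed by 32 KiB plaintext chunks that each carry a 16-byte nonce and a 32-byte MAC, and shows that an observer who sees only the ciphertext length can recover the exact plaintext length. Verify the constants against the vault format documentation for your version before relying on them.

```python
"""What the ciphertext length of a Cryptomator file tells an observer.

Added example, not Cryptomator code. Constants are those of the published
vault file format (assumed here: 88-byte header; 32 KiB plaintext chunks, each
with a 16-byte nonce and a 32-byte MAC).
"""
import math

HEADER = 88                 # 16 nonce + 40 encrypted payload + 32 MAC
CHUNK_PLAIN = 32 * 1024     # plaintext bytes per chunk
CHUNK_OVERHEAD = 16 + 32    # per-chunk nonce + MAC
CHUNK_CIPHER = CHUNK_PLAIN + CHUNK_OVERHEAD


def ciphertext_size(plain_len):
    """Size of the encrypted file written for plain_len bytes of content."""
    chunks = math.ceil(plain_len / CHUNK_PLAIN)   # an empty file is header only
    return HEADER + plain_len + chunks * CHUNK_OVERHEAD


def plaintext_size(cipher_len):
    """Invert ciphertext_size: exact plaintext length from the ciphertext length alone.

    Returns None when no valid file can have this length (which itself tells an
    observer the object is not a Cryptomator file, or is truncated).
    """
    if cipher_len < HEADER:
        return None
    body = cipher_len - HEADER
    full, rest = divmod(body, CHUNK_CIPHER)
    if rest == 0:
        return full * CHUNK_PLAIN
    if rest <= CHUNK_OVERHEAD:
        return None  # a trailing chunk must carry at least one plaintext byte
    return full * CHUNK_PLAIN + (rest - CHUNK_OVERHEAD)


def leaked_metadata(cipher_len):
    """Summarise what a provider learns from one encrypted file's size."""
    plain = plaintext_size(cipher_len)
    if plain is None:
        return {"valid": False}
    return {"valid": True, "plaintext_bytes": plain,
            "chunks": math.ceil(plain / CHUNK_PLAIN),
            "overhead_bytes": cipher_len - plain}


if __name__ == "__main__":
    # Constructed sizes: a 3.2 MB mp3 and a 1-byte note.
    for n in (3_200_000, 1, 0):
        c = ciphertext_size(n)
        print(f"plaintext {n:>9} -> ciphertext {c:>9} -> observer infers {leaked_metadata(c)}")
```

The point is not that the overhead is large (48 bytes per 32 KiB) but that it is deterministic: the provider can match a 3.2 MB ciphertext to a 3.2 MB album track, a 4,096-byte file to a typical SSH key bundle, and so on. If that matters to you, pad files yourself before they enter the vault, or keep size-sensitive data in a container format that hides it.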
Which Is Better? Cryptomator vs. VeraCrypt
There are many debates online about this. Personally, I think it depends on your needs—they’re different tools for different tasks.
Some technical differences:
- VeraCrypt lets you choose ciphers and key lengths, which is useful for advanced users.
- Cryptomator uses a pre-selected set of ciphers and configurations that are known to work well together, making it simpler and safer for most users. If AES is ever broken, Cryptomator users will have to wait for a new release to switch algorithms, unlike VeraCrypt, where you can just pick a new one.
- VeraCrypt creates a single container, so an observer can’t tell how many files are inside or how big each one is. You can also give the container an .mp3/.mp4/.dat/.dll extension to make it less conspicuous, but the contents remain indistinguishable from random data, and a file whose extension promises a format with a characteristic header yet has none is itself suspicious.
- Cryptomator encrypts each file separately, which makes syncing only the changed files easy, but the vault’s total size, the number of files and their individual sizes are visible to outsiders.
- VeraCrypt can encrypt entire USB drives or system disks (Cryptomator can’t). It also supports hidden volumes: one password opens the outer volume, a different password opens a hidden one nested inside it, which helps if you are ever forced to reveal a password.
- Cryptomator is more convenient for syncing encrypted files to a server or cloud, and works just as well offline.
Potential Risks with Google Drive, OneDrive, Dropbox, Yandex Disk, etc.
Is there a backdoor in Cryptomator for law enforcement? No; the risk is more mundane. When you use Google Drive, OneDrive, Yandex Disk or similar services, your account can be blocked at any time, possibly simply because the provider dislikes storing data it cannot inspect.
Dropbox in particular has had several notable incidents over the years (see the news reports from 2014, 2016 and 2017).
Conclusion
Thank you for reading. Share this article and follow my channel: @DrHerbertWest
If the channel gains an audience, I’ll publish more articles about open-source tools.