Cryptomator — Open Source Client-Side Cloud Encryption

Introduction

Cryptomator provides transparent client-side encryption for files stored in cloud services like Dropbox, Google Drive, and OneDrive. It creates encrypted vaults that appear as virtual drives on your system, so every file written to the vault is encrypted with AES-256 before syncing to the cloud. The cloud provider never sees plaintext data.

What Cryptomator Does

• Creates encrypted vaults inside any cloud-synced folder with zero-knowledge encryption
• Mounts vaults as virtual drives via FUSE (Linux/macOS) or WinFsp (Windows) for transparent access
• Encrypts each file individually so cloud sync only transfers changed files, not entire archives
• Obscures file names and directory structures to prevent metadata leakage
• Works offline with no account or server required

Architecture Overview

Cryptomator uses a vault format where each file is encrypted with AES-256-GCM and stored as a separate ciphertext file. File names are encrypted with AES-SIV and encoded as Base64. A master key derived from the user's password via scrypt protects the vault. The virtual filesystem layer uses FUSE on Linux and macOS or WinFsp/Dokany on Windows to intercept file operations and decrypt on the fly. The vault directory structure is flattened to prevent directory-tree correlation attacks.

Self-Hosting & Configuration

• Download from cryptomator.org or install via system package managers
• Create a vault by choosing a folder inside your cloud sync directory and setting a password
• Mount the vault to access decrypted files through a virtual drive letter or mount point
• Optionally store a recovery key in a secure location in case the password is lost
• Mobile apps for iOS and Android integrate with cloud provider apps

Key Features

• Zero-knowledge encryption: data is encrypted before it reaches the cloud
• Per-file encryption allows efficient cloud sync of changed files only
• Filename and directory structure obfuscation for metadata privacy
• No account, server, or subscription required for desktop use
• Audited open source code with a published security architecture

Comparison with Similar Tools

• VeraCrypt — full-disk or container-based encryption; Cryptomator is file-based for cloud sync
• Boxcryptor — proprietary cloud encryption with similar goals; Cryptomator is fully open source
• rclone crypt — CLI-based remote encryption; Cryptomator has a GUI and virtual drive
• age — file encryption CLI tool; Cryptomator provides transparent filesystem-level encryption
• LUKS — Linux disk encryption; not designed for cloud-synced folders

FAQ

Q: Does Cryptomator slow down file access? A: Encryption and decryption add minimal overhead. Modern CPUs with AES-NI hardware acceleration make the performance impact negligible for typical file sizes.

Q: Can multiple people share an encrypted vault? A: Yes, if the vault folder is shared via a cloud service. All users need the same password. There is no built-in multi-user key management.

Q: What happens if I forget my password? A: Without the password or recovery key, the vault contents are unrecoverable. Store the recovery key in a secure, separate location.

Q: Is Cryptomator free? A: The desktop app is free and open source. The mobile apps on iOS and Android are paid to fund development.

Sources

• https://github.com/cryptomator/cryptomator
• https://docs.cryptomator.org/