
Cryptomator: Encrypt Your Cloud Files Locally

How to use Cryptomator to encrypt files before they reach Google Drive or Dropbox. Setup guide for desktop and mobile with real steps.


Cloud storage is convenient, but uploading unencrypted files to Google Drive or Dropbox means trusting those companies — and any government that can compel them — with your data. Cryptomator solves this by encrypting files on your device before they ever reach the cloud. The provider sees only encrypted blobs; you keep the keys. This guide walks through how Cryptomator works, how to set it up, and how to use it on mobile.

How Cryptomator Works

Cryptomator uses client-side encryption with a concept called a vault. A vault is a special folder that Cryptomator manages. When you drop a file into the vault’s virtual drive, Cryptomator encrypts it on the fly using AES-256 before writing the ciphertext to disk — which is already inside your Dropbox, Google Drive, or any other synced folder. The cloud provider syncs the encrypted files without ever seeing the plaintext.

Key design points:

  • Each file is encrypted individually. Modifying one file doesn’t require re-encrypting the entire vault, making cloud sync efficient.
  • File names and directory structure are also encrypted. Someone with access to your cloud storage cannot see what files you have, not just what they contain.
  • Zero-knowledge. Cryptomator has no servers, no account, no key escrow. The vault password is the only secret.
  • Open source. The code is publicly audited (NCC Group conducted a full audit). The desktop app is free; mobile apps have a one-time purchase.

The vault password is derived into an encryption key using scrypt, a memory-hard KDF. This makes brute-force attacks against the vault password expensive.
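To see what "expensive" means in practice, the following added example (not Cryptomator's own code) times one scrypt derivation against one SHA-256 hash and converts the result into expected brute-force time for passphrases of different strength. The scrypt parameters (N=2^15, r=8, p=1), the sample passphrase, the salt and the 1000-worker figure are assumptions chosen for illustration.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def scrypt_memory_bytes(n, r):
    """Working memory one scrypt evaluation needs: about 128 * N * r bytes."""
    return 128 * n * r

def derive_key(passphrase, salt, n=2**15, r=8, p=1):
    """Derive a 32-byte key from a passphrase (illustrative parameters)."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=2 * scrypt_memory_bytes(n, r) + 2**20,  # OpenSSL's default cap is 32 MiB
        dklen=32,
    )

def seconds_per_guess(fn, rounds=3):
    """Best-of-N wall-clock time for one call of fn."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best

def years_to_exhaust(entropy_bits, secs_per_guess, workers=1):
    """Expected years to hit the passphrase: half the keyspace on average."""
    return (2 ** (entropy_bits - 1)) * secs_per_guess / workers / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = os.urandom(16)                    # constructed sample salt
    phrase = "correct horse battery staple"  # constructed sample passphrase
    slow = seconds_per_guess(lambda: derive_key(phrase, salt))
    fast = seconds_per_guess(lambda: hashlib.sha256(salt + phrase.encode()).digest())
    print(f"scrypt: {slow * 1000:.1f} ms/guess, "
          f"{scrypt_memory_bytes(2**15, 8) >> 20} MiB of RAM per guess")
    print(f"sha256: {fast * 1e6:.1f} us/guess ({slow / fast:,.0f}x cheaper)")
    for bits in (40, 60, 80):
        print(f"{bits}-bit passphrase, 1000 workers: "
              f"{years_to_exhaust(bits, slow, 1000):.3g} years")
```

The KDF multiplies the cost of every guess, but the passphrase's entropy still dominates the result, which is why the setup steps below ask for a long, unique passphrase.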

Setting Up Cryptomator on Desktop

Installation

Download Cryptomator from cryptomator.org for Windows, macOS, or Linux. On Linux, an AppImage and a Flatpak are available:

# Flatpak install
flatpak install flathub org.cryptomator.Cryptomator

On Windows and macOS, run the installer. No additional software is required.

Creating a Vault in Google Drive

  1. Make sure your Google Drive folder is syncing locally (via Google Drive for Desktop or Insync).
  2. Open Cryptomator and click + Add Vault → Create New Vault.
  3. Name your vault (this name will be visible as a folder in Google Drive — choose something neutral like Archive or Documents).
  4. Choose a location: navigate to your local Google Drive sync folder and select it.
  5. Set a strong vault password. This is the only protection for your files — use a passphrase of at least 20 characters or generate one in your password manager. Do not use this password anywhere else.
  6. Optionally, generate a recovery key — a long string that can unlock the vault if you forget the password. Store this in your password manager or a secure offline location.
  7. Click Create Vault.

Cryptomator creates a folder structure inside your Google Drive sync folder. The vault’s internal data lives in a d/ subdirectory; metadata lives in a masterkey.cryptomator file (encrypted with your vault password).

Unlocking and Using the Vault

  1. Select your vault in Cryptomator and click Unlock Vault. Enter your password.
  2. Cryptomator mounts a virtual drive on your system (on Windows it appears as a new drive letter; on macOS/Linux as a mount point).
  3. Open the virtual drive in your file manager. Drop files in, create folders, edit documents — it behaves like a normal disk.
  4. Cryptomator encrypts everything in real time and writes ciphertext to the Google Drive sync folder. Your Google Drive client syncs the encrypted files automatically.
  5. When finished, click Lock Vault in Cryptomator. The virtual drive disappears; only ciphertext remains on disk and in the cloud.
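Only files written through the virtual drive are encrypted; anything saved directly into the sync folder is uploaded as-is. The following added example (not part of Cryptomator) walks a sync folder, treats any directory containing masterkey.cryptomator and a d/ subdirectory as a vault, and lists every file outside a vault. The folder layout in build_sample_tree is constructed sample data, and the vault detection rule is an assumption based on the layout described above.

```python
import os
import tempfile
from pathlib import Path

MASTERKEY = "masterkey.cryptomator"  # vault marker file named in this guide

def find_vault_roots(sync_root):
    """Directories that hold a masterkey file next to a d/ data directory."""
    roots = []
    for dirpath, dirnames, filenames in os.walk(sync_root):
        if MASTERKEY in filenames and "d" in dirnames:
            roots.append(Path(dirpath))
            dirnames[:] = []  # a vault's contents are ciphertext; skip them
    return sorted(roots)

def files_outside_vaults(sync_root):
    """Files the sync client will upload as plaintext (not inside any vault)."""
    sync_root = Path(sync_root)
    vaults = set(find_vault_roots(sync_root))
    exposed = []
    for dirpath, dirnames, filenames in os.walk(sync_root):
        here = Path(dirpath)
        if here in vaults:
            dirnames[:] = []
            continue
        exposed.extend((here / name).relative_to(sync_root) for name in filenames)
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample: one vault named Archive plus two stray plaintext files."""
    (root / "Archive" / "d" / "AB").mkdir(parents=True)
    (root / "Archive" / MASTERKEY).write_text("{}")
    (root / "Archive" / "d" / "AB" / "blob").write_bytes(os.urandom(64))
    (root / "notes").mkdir()
    (root / "notes" / "todo.txt").write_text("renew passport")
    (root / "taxes.pdf").write_bytes(b"%PDF-1.7")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for path in files_outside_vaults(tmp):
            print("NOT ENCRYPTED:", path)
```

Point files_outside_vaults at your real local sync folder to get the list of files your provider can read.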

Creating a Vault in Dropbox

The process is identical. Sync Dropbox locally, create the vault inside your local Dropbox folder, and Cryptomator handles the rest. This also works with OneDrive, iCloud Drive, Nextcloud, Syncthing, or any folder-based sync solution.

Desktop Settings Worth Knowing

Auto-lock: In Cryptomator’s preferences, enable Lock vault when screen is locked or set an idle timeout. This ensures your vault locks when you step away from your computer.

Volume type (macOS/Linux): Cryptomator uses either FUSE (macOS: macFUSE, Linux: libfuse) or WebDAV to mount the virtual drive. FUSE is faster and more compatible. Install macFUSE on macOS for best performance.

Startup: You can configure Cryptomator to start with your system and optionally unlock specific vaults at startup (requires storing the password in the system keychain — acceptable for most threat models, not ideal for high-security use).

Using Cryptomator on Mobile

Android

The Cryptomator app for Android is available on Google Play and F-Droid. It costs a one-time fee (around $10 on Play Store; free on F-Droid if you build it). The app connects directly to cloud providers via their APIs — you don’t need a local sync client on Android.

  1. Open the Cryptomator app and tap + to add a vault.
  2. Choose your cloud provider (Google Drive, Dropbox, OneDrive, WebDAV, local storage).
  3. Authorize Cryptomator to access your cloud account via OAuth.
  4. Navigate to the vault folder and select masterkey.cryptomator.
  5. Enter your vault password.
  6. Your vault contents appear as a browsable file list. Tap any file to open it in a compatible app.

You can also enable biometric unlock (fingerprint/face) to avoid typing the full password on every access while keeping the vault key protected in Android’s hardware keystore.

iOS

The process is the same on iOS. The app is available on the App Store as a one-time purchase. It integrates with the Files app, so unlocked vaults appear as a Files location — you can open and edit documents directly from within other apps.

Threat Model Considerations

Cryptomator protects your files from:

  • The cloud provider reading your data
  • Breaches of the cloud provider’s servers
  • Unauthorized account access (if an attacker gets into your Google account)

Cryptomator does not protect against:

  • Malware on your local machine that reads the mounted virtual drive
  • An attacker who can see your vault password
  • Metadata like file sizes (individual file sizes are visible to the cloud provider, though names are encrypted)

If your threat model is more demanding, pair Cryptomator with a strong, unique vault password and a VPN to hide the fact that you’re syncing to a cloud provider at all.

Cryptomator vs VeraCrypt for Cloud Use

VeraCrypt containers are an alternative — you encrypt a single large file (a container) and mount it. The problem with cloud sync is that any change to files inside the container changes the entire container file, triggering a full re-upload of potentially gigabytes of data. Cryptomator’s per-file encryption is designed specifically for cloud sync scenarios, making it far more practical for this use case.

If your goal is encrypting files before cloud sync, Cryptomator is the right tool. If you want a fully encrypted volume on a local drive or USB, VeraCrypt remains the better choice.

Final Thoughts

Cryptomator is one of the most practical privacy tools available. It integrates cleanly with the cloud services you already use, requires no accounts or subscriptions (desktop is free, mobile is a small one-time cost), and provides strong, audited encryption with a transparent open-source codebase. For anyone who uses Google Drive or Dropbox to store sensitive documents, setting up a Cryptomator vault is one of the highest-value privacy improvements you can make in under ten minutes.
