By Martin Stut, 2017-05-07

When you want to store confidential data on less trusted (cloud) storage, you need to encrypt it. Container methods, packing many files into one encrypted container file, like VeraCrypt or ZIP, have disadvantages. Cryptomator is a relatively new, free (pay what you want), open-source program that offers transparent, automatic, file-by-file encryption. Read on for more details.


Most likely, you have been looking into using cloud storage to synchronize, share or backup data. But you did not dare to use cloud storage, because your data is confidential and you don’t want the cloud storage provider to read it.

Using a VeraCrypt container or an encrypted ZIP file would solve the trust issues, but has disadvantages in handling:

The solution is an app that encrypts each file individually, transparent to the user.

Boxcryptor used to be known for this, but around 2012 a cryptographic flaw had been uncovered in the foundation (encFS) of their version 1. There is version 2 now, but it is relatively expensive, especially if you are using it in a business context.

In early 2016, a group of Germans (why so often them?) published Cryptomator, a free, open source app, to provide automatic, transparent, client-side file-by-file encryption of entire directories, including files, subdirectories etc.

Cryptomator is available for Windows, Mac and Linux. Beta versions are available for iOS and Android.

How it works

This is only a quick overview. For details see the project home page and the documentation. Be assured, using Cryptomator is easy. So easy, they won a special prize for Usable Security and Privacy on the CeBIT Innovation Award 2016 (“joint venture” of the German Federal Ministry of Education and Research and the large annual IT exhibition CeBIT Hannover) .

One time setup

At first you download and install the app from Only use this source, as there are malware-ridden fake copies around.

Then you set up a vault (or several vaults). A vault is essentially a directory, usually located inside your cloud app’s synchronization space. Within the app, you select that directory, assign a password and an optional drive letter. If someone (maybe you on a different device) is sharing a vault with you, you can’t create it (the other guy already did that), but instead “open” it, specifying the directory from your point of view.

Example (on Windows): the encrypted data will reside in C:\Users\Yourname\Dropbox\confidential_stuff\ with its decrypted version being visible (and editable) as drive X:

You can share a vault with others by sharing access to the (cloud) storage and telling them the password of the vault. There is only one password per vault. Every user is using this same password for this vault. So if you want to share a different set of files with a different group of people, you need to create/use a different vault with a (most likely) different password.

Daily use

When you want to access a vault’s data, you start the Cryptomator app, select your vault, enter the vault’s password and click on “unlock vault”. Then (obviously only if you got the password right) the decrypted version gets mapped to drive X: (or what ever you chose when setting up this vault on your computer) and a file explorer window opens, showing the vault’s decrypted content.

Then you can use drive X: as you would use a network drive. (Which in fact it is. Cryptomator internally uses WebDAV.)

You can edit, create, delete etc. files and directories to any nesting level. You can e.g. double click a text or graphics file residing within a vault to open it, using your default text or graphics viewer.

Some applications on some platforms don’t like the WebDAV network drive Cryptomator creates for the decrypted side. One example I frequently encounter is TaskCoach, my favorite self-management system. Version 1.4.3 can open a .tsk file on Cryptomator on Windows, but cannot on Linux. But TaskCoach version 1.4.2 on Linux was able to open a Cryptomator (Linux) stored tsk-file, because of different lock file handling that got “fixed” in 1.4.3.

I have not run into size limitations. One vault I’m using daily has more than 900 files in more than 300 folders, including a local Git repository of a small software development project, totaling more than 5 GB, synchronized to a NextCloud server.

Use Cases

Whether Cryptomator can be your tool of choice depends on your use case.

Cryptomator is great when used for the purpose it was intended: using a trusted computer to store files on untrusted (cloud) storage.

But you should not use Cryptomator if


Cryptomator is a great tool for encrypting your files on lesser trusted storage, as long as you don’t mind the locations of encrypted data being well visible. Using Cryptomator is so easy that they won a CeBIT 2016 special prize for Usable Security and Privacy.