From Embedded Lab Vienna for IoT & Security


The open-source tool Cryptomator is an application for client-side encryption. Client-side encryption means encrypting your own data on your own computer before uploading it to a cloud service, so that the data stays protected even if the cloud service itself is compromised or untrustworthy.[1] Because Cryptomator is open source it is free of charge, which lets anyone protect their own data and documents quickly and independently, regardless of budget. [2]


Operating the application is relatively simple. The installer (an .exe file for Windows; builds for other platforms are offered as well) can be downloaded from the Cryptomator website. A page that opens automatically after the download provides an introduction to using the tool. [3]
When the application is opened, a window appears offering to create a new folder of protected data, a so-called "vault". To do this, you select a storage location for the encrypted data, typically a local folder that a cloud client such as Google Drive synchronises, and then set a password for the vault. After the vault has been created and unlocked by entering the password, a virtual drive appears in the file manager for each unlocked vault. The decrypted documents are accessed through this virtual drive, while the cloud service folder only ever contains encrypted data. Any number of vaults can be created.


Cryptomator never stores decrypted data on the hard drive of your own computer; files are decrypted on the fly when they are accessed through the virtual drive. [4] Note that this guarantee covers Cryptomator itself: an application that opens a document from the virtual drive may still write its own temporary copies or caches elsewhere on the system.


Without client-side encryption, data in cloud services is typically only encrypted in transit (for example with TLS) and, at rest, is either stored in plaintext or encrypted with keys that the provider controls. A successful attack on the cloud provider would then allow attackers to read, steal, or manipulate the personal data stored there, and the provider itself can read any data it receives in unencrypted form. Cryptomator therefore improves security against both external attackers and the cloud service provider itself. Encryption uses AES with a 256-bit key. [5]


The tool's documentation describes in detail how file encryption works. Cryptomator is not a complete replacement for other encryption measures: file names and contents are encrypted, but to keep synchronisation with the cloud working, some metadata is left unencrypted. This includes the access, modification, and creation timestamps of files and folders, the number of files and folders in a vault and in its folders, and the size of the stored files. [6]
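The scheme sketched in the paragraphs above (a random per-file content key sealed in a file header under the vault key, file content encrypted in 32 KiB AES-256-GCM chunks that can be decrypted individually, and only ciphertext reaching the cloud) can be illustrated with the following Go program. It is an added example written for this page, not Cryptomator's own code: it follows Cryptomator's published file format only as far as its sizes and chunking go (assumed here to match the current vault format), uses a random 256-bit vault key instead of deriving one from a password as Cryptomator does, and leaves out file name encryption. The function names (`EncryptFile`, `DecryptChunk`, `PlaintextSize`) are the example's own. Besides showing that the cloud copy holds nothing but authenticated ciphertext and that one chunk can be decrypted on demand, `PlaintextSize` demonstrates the metadata caveat: the exact plaintext size is recoverable from the ciphertext length without any key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Sizes follow Cryptomator's published file format (assumed here to match the current vault format).
const (
	chunkPlain  = 32 * 1024                      // plaintext bytes per chunk
	nonceLen    = 12                             // AES-GCM nonce
	tagLen      = 16                             // AES-GCM tag
	chunkCipher = chunkPlain + nonceLen + tagLen // 32796 bytes per chunk on disk
	headerLen   = nonceLen + 8 + 32 + tagLen     // 68: nonce, sealed (8 reserved + 32-byte content key), tag
)

func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// chunkAAD binds a chunk to its index and its file, so chunks cannot be reordered or swapped between files.
func chunkAAD(index int, headerNonce []byte) []byte {
	aad := make([]byte, 8, 8+nonceLen)
	binary.BigEndian.PutUint64(aad, uint64(index))
	return append(aad, headerNonce...)
}

// EncryptFile produces exactly what the cloud provider stores: header || chunks (masterKey is the vault key).
func EncryptFile(masterKey, plaintext []byte) []byte {
	contentKey, headerNonce := randBytes(32), randBytes(nonceLen) // fresh per-file content key
	payload := append(bytes.Repeat([]byte{0xFF}, 8), contentKey...)
	out := mustAEAD(masterKey).Seal(append([]byte{}, headerNonce...), headerNonce, payload, nil)
	aead := mustAEAD(contentKey)
	for i := 0; i*chunkPlain < len(plaintext); i++ {
		end := (i + 1) * chunkPlain
		if end > len(plaintext) {
			end = len(plaintext)
		}
		nonce := randBytes(nonceLen)
		out = aead.Seal(append(out, nonce...), nonce, plaintext[i*chunkPlain:end], chunkAAD(i, headerNonce))
	}
	return out
}

// DecryptChunk decrypts one chunk on demand: a virtual drive serves a 32 KiB read this way without writing the plaintext file to disk.
func DecryptChunk(masterKey, ct []byte, index int) ([]byte, error) {
	if len(ct) < headerLen {
		return nil, fmt.Errorf("truncated header")
	}
	headerNonce := ct[:nonceLen]
	payload, err := mustAEAD(masterKey).Open(nil, headerNonce, ct[nonceLen:headerLen], nil)
	if err != nil {
		return nil, fmt.Errorf("header: %w", err) // wrong key or tampered header
	}
	start := headerLen + index*chunkCipher
	if index < 0 || start+nonceLen+tagLen > len(ct) {
		return nil, fmt.Errorf("chunk %d out of range", index)
	}
	end := start + chunkCipher
	if end > len(ct) {
		end = len(ct) // final, shorter chunk
	}
	c := ct[start:end]
	return mustAEAD(payload[8:]).Open(nil, c[:nonceLen], c[nonceLen:], chunkAAD(index, headerNonce))
}

// PlaintextSize is what an observer without any key still learns from the ciphertext length: the exact plaintext size.
func PlaintextSize(cipherLen int) int {
	body := cipherLen - headerLen
	size := body / chunkCipher * chunkPlain
	if rest := body % chunkCipher; rest > 0 {
		size += rest - nonceLen - tagLen
	}
	return size
}

func main() {
	key := randBytes(32)
	ct := EncryptFile(key, bytes.Repeat([]byte("attack at dawn\n"), 5000)) // constructed 75,000-byte file
	fmt.Printf("cloud stores %d bytes and can infer a %d-byte plaintext\n", len(ct), PlaintextSize(len(ct)))
	tampered := append([]byte{}, ct...) // cloud-side attacker moves chunk 1 into chunk 0's slot
	copy(tampered[headerLen:], ct[headerLen+chunkCipher:headerLen+2*chunkCipher])
	_, err := DecryptChunk(key, tampered, 0)
	fmt.Println("reordered chunk rejected:", err != nil)
}
```

The whole file is simply chunks 0 to n-1 decrypted in order, so a read of a single 32 KiB range touches only its own chunk. A chunk moved to another position by someone with write access to the cloud folder is rejected because the chunk index and the header nonce are bound in as additional authenticated data; a bit flip anywhere fails the GCM tag; and a wrong vault key already fails at the header. None of this hides the file's length, which is why the metadata listed above remains visible to the provider.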


The preferred frontends for mounting a vault are WinFsp on Windows, macFUSE on macOS, and FUSE on Linux. If none of these is available, Cryptomator falls back to WebDAV (an HTTP-based protocol, served by Cryptomator on the local machine), because a WebDAV client is available on practically every operating system. [7]