DEV Community

Cover image for Storing confidential data in the cloud securely with Cryptomator
Ivan Dlugos
Ivan Dlugos

Posted on • Originally published at Medium on

Storing confidential data in the cloud securely with Cryptomator

TL;DR: If you have some data you need to store safely in your cloud folder (OneDrive, Google Drive, Dropbox, etc.) jump directly to the Cryptomator setup.

I’ve been slacking off on backups of my personal things for quite a while, despite being a software engineer who knows the importance of backups and a working restore process and have been doing it on work-related stuff (sources, databases, etc.). I’ve had some backups on CDs & DVDs like ten years ago, then moved the “important” stuff to the cloud (Dropbox at first, then OneDrive, Google Drive), but it’s been inconsistent and disorganized. Still, lot’s of stuff have only been transferred from an old hard drive to a new one when changing PCs, without any backup at all.

Lately, I’ve finally decided to clean things up, removing all the unnecessary mess and archiving the rest in a cloud storage. However, I’ve ended up with a few documents & contracts that necessitated keeping, but I’ve not been content having them just sit there in a cloud folder, however trustworthy and secure the provider seems to be. I’m not so afraid of them getting attacked but of someone getting hold of my account through more usual means, such as social engineering, for example. What I’m looking for is a way to password-protect my data whenever I don’t need to access it.

End-to-end encryption (E2EE)

In plain English, this means that all your data is encrypted with some kind of password/key before it departs from your device (be it desktop, laptop, smartphone), is transferred and stored encrypted and then is only decrypted after you download it back to your device with the same password/key. Therefore, only a person who has the password/key can read that data, even if they get access to the encrypted version in the cloud. Of course this doesn’t protect you from someone who has access to your device but that is a different topic altogether.

See wiki on E2EE or google it for a more complete and correct explanation. I have considered a few options how to store my confidential files in the cloud:

VeraCrypt

Based on the TrueCrypt, VeraCrypt allows you to create an encrypted container/partition which you can then connect as a local drive and store data in it as if it was just another disk. While this is great and quite fast locally, the problem is that the container is a single file (e. g. 1 GB) and any change in it causes a full synchronization event — obviously very inefficient to upload the whole container each time you update a single file inside it.

E2EE cloud storage provider

There are providers that seem to address my concern by providing E2EE as a part of their storage offering, e. g. Tresorit or MEGA. However, I don’t really need so much storage to justify paying for it, if there are other, cheaper (free) options which I can use with my existing cloud providers.

Boxcryptor

Boxcryptor seemed interesting, doing the encryption on your device and storing the individual encrypted files inside the local synced folder of a cloud storage you are already using (Dropbox, OneDrive, etc.). However, I’ve been put off by a few things:

  • During installation, you need to accept a Data privacy license/contract in German. I’m not saying I fully read all those licenses we accept during software installation, but I’d at least like to be able to do so, without speaking German or depending on machine translation. I know not everyone knows English either but then they are not reading this article :)
  • Despite having a free tier, you need to register and login. I’m not sure why that would be necessary and honestly, I’m not willing to try and find out.

Cryptomator

Similar to Boxcryptor, Cryptomator stores your encrypted files in your local cloud folder (or any folder for that matter, you can use floppy disks if you still fancy those) in a so-called Vault. It ticks the boxes for what I’ve been looking for:

  • the files are stored separately, so there’s only need to synchronize the changed/added/removed files, not the whole vault,
  • client-side: no accounts, no data shared with any online service,
  • AES encryption with 256-bit key length,
  • file names get encrypted & folder structure gets obfuscated,
  • unlimited number of vaults, each with an individual password,
  • the vault’s size is flexible (unlike with VeraCrypt which can grow but doesn’t shrink back), limited only by the size of the underlying storage, with only a negligible overhead.

To be completely frank, there is one problem I’ve encountered and depending on the way you work it might affect you considerably. Working with the drive it attaches is not really transparent for some programs — they seem to have a problem opening the file directly from the drive. As an example, I can open a PDF file in Acrobat Reader but not in Edge. Or a video won’t play in the PotPlayer. I don’t see a clear pattern but I think it’s related to how that program implements file operations. I’d just have to file an issue on the project’s GitHub but for the time being and for my use-cases, I’m OK with this limitation.

Setting up Cryptomator

The setup is quite simple but the UX of the app is not that good at the moment, especially for the first time user, so here you go:

  1. Download from the cryptomator.org and install
  2. Launch the app and you are “greeted” with the following window:

  1. Click on the plus button and select “Create new vault”

  2. Browse to the folder where you want to create your vault (e. g. OneDrive folder) and write a name of the vault (e. g. _Confidential) — _it will be the name of a folder Cryptomator creates for you in the current directory.

  1. After hitting save, you are prompted to create a password for the vault. This should be quite strong (long and complex) because if someone gets hold of your encrypted data, they have a lot of time to try to brute-force decrypt it (using dictionary attacks and other techniques). There are guides on how to create such a password all over the internet. By the way, maybe you might want to use a password manager if you like.

  2. After your vault is created, you can choose how you want to work with the vault, most importantly whether to save the password locally and auto-unlock (only do this if you trust the security of your device) or you want to unlock it manually, entering the password each time. The latter might be safer, depending on your situation, whether you trust everyone who has access to your computer.

  3. Now you just open the Cryptomator drive, copy files over and to be sure, you can take a look at your encrypted data in the vault.

Unlocked vault automatically mapped by Cryptomator as a network drive

Encrypted Vault as visible in the target folder (OneDrive in this example), already synced to the cloud

The file path, name and contents are all encrypted when stored

Don’t forget you can’t just copy files directly to the vault (e. g. on OneDrive) — they won’t magically get encrypted. You always need to work with an unlocked vault, i. e. inside the network folder Cryptomator attaches for you.

That’s it, from now on, your confidential files are much more secure with a little upfront and a minimum ongoing effort. Cryptomator supports all the major platforms — Windows, Linux, macOS, Android, iOS so you can even access the files on other devices, synced automatically through your cloud provider. I personally will also take a look on how to have the data automatically backed up to another cloud storage in an unlikely situation that it is lost by one provider for some reason.

All of the mentioned approaches have some issues, be it performance, ease of use, price, etc. Ultimately it’s your choice which one you choose, if any, but do yourself a favour and take at least some precautions; better safe than sorry. And remember:

“Just because you’re paranoid doesn’t mean they aren’t after you.”

― Joseph Heller, Catch-22

Top comments (1)

Collapse
 
vguarnaccia profile image
Vincent Guarnaccia

ProtonMail user here. How would he use the service to encrypt files on his hard drive? Or do you mean to look into PGP?