Help Me Understand The Cryptomater Process Please!
Help Me Understand The Cryptomater Process Please!
So, I want to encrypt my files with Cryptomater before they go to my cloud based backup service. Lets say I use Dropbox.
So I know I create a Cryptomater vault and give the location as a folder in Dropbox.
I can't see that Vault until I open it in Cryptomater, right? This means I can't add anything to that Vault unless its open on my machine. As its open, I'm assuming that the data I'm adding is unencrypted until I close the Vault?
Lets say I add a plain text file to an open Vault.
So, at what point does Dropbox upload that file? Is it the minute its added to the Dropbox environment? Because that would mean its unencrypted.
Or is it not uploaded until the moment the Cryptomater vault is closed? Because that would mean I'd either have to leave the Vault open the entire time I was on my device and possibly have to do one (potentially) big upload at the end of the day maybe or keep opening and closing the Vault every time I wanted to work with the Vault (edit an existing document, add a new one, delete one etc).
Or have I misunderstood the process? I hope so because it either sounds not very secure or not very usable.
You're viewing a single thread.
at what point does Dropbox upload that file
You can't know that because it is closed-source but it's irrelevant because the files are encrypted already. Cryptomator is fun because each file has its name and content encrypted separately which means that you only need to upload what changed, compared to Veracrypt that has to send everything every time. I guess Dropbox is smart enough to notice small changes and send them immediately. As a comparison, OneDrive (by Microsoft) is full of bugs and is sometimes stuck and won't sync for days unless you fix the broken mess with a specific obscure command.
Is it the minute its added to the Dropbox environment
The file is never added to Dropbox. It is added to the virtual drive of Cryptomator which encrypts everything before saving it. Then Dropbox can see that a change has happened in that file (that is encrypted but it's irrelevant to Dropbox) and it is sent whenever Dropbox wants to.
Because that would mean its unencrypted
It's like: open Cryptomator as fake drive -> drag and drop file -> it is encrypted and then saved -> Dropbox sees change -> encrypted file is sent. The file is encrypted in memory before reaching the hard drive. Storing it before would be a huge security bug.
that would mean I’d either have to leave the Vault open
I know it's a privacy community, but what's wrong with leaving the vault open in the background? On the phone the application can be protected with a PIN or a fingerprint, and on your desktop you can have a hard drive encrypted locally and a user password. It never crossed my mind to close such "small" vaults because it's only for a small number of files that you use daily. You must never rely on solutions such as Dropbox to store all your files forever.
And for the record, I do trust Cryptomator because they make Cyberduck and their code is open-source, and also because you can support them by buying a license which is useful for them to keep on working on that. In the past few years, I have never read bad things about them.
it either sounds not very secure or not very usable
It is secure because it basically encrypts AND THEN store that in a tree of files, nothing else, and so far they do it well. No plaintext file is stored. It is usable for what it is: synchronization of a lot of small files which expects that the vault stays open, but most people do that anyway, it's still secure as long as you don't give your phone to strangers.
If you need a stronger solution, use Veracrypt but you will lose the ability to use it easily and fast, and the whole blob (multiple gigabytes for me) will have to be copied every time you need to sync anything. Both usages are legitimate.
Thanks for your answers :)
because the files are encrypted already
So its the case then that the minute I add/amend a file to a Cryptomater Vault its encrypted immediately? Not when the Vault is closed? Because you then say:
It’s like: open Cryptomator as fake drive -> drag and drop file -> it is encrypted and then saved -> Dropbox sees change -> encrypted file is sent.
Which tends to indicate the opposite - that the encryption only occurs when the Vault is saved/closed.
I guess I'm confused about Vaults. Are you saying Cryptomater stores the Vault until the moment its closed/encrypted and ony then moves those encrypted files to Dropbox?
I know it’s a privacy community, but what’s wrong with leaving the vault open in the background?
Well, because the upload only happens when the Vault is closed (I think?) and seeing that Dropbox/OneDrive users (whom Cryptomater specifically targets) normal expectation is that files are uploaded immediately I think its worth them understanding that that's not what happens.
So I have about 2gb of various files that I backup to an external drive using a bash script that detects changes and makes a copy and moves it but I'd also like to have a backup offsite copy. If I used Dropbox or OneDrive or whatever my expectation - because it doesn't seem to claim otherwise in Cryptomaters documentation - would be that it does that same thing, but now encrypted. If thats wrong, as seems to be the case, people should be made aware of that don't you think?
The files are encrypted in the RAM of the computer and stored immediately, you can see the changes in your Dropbox folder where they are stored (encrypted).
the upload only happens when the Vault is closed (I think?)
There is no vault with Cryptomator! Yeah, it's annoying and I understand your concerns now. They call it that but it's only a background service that encrypts files when you copy them in the virtual folder (of Cryptomator, not Dropbox). What they call the vault is that service, but the files are there and you can see it with their names scrambled in the real directory of Dropbox.
The upload happens when Dropbox sees a change in its own directory. For example, you copy "hentai.png" in Cryptomator, Cryptomator will encrypt and save it to the local Dropbox as "aiernstaernst.xyz" and then the Dropbox service will see that "aiernstaernst.xyz" has changed and will upload it immediatly (or maybe with a few seconds of differences but we can't know this).
On Windows you would have:
F:\Vault\hentai.pnglinked toC:\User\Dropbox\aiernstaernst.xyz. Cryptomator shows you the fakeF:\Vaultdrive when it's running (the so-called vault) while Dropbox only seesC:\User\DropboxI backup to an external drive using a bash script
As long as your bash script copies the files to the Cryptomator directory, they will be encrypted before being stored as this service acts as a fake driver pointing to your Dropbox directory. But I agree that the term "vault" is really confusing. It's only a fake hard drive that detects copies and modifications, and encrypts and decrypts files in that fake drive, which is linked to the real Dropbox drive that only sees scrambled content.
It's a neutral process that only stores files wherever you want, it's independent on any cloud or solution. You can even use it with a USB key without any cloud at all. I happen to use Veracrypt for my weekly backups (emails, some texts) but I could replace all that with Cryptomator and I'm sure it would be easier since I wouldn't have to change one big 2GB file every time.
Thanks very much for the time you've taken to explain this to me, I really appreciate it :)
So, just to recap so I'm sure I've understood....
- I drop a file into an open Vault (which is really a service which runs in an allocated part of RAM) and it gets encrypted immediately
- That encrypted file is then placed into Dropbox immediately?Or is the file placed there when the 'Vault' is saved/closed?
Yes, the encrypted file is then placed immediately into the local Dropbox folder. Once again it's all very confusing but if I can sum that up, Cryptomator is not there to sync things, it's only there to show you a virtual hard drive.
Sure, I get that :) I'm not thinking that Cryptomater should be responsible for the syncing of anything but I was unclear that at what point in the process the encrypted file would be uploaded. Now obviously that will vary depending on the sync service you use but the important point (for me) was when the file was encrypted and moved i.e. immediately or when the Vault was saved/closed.
Thanks again to you for the explanation, I feel I understand the process much better now :)