Encryption with Cryptomator

By using Cryptomator for client-side encryption, you can ensure that your files remain confidential, even when stored on university servers or accessed via network shares. Although university storage systems offer security features like user authentication and permissions, they don’t always provide end-to-end encryption. This is where Cryptomator comes in. Cryptomator ensures that your files remain encrypted and unreadable without the vault password, even if, for example, someone gains unauthorized access to the Samba share or your sciebo account.

Note: In order to install Cryptomator, you need administrator rights on your computer. If you do not have these, please contact your administrator or IT support.

Download: cryptomator.org/downloads

  • Prerequisites

    There are two typical ways to use Cryptomator with university-provided cloud services: either OpenStack-based or with sciebo.

    1. OpenStack-based

    If you plan to use Cryptomator with the university’s OpenStack cloud storage (OpenStack documentation), we assume you have already created your usershares and can access them locally — e.g., via a mounted folder or sync client. Once the storage is accessible as a folder on your system, the Cryptomator workflow is the same across platforms. For platform-specific instructions, refer to the OpenStack access guide.

    2. sciebo

    Cryptomator is also compatible with sciebo. Store your Cryptomator vault inside a synced folder. Files are encrypted locally and automatically synced to the cloud.

    1. Install the sciebo client, which you can download from hochschulcloud.nrw, and set up your account.
    2. Select or create a folder to sync. The client creates a local folder (e.g., C:\Users\YourName\sciebo or ~/sciebo) which syncs with your sciebo account.

  • Getting Started with Cryptomator

    Once the storage is accessible via a mounted folder, the Cryptomator workflow is the same for OpenStack-based and sciebo cloud storage. Note, however, that the screenshots in this guide will demonstrate how to use Cryptomator on an OpenStack-based usershare.

    1. Download and Install Cryptomator

    Download the latest version for your operating system from the Cryptomator website. Install the software by following the instructions provided. After successful installation, you can start Cryptomator directly.

    2. Create Your First Vault

    You need to take these steps to create your vault:

    1. Open the Cryptomator app and click on the "+" symbol.
    2. Choose "Create New Vault".
    3. Navigate to the mounted storage (sciebo folder or mounted usershares) and select it as the location for your vault.
    4. Set a name for your vault.
    5. Set a strong password to protect the vault.
    For more information see Create a New Vault.

    If you want to change a vault’s password, show its recovery key, or reset its password, see Password And Recovery Key.

    Important note: Only you know your password. Neither we nor Cryptomator can recover this password if it is lost. Without a valid password, your files can’t be decrypted and will become inaccessible. You can only reset a vault’s password yourself if you have its recovery key. Therefore, it is recommended that you create your vaults with a recovery key and keep it as safe as your password.

    3. Open an Existing Vault

    You can also open an existing vault if, for example, you have created a vault somewhere else or you need to use a vault created by someone else. You need to take these steps to open an existing vault:

    1. Open the Cryptomator app and click on the "+" symbol.
    2. Choose "Open Existing Vault".
    3. Browse to the location of the respective vault and select the "vault.cryptomator" file, as shown when you click.
    4. Done! Your vault is now added to the list of your vaults. Once you unlock the vault, the mounted folder is created and you can access the files inside.

    4. Access Your Vault

    Once the vault is created, Cryptomator mounts it as a virtual drive on your computer as soon as you unlock it. To unlock the vault, you need to enter its password. You can do this immediately after creating the vault. You can then see the mounted folder in your file explorer. You can also open the mounted folder from the Cryptomator application by clicking "Reveal Drive".

    For more information see Accessing Vaults.

    5. Use Your Vault

    Now you can add your sensitive files (e.g. "secret_file.txt") to this virtual drive/mounted folder. They will automatically be encrypted before being stored and synced to your usershare/sciebo folder and therefore to the cloud storage. You make your changes to the files inside the virtual drive, and Cryptomator encrypts them on the fly.

    If you want to manage your vaults refer to Vault Management.

    Important note: You must add your sensitive files using either the mounted vault folder (the virtual drive) or the Cryptomator application. Avoid adding files directly to the vault folder in your usershare or sciebo folder. Otherwise your files will not be encrypted! When you go to your vault folder in your usershare, you will find a text file (IMPORTANT.rtf) with this information, stating that you should not change the files in this folder. In order to access and work with the encrypted files, you have to unlock the vault via your Cryptomator application.
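
    A check for the mistake described in the note above, as an added example that is not part of the original guide or of Cryptomator itself: it lists files in a vault's storage folder that do not match the encrypted layout and were therefore probably copied in unencrypted. It assumes the vault format 8 layout (encrypted items under d/ ending in .c9r); the function names and the sample vault are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed layout (vault format 8): top-level config files plus a d/ tree whose
# files end in .c9r, or are name.c9s inside a shortened-name (.c9s) directory.
TOP_LEVEL = {"vault.cryptomator", "masterkey.cryptomator", "IMPORTANT.rtf"}


def is_vault_file(rel: Path) -> bool:
    """True if the relative path looks like something Cryptomator wrote."""
    if len(rel.parts) == 1:
        # Key/config backups look like masterkey.cryptomator.1A2B3C4D.bkup
        is_backup = rel.suffix == ".bkup" and ".cryptomator." in rel.name
        return rel.name in TOP_LEVEL or is_backup
    return rel.parts[0] == "d" and (rel.suffix == ".c9r" or rel.name == "name.c9s")


def find_unencrypted(vault_dir) -> list[str]:
    """List files inside the vault's storage folder that bypassed encryption."""
    root = Path(vault_dir)
    if not (root / "vault.cryptomator").is_file():
        raise ValueError(f"{root} is not a vault folder (no vault.cryptomator)")
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and not is_vault_file(p.relative_to(root))
    )


def build_sample_vault(base) -> Path:
    """Constructed sample: a fake vault folder with two stray plaintext files."""
    vault = Path(base) / "MyVault"
    encrypted_dir = vault / "d" / "AB" / "CDEFGHIJKLMNOPQRSTUVWXYZ234567"
    encrypted_dir.mkdir(parents=True)
    for name in ("vault.cryptomator", "masterkey.cryptomator", "IMPORTANT.rtf"):
        (vault / name).write_text("placeholder")
    (encrypted_dir / "dirid.c9r").write_bytes(b"\x00")
    (encrypted_dir / "q8Zk3constructed==.c9r").write_bytes(b"\x00")
    # Files copied straight into the storage folder instead of the unlocked drive
    (vault / "secret_file.txt").write_text("plaintext")
    (encrypted_dir / "notes.docx").write_text("plaintext")
    return vault


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for stray in find_unencrypted(build_sample_vault(tmp)):
            print("NOT ENCRYPTED:", stray)
```

    Hidden files written by a sync client or the operating system inside the vault folder are reported as well, since they are also stored unencrypted.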

  • Best Practices for Key Management and Data Security

    1. Use Strong, Unique Passwords

    Always use a strong, unique password for your vault, because your vault is only as secure as your password. It should be at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters.
    Consider using a password manager to securely generate and store passwords.

    2. Backup Your Vault Keys and Passwords

    Since Cryptomator does not store your password, it is essential to have a secure backup method. Store recovery keys or passwords in a secure location (e.g., a password manager).

    3. Be Careful When Sharing Your Keys or Passwords

    Avoid sharing vault passwords over insecure communication methods. To securely share the password for the vault, you can use encrypted communication methods like:

    • Encrypted email: Use PGP encryption to send passwords or files securely via email.
    • Password managers with sharing features: Some password managers such as 1Password allow secure sharing of credentials with other users.
    • A messaging app that uses end-to-end encryption for secure communication.

    4. Regularly Update Cryptomator

    Ensure you are always using the latest version of Cryptomator to benefit from the latest security patches and features.

    5. Collaboration and Sharing Encrypted Data

    Researchers often need to collaborate with colleagues around the world. Cryptomator allows you to securely share files by providing encrypted access to vaults.

    Ways to Collaborate Using Cryptomator:

    • If you want to share a folder encrypted with Cryptomator with someone, that person must also have Cryptomator installed on their computer to open the encrypted folder.
    • Share the Encrypted Vault: Store the vault in your usershare. Only those with the correct vault password can access the files.
    • Individual File Sharing: After encrypting a file, you can share individual encrypted files with collaborators, ensuring that only authorized parties can access them.

    Important Considerations:

    • Ensure that collaborators also understand how to handle encryption keys securely.
    • As explained above, always use secure communication channels to share passwords or encryption keys (e.g., encrypted email, password managers with sharing features or secure messaging platforms).
    • When using a shared encrypted folder, it is not possible to work on the files stored there at the same time.
    • As mentioned above, it is possible to have a recovery key created when you create your vault. If you forget the password, this is the only way to regain access to your encrypted data. It is important that you keep this key safe and inaccessible to third parties.
  • Troubleshooting and Support

    Common Issues

    • Forgotten password: Cryptomator does not have a password recovery option. If you lose your vault password, you will lose access to your files. Always keep a backup of your password in a secure location like a password manager.
    • File corruption: While rare, if you experience issues with corrupted files, ensure that the vault was properly dismounted and the cloud sync was complete before shutting down your device.
    • Unable to mount vault: Ensure that you have the necessary permissions to mount virtual drives on your operating system. Check that you have enough space on your device for the vault.
    • Changes are not visible: Sometimes you have to close the mounted folder and open it again in order to see the changes.