Cryptomator

Cryptomator is a free, open-source tool that creates encrypted vaults on top of any cloud storage service. Instead of trusting Dropbox, Google Drive, iCloud, or OneDrive with your plaintext files, Cryptomator encrypts everything on your device before it syncs to the cloud. The cloud provider only ever sees encrypted blobs with randomized filenames — they cannot read your documents, see your folder structure, or even know how many files you have.

This approach is uniquely valuable for crisis privacy because it works with infrastructure you may already have. You do not need to migrate to a new cloud provider or convince your contacts to switch services. If you have a Dropbox account with 2 GB of free storage, Cryptomator turns it into 2 GB of zero-knowledge encrypted storage. This is especially useful in situations where setting up new accounts might attract attention, or where you need encrypted storage immediately without waiting for a new service to provision.

Cryptomator is ideal for people who want encrypted cloud storage without changing their existing setup, or who want a second layer of encryption on top of an already-encrypted service for defense in depth. It is also the best option for people in regions where services like Proton may be blocked — since Cryptomator works with any cloud provider, you can use whichever provider has the best availability in your location.

Cryptomator uses AES-256 encryption in GCM mode for file contents, with file names encrypted using AES-SIV. Each vault is protected by a master key derived from your password using scrypt, a memory-hard key derivation function designed to resist brute-force attacks. The vault key is then used to derive per-file encryption keys, so each file is encrypted independently.

The encryption extends beyond file contents. File names are encrypted and replaced with random strings, directory structures are flattened and obfuscated, and file sizes are padded to obscure the original size of each file. This means that even sophisticated analysis of the encrypted vault cannot reveal what you are storing. The cryptographic design was documented in a public security architecture paper and has been independently audited by Cure53, a respected German security firm, with the most recent audit completed in 2023.

Cryptomator itself requires no account, no registration, and no internet connection to function. You download the application, create a vault, set a password, and start encrypting. There is no telemetry, no usage tracking, and no phone-home behavior. The software operates entirely locally on your device.

The anonymity implications depend on which cloud provider you pair it with. If you use Cryptomator with an anonymous Proton Drive account, you get layered encryption with no identity exposure. If you use it with a personal Google Drive account, Google knows you are syncing encrypted files but cannot read them. For maximum anonymity, pair Cryptomator with a cloud account registered under a pseudonym through Tor. The encrypted vault files themselves contain no identifying information about the Cryptomator user.

Cryptomator is fully open source under the GPLv3 license, with all code — desktop clients, mobile apps, and the core cryptographic library — published on GitHub. The project has over 12,000 GitHub stars and an active contributor community. The cryptographic library (cryptolib) is a standalone package that can be independently reviewed without needing to understand the full application.

Cure53 conducted a comprehensive security audit of Cryptomator in 2017, with follow-up audits in subsequent years. The audit reports are publicly available on the Cryptomator website. The project also maintains a detailed security architecture document explaining every cryptographic decision. Reproducible builds are available for the desktop application, allowing anyone to verify that the distributed binary matches the published source code.

Skymatic GmbH, the company behind Cryptomator, is incorporated in Bonn, Germany. Germany has strong data protection laws under the GDPR and the German Federal Data Protection Act (BDSG). However, Germany is a member of the Fourteen Eyes intelligence alliance, which is a consideration for threat models involving state-level adversaries.

In practice, Skymatic's jurisdictional exposure is minimal because the company never has access to your data. Cryptomator operates entirely on your device — there is no Skymatic server that stores your files or keys. The cloud provider holds only encrypted blobs, and Skymatic has no relationship with your cloud account. Even a court order directed at Skymatic could not produce your data, because Skymatic never possesses it. The jurisdictional risk is effectively transferred to whichever cloud provider you choose.

Cryptomator has been in active development since 2016 and has built a strong reputation in the privacy and security community. It is recommended by the Electronic Frontier Foundation, multiple privacy-focused publications, and the German Federal Office for Information Security (BSI). The project has never experienced a known security breach or a critical vulnerability in its cryptographic implementation.

Skymatic GmbH has remained an independent, privacy-focused company without venture capital funding that might create pressure to monetize user data. The team is transparent about their development roadmap and security practices. The open-source model means that even if Skymatic ceased operations, the software would continue to function and could be maintained by the community — your encrypted vaults would remain accessible as long as you have the password.

Cryptomator is designed for non-technical users. Creating a vault takes three steps: choose a location in your cloud folder, name the vault, and set a password. After that, unlocking the vault presents it as a virtual drive on your computer — you drag and drop files just like any other folder. The encryption and decryption happen transparently in the background.

The mobile apps are similarly straightforward. On iOS and Android, you select your cloud provider, authenticate, and unlock your vault. Files can be viewed, edited, and added directly from the mobile app. The only usability friction is that Cryptomator adds a step to accessing your files (unlocking the vault), but this is an inherent tradeoff of client-side encryption. For someone under crisis pressure, the familiarity of the "virtual drive" metaphor makes Cryptomator far more approachable than command-line encryption tools.

Cryptomator is available on Windows, macOS, Linux, iOS, and Android. The desktop application is free on all platforms (with an optional donation). The mobile apps are paid — a one-time purchase of approximately $12 on iOS and available as a paid app or via donation on Android via F-Droid.

Feature parity is excellent across platforms. Vaults created on any platform can be opened on any other platform. The desktop apps integrate with system file managers (Finder, Explorer, Nautilus) via virtual drives or FUSE/WebDAV mounts. The mobile apps support all major cloud providers including Dropbox, Google Drive, iCloud, OneDrive, pCloud, and any WebDAV-compatible service. This broad compatibility is Cryptomator's defining strength.

The desktop application is completely free and open source — no payment required. The mobile apps require a one-time purchase, but this can be done with an anonymous Apple ID (funded with a cash-purchased gift card) or a Google Play account funded with a cash-purchased Google Play gift card. There is no subscription, no recurring payment, and no account linking after purchase.

For Android users who want to avoid Google Play entirely, Cryptomator is available on F-Droid, the open-source Android app repository, with a pay-what-you-want model through the Cryptomator website. Payment can be made with cryptocurrency (Bitcoin is accepted for license keys). The desktop version requires no payment at all — you can encrypt your entire document collection for free.

Download Cryptomator from cryptomator.org — always verify you are on the official site and not a phishing clone. Install the application on your computer. If you do not already have a cloud storage service set up, install one now — Dropbox, Google Drive, or any provider with a sync folder on your computer. For maximum anonymity, register the cloud account under a pseudonym using Tor.

Open Cryptomator and click "Add Vault," then "Create New Vault." Choose a name for your vault (this name will be visible as a folder in your cloud storage, so pick something innocuous if discretion matters). Select the location — point it to a folder inside your cloud sync directory (e.g., inside your Dropbox or Google Drive folder). Set a strong password with at least 20 characters. Cryptomator will offer to generate a recovery key — store this recovery key in a separate, secure location (your password manager, or written on paper kept in a safe). Without the password or recovery key, your files are permanently inaccessible.

Once the vault is created, click "Unlock" and enter your password. A virtual drive will appear on your system. Copy your critical documents into this drive — passport scans, financial records, legal documents, contingency plans. When you are done, lock the vault. The encrypted files will sync to your cloud provider automatically. Install the Cryptomator mobile app and connect it to the same cloud account to access your vault on the go. Test the full cycle: add a file on desktop, verify it appears on mobile, and vice versa. In a crisis, you need to know this works before you depend on it.