Blog / Cryptomator Hub 1.3.0: The Account Key Update

The release of Cryptomator Hub 1.3.0 marks an exciting feature update, which introduces an Account Key for users. This update, while necessary and beneficial, will require active participation from users. Here’s what to expect during the transition from version 1.2.x to 1.3.0.

ℹ Preparation is Key

Before we dive into the upgrade process, ensure every vault admin secures a backup of their Vault Recovery Keys and Vault Admin Passwords. ⚠️ Doubling down on this step is critical; your backups are your safety net. Without them, our hands are tied.

⬆ Updating Cryptomator Hub (Server) to 1.3.0

This section is only relevant for administrators who host their own Cryptomator Hub instance. If you’re using our managed service, you can skip this section. We will reach out to you to arrange a date and time to update your instance.

As mentioned above, if you’re an administrator of a self-hosted Cryptomator Hub instance, follow these steps to update Cryptomator Hub:

1. Back up the database. ⚠️ The importance of a working backup cannot be overstated.
2. Refresh your container image to the latest version: ghcr.io/cryptomator/hub:1.3.0
   • Skip this step if you’re using the stable tag. We will update the stable tag to point to the new version in a couple of weeks.
3. Implement the changes within your container orchestrator. Monitor for healthy pod statuses before proceeding.

⬆ Updating Cryptomator (Desktop Client) to 1.11.0

Updating the Cryptomator desktop application is recommended for all users, but not technically required for now. Vaults can still be unlocked using an old version. This backward compatibility provides flexibility for a gradual rollout of the updated app. Nevertheless, making changes to access, incl. adding new members to a vault and adding new devices, requires Cryptomator 1.11.0 or higher.

🔑 Introducing Account Keys

With the updated app, users will encounter a two-step migration on their first unlock attempt:

1. Secure and store their new personal Account Key. ⚠️ It’s crucial for future logins from other devices.
2. Use the Account Key to link their Cryptomator device to their account.

This procedure is a one-time requirement for every user. It allows users to self-manage linked devices and vault owners to more easily manage access without having to frequently regrant permissions each time a user logs in from a new device.

👤 Claiming Vault Ownership and Granting Access

After updating to Hub 1.3.0, vault owners (formerly known as vault admins) are prompted to claim their vault again using the Vault Admin Password. Initially, only one user can claim ownership. Subsequently, this primary owner can grant ownership rights to others, thus eliminating the need to share the Vault Admin Password.

Once vault members have navigated through the account migration, vault owners should refresh vault permissions. This action will securely distribute the necessary vault keys to the users.

❓ Frequently Asked Questions

Q: What exactly is my Account Key?
A: The Account Key is your personal secret, required for registering new devices and establishing your identity across different Cryptomator apps and browsers. Treat it with the same level of security as you would with any important password.

Q: How do I retrieve my Account Key if I lose it?
A: You can retrieve your Account Key by logging into your Cryptomator Hub account and navigating to the Profile page. There, you can view your Account Key. If your browser doesn’t have access and you can’t retrieve it anymore, you can reset your account. In this case, you will lose access to all your vaults and the vault owner(s) will have to grant you access again.

Q: Will the update affect my existing vaults and the data they contain?
A: No, the update will not affect your vaults or the data they contain. This update only affects the unlock process and access management, not the encrypted data itself.

Q: What happens to the Vault Admin Password after I reclaim ownership?
A: Upon reclaim, the Vault Admin Password becomes obsolete. You may destroy any copies of it. Compromised Vault Admin Passwords don’t pose a threat to the security of the vault.

Q: Is the process for adding new users to a vault different?
A: The difference is that you don’t grant access to each and every device, but to the user once, thanks to the Account Key. The user can link their devices to their account and access the vault from any of them without having to ask for permission again.

Q: What should I do if I encounter problems during the upgrade process?
A: If you encounter any problems during the upgrade process, please contact us at [email protected].

📋 Wrapping Up

The upgrade to Cryptomator Hub 1.3.0 and Cryptomator 1.11.0 is more than a routine update. It’s a shift towards greater security and user agency. Prepare for the update by backing up essential data, and follow the outlined steps to ensure a smooth transition. Embrace the change, as it brings forward a more robust and user-friendly way to manage your vaults.