Cryptomator Blog

Security Vulnerability in Hub Vault Unlock: Update Required

Fri, 13 Mar 2026 00:00:00 +0000

We have released an important security fix for all Cryptomator client apps, which fixes a vulnerability affecting all users who unlock Hub-managed vaults.

Required Action

Please update all your Cryptomator client applications that access Hub-managed vaults immediately to the fixed versions:

You can also find all downloads on our downloads page.

After the update, Cryptomator clients connecting to self-hosted Hub instances will show a one-time “Trust this host?” dialog that must be confirmed individually. Before accepting, please verify that the displayed Hub URL is correct and matches your Cryptomator Hub instance. Clients connecting to Cryptomator Hub Managed are not affected by this dialog, as managed domains are trusted automatically.

Are my vaults safe?

Yes. Since Cryptomator Hub uses end-to-end encryption, vault data was never in danger.

Which vaults are affected?

The vulnerability lies within the unlock workflow of Hub-managed vaults. Local vaults are unaffected.

What data is at risk?

An attacker with write access to your encrypted data could tamper the vault in a way that makes Cryptomator send a session token to a malicious server. The exfiltrated token can then be used to impersonate a user to access unencrypted information like usernames, vault names, etc. in Hub.

Has this been exploited?

At this time, we have no evidence of active exploitation of this vulnerability.

Security Advisories

As part of responsible disclosure, the full security advisories will be published on March 20. Until then, the following links will not work yet — this is expected and intentional:

How can I get help?

If you have any further questions or need assistance during updates, don’t hesitate to contact us at hub-support@cryptomator.org.

10 Years of Cryptomator – Thank You All

Mon, 09 Mar 2026 00:00:00 +0000

Today, Cryptomator Turns 10

It feels surreal to read this sentence.

What once began as a small idea has become a tool trusted by millions of people worldwide. People from very different backgrounds and walks of life: journalists protecting their sources. NGOs securing sensitive information. Researchers, students, freelancers, companies—all united by a common need: to keep their data private in an increasingly connected world.

Today, we are not only celebrating an anniversary. We are looking back on the history of Cryptomator, saying thank you to all our supporters, and looking ahead to what the future holds for the Cryptomator project.

How It All Began

About ten years ago, cloud storage became part of everyday life. Dropbox, Google Drive, OneDrive, and many others promised convenience: anytime access to files, easy sharing, seamless collaboration. And they delivered exactly that—but at a hidden price: the surrender of your privacy – the analysis of uploaded data.

The only protection against this was encryption. But encryption was either non-existent, optional, or so complicated that it was not a realistic option for many people. Using the cloud often meant relinquishing control over your own data, often without really noticing.

Cryptomator was born out of this very tension.

“As is often the case with FOSS, it all started with my own needs, because existing tools did not meet my requirements. My motivation then changed significantly when it became apparent that others also had this need for a transparent, cloud-compatible encryption solution and were also dissatisfied with the existing tools (at that time, mainly Boxcryptor).”

— Sebastian Stenzel, CTO

From the outset, Cryptomator was developed as open-source software. Transparency was not a marketing promise, but a prerequisite. Anyone could understand how the encryption worked, check for vulnerabilities, and contribute improvements.

“At the beginning, open source was actually our most important unique selling point compared to our main competitor Boxcryptor – I simply didn’t want to trust blindly. In theory, open source means that you don’t have to trust us at all. And new processes such as provenance attestation—i.e., cryptographic evidence of how a build was created—can also ensure the integrity of software that has already been compiled by the manufacturer in the future.”

— Sebastian Stenzel, CTO

Grown With the Cloud

But time does not stand still. Over the past ten years, the world of work has changed fundamentally. Remote work has become the norm since the COVID-19 pandemic. International collaboration is now a matter of course. Entire organizations have moved their processes to the cloud. At the same time, the risks have also grown: data leaks, ransomware, surveillance, increasing regulatory requirements.

“Privacy has (unfortunately) become increasingly important: In the past, the main concerns were cybercrime and leaks – today, I am worried about the spread of authoritarian tendencies in so-called ‘democracies’. The demanded erosion of privacy can, in the wrong hands, become a means of control over us all; AI troll armies with access to private chats and data would be the most powerful propaganda tool in human history. If we allow this to happen, it will have serious consequences.”

— Sebastian Stenzel, CTO

Privacy is no longer a “nice-to-have.” It is a necessity. Cryptomator has evolved to meet these challenges.

A desktop application became a cross-platform solution. Mobile apps were added. New use cases emerged. Feedback from the community has significantly shaped usability, performance, and features.

Cryptomator Hub was the next step: secure collaboration for teams and organizations—without compromising on encryption or control.

Throughout all these developments, one thing has remained the same: security and user-friendliness should not be mutually exclusive.

Below, we have compiled a timeline showing the most important milestones of recent years.

Timeline

Evolution of an Icon: From the "Washing Machine" to the Cryptobot

2013–2014 – The idea is born, development begins
The vision arises from a very practical need: to be able to use the cloud without entrusting plain text data to the provider. Active development begins in 2014, with a focus on local encryption and ease of use.

2015 – First releases & initial recognition
Cryptomator takes shape: early GitHub releases create a stable foundation. The CeBIT Innovation Award (Usable Security & Privacy) gives the approach an early boost: security doesn’t have to be complicated.

March 9, 2016 – Cryptomator 1.0: the official launch
Cryptomator 1.0 is the first stable desktop version. Interest is so great that the website is temporarily overloaded on release day – an early sign of how great the demand for independent cloud encryption is.

2017 – Growth in the ecosystem: integration, community, Android
Cryptomator becomes more visible and suitable for everyday use: integration with Cyberduck brings the project closer to existing workflows. The community forum creates a central location for support and exchange. And with Android 1.0, mobile encryption finally becomes suitable for the masses.

2018 – Sustainability: the sponsor program
To ensure that Cryptomator can continue to be developed in the long term, a sponsor program is launched. It strengthens financing and enables open source to be operated professionally on a permanent basis – without abandoning the core values of the project.

2020 – A milestone: 1 million downloads & a big leap for desktop
Cryptomator reaches 1 million downloads. At the same time, a major update (including a new UI and vault format) marks the next level of maturity. At the end of the year, the Android app also becomes completely open source – a logical step towards transparency.

2021–2023 – More open source, more teams: iOS & Cryptomator Hub
The iOS app becomes open source and undergoes a fundamental technical overhaul with Cryptomator 2.0. At the same time, demand from companies and organizations grows: Cryptomator Hub 1.0 (2022) adds a solution for teams and institutions – including central administration and team vaults. Hub will be further expanded in subsequent versions (e.g., recovery keys).

2024–2025 – Reach & future viability Cryptomator reaches new target groups through greater media presence and recommendations. At the same time, the focus is clearly on the future: The post-quantum roadmap prepares for the long-term cryptographic future, and integrations (e.g., Mountain Duck) strengthen the ecosystem around encrypted cloud workflows.

What’s Next? – New Updates & Features

New Cryptomator Hub Features – Early Access / Anniversary Launch

As part of its 10th anniversary, several key enhancements for Cryptomator Hub are entering early access or being made publicly available for the first time. These are designed to give teams and organizations more control, security, and flexibility. To celebrate, we’re offering a special 100-day free trial (instead of the usual 30 days) for Cryptomator Hub Managed. For more details, check out the Early Access documentation.

User & Group Management

A key highlight of the new Hub version is User & Group Management.
This allows administrators to:

Manage users in a targeted manner
Create groups and assign roles
Assign rights in a more structured and granular way

This enables better control over access within teams and organizations, which is particularly important for larger groups or departments. This feature marks an important step from simple access control to true team and organizational role management.

Emergency Access

Another big step: Emergency Access is being introduced.
This allows you to:

Create security accounts for emergencies
Define trusted persons/administrators
Enable access in case of lost access data or keys

This improves reliability, especially in organizational contexts, and ensures that no data access is lost, even if individuals are no longer available.

Cryptomator Desktop and iOS

Files in Use

The desktop application also has a new feature in update 1.19.0 that is important for Hub vaults: “Files in Use.”

If a file is open in a Hub vault on one device, other users are notified when they open it on their devices.

This is particularly important for reducing conflicts or data loss when files are being edited simultaneously and improves collaboration in teams.

New Cryptomator logo for iOS (desktop & mobile)

To mark its anniversary, Cryptomator is also getting a minor visual update: A new Cryptomator logo is appearing on iOS—both in the mobile app and in the desktop application.

New Cryptomator App Icons for macOS and iOS

Voices From the Community

“Nowadays, I’m especially happy when I come across users in the wild or read reports.”
— Sebastian Stenzel, CTO

Over the past 10 years, Cryptomator has become much more than just an encryption tool. For many people today, it is an integral part of their daily work and security concept. Cryptomator gives you peace of mind when it comes to protecting your data. Here are some comments from our community:

“I just wanted to say thank you for this great tool!”
— Luke (@nuk3, Mastodon)

“This is why I love Cryptomator: the files are encrypted, and even if the cloud provider has a data leak, I know my files are safe.”
— mbeddedDev (Mastodon)

Again, Cryptomator is free to use. So if you can support the program, you should definitely do so. It’s a great piece of software.
— Techlore (YouTube)

For many users, it’s the combination of transparency and user-friendliness that makes the difference:

“Open source and widely used, tested and stable, with a beautiful and simple interface. It’s always my first general recommendation for cloud storage.”
— Fit_Flower_8982 (Reddit)

Organizations and companies also rely on our encryption solution, especially Cryptomator Hub:

“With Cryptomator Hub, we can securely manage sensitive company data while making it easy for our employees to use.”
— Andreas Cofalla, Application Manager IT, Walbusch GmbH & Co. KG

And for many users, Cryptomator has become part of their everyday lives:

“I sleep peacefully at night knowing that my files are private and secure, no matter where they are stored or backed up.”
— @paired_electron (X)

“Everything works effortlessly on my iPad… biometric login or password directly on the same screen is a great solution.”
— Jack Ouzzi (App Store)

Whether on desktop or smartphone, privately or in business, the trust, feedback, and support of our community have made Cryptomator what it is today. Thanks a lot for that!

10 Years of Cryptomator – Join Our Live AMA

As part of our 10th anniversary celebration, we are hosting an Ask Me Anything (AMA) on Reddit! We would love for you to join us.

📅 March 9, 2026
🕓 4:00 p.m. CET
📍 r/Cryptomator

Tobias Hagemann (CEO) and Sebastian Stenzel (CTO) will answer your questions live.

After ten years of working on privacy-friendly open-source encryption software, we are convinced that transparency and open exchange are more important than ever.

This AMA is our way of saying thank you and looking ahead together with you.

We look forward to your questions.

Can’t join us live? Don’t worry, we’ll make the questions and answers available afterwards, and of course, we’re always available via email, social media, or the community forum if you still have a burning question.

Special Anniversary Sale

Ten years of Cryptomator would not have been possible without you. To mark this anniversary, we would like to express our gratitude with a special thank you:

From March 9 through March 18, our mobile apps (iOS & Android) and the Supporter Certificate will be available for only €10*.

Whether you’ve been using Cryptomator since the early days or have only recently discovered it, now is the perfect time to support the project and secure your cloud on the go with client-side encryption.

*Note: The discount and price may vary depending on your region.

Here’s to the Next Ten Years of Cryptomator

What began as an idea over ten years ago has now become a globally used solution for secure cloud encryption. Millions of people use Cryptomator to protect their data—privately, in organizations, and in companies.

But Cryptomator is more than just software. It is an open-source project, a community, and a shared belief: privacy is not optional, but the standard.

None of this would have been possible without you—without your support, your contributions, your feedback, and your enthusiasm for secure and transparent software.

As we look back on the past ten years, we are also looking ahead. New features, new ideas, and new developments are already waiting in the wings.

One thing remains unchanged: our goal to make cloud storage more secure—and give people back control over their data.

Thank you for being part of this amazing journey.

BitLocker, the FBI, and the Illusion of Control

Sun, 15 Feb 2026 00:00:00 +0000

When it recently became known that Microsoft had helped the FBI decrypt BitLocker-encrypted data carriers, there was widespread outrage. People were quick to talk about “backdoors,” broken encryption, and how BitLocker was clearly unreliable. But as is so often the case, the real problem lies less in the technology itself than in who has control over the encryption key.

This case is a good opportunity to take a closer look: What really happened? Why was access possible? And what does this say about our understanding of encryption and cloud services?

What Happened?

The case that came to light involved a criminal investigation in which the FBI seized several laptops. These devices were encrypted with BitLocker, the hard disk encryption feature integrated into Windows.

The FBI was still able to decrypt the data because Microsoft was able to provide the corresponding recovery keys. These keys were stored in the Microsoft account of the person concerned. Microsoft was legally obliged to disclose this information by court order.

It is important to clarify one thing: Microsoft did not “crack” BitLocker. There was no security breach, no secret master key, and no technical backdoor into the encryption itself. Microsoft was able to help because they had the keys.

Bitlocker Is Secure—But Not Automatically Private

BitLocker is technically considered a robust encryption solution. The data on a device cannot be read without the appropriate key. The problem does not arise with encryption, but with key management.

By default, Windows offers to save the BitLocker recovery key in your Microsoft account. This is convenient because if you forget your password or change your hardware, you can simply retrieve the key online.

However, this convenience has a consequence: if Microsoft holds the key, Microsoft also has the ability to pass it on—for example, to law enforcement agencies with the appropriate warrant.

Encryption therefore only fully protects data from third parties if the key remains exclusively under the control of the user.

The Real Misunderstanding: Encryption ≠ Key Control

Many users equate encryption with complete control. In practice, however, this is often not the case.

A rough distinction can be made between:

Client-side encryption with external key management. This means that the provider has access to the key.
Zero-knowledge encryption. Here, the provider has no technical access to the key.

BitLocker with a cloud-backed recovery key clearly falls into the first category. The data is encrypted, but not exclusively for the owner.

The Microsoft case therefore does not demonstrate a failure of BitLocker, but rather a structural problem with modern cloud ecosystems. Convenience features often undermine data sovereignty without anyone noticing.

Why Many Are Surprised

The strong reaction to this case shows one thing above all else: many people do not know where their encryption keys are stored.

Cloud backups, automatic synchronization, and preset security options are standard today. They lower the barrier to entry, increase user-friendliness, and quietly shift responsibility from the user to the provider.

This leads to a misleading assumption:

“My data is encrypted, so no one can access it.”

Technically correct would be:

“My data is encrypted, but someone else has the spare key.”

Access by Authorities Is Not a Special Case

Another important point: Access by authorities is not an unusual scenario.

If providers have access to keys or unencrypted data, they are legally obliged in many countries to hand them over if ordered to do so. This applies not only to Microsoft, but also to other major cloud providers.

The crucial question is therefore not:

“Do I trust Microsoft?”

But rather:

“Do I want to give a provider the technical ability to decrypt my data?”

What Users Can Learn From This

The case offers a valuable lesson – regardless of the specific product:

Encryption is only as strong as key management
Cloud backups of keys always mean a loss of control
Security is not a default setting, but a conscious decision
If you want maximum privacy, you also have to take responsibility for keys

This does not mean that cloud services are fundamentally insecure. But it does mean that you should understand which security model you are using and what compromises it entails.

How Cryptomator Helps in Such Cases: Zero Knowledge Instead of Key Storage

This is precisely where solutions such as Cryptomator and Cryptomator Hub come in. Unlike many integrated encryption functions, Cryptomator consistently follows a zero-knowledge principle.

This means that data is encrypted locally on the device before it can even be uploaded to the cloud. The key difference lies in key management. Cryptomator does not store passwords, recovery keys, or master keys.

Neither cloud providers nor Cryptomator itself have technical access to the encrypted content or the keys required to decrypt it. Even if a cloud service—such as Microsoft OneDrive, Google Drive, or Dropbox—were required to disclose data, it would only contain unreadable, encrypted files.

The difference is particularly clear in the context of the BitLocker case:

With BitLocker and a cloud-backed recovery key, the provider can issue the key
With Cryptomator, this key only exists with the user themselves
Access by third parties is technically impossible, not just organizationally

This deliberately shifts responsibility back to the users. It requires a little more personal responsibility—for example, when it comes to handling passwords securely—but in return offers a significantly higher degree of control and privacy.

This model is particularly important for sensitive data of any kind. You can’t pass on something you don’t own yourself.

Conclusion: Encryption Is Not a Feature, but a Responsibility

The BitLocker-FBI case does not reveal a secret backdoor or a breach of modern cryptography. It reveals something much more fundamental: how easily we trade control for convenience – often without even realizing it.

True data sovereignty does not come from encryption alone, but from exclusive control over the keys. Anyone who relinquishes this control should at least be aware of what that means.

Or to put it another way: Do you know who has your encryption key?

Digital Independence Day: Why Digital Independence Is Important

Sun, 01 Feb 2026 00:00:00 +0000

Every first Sunday of the month this year, people around the world take a moment to reflect on their digital habits. The occasion is Digital Independence Day — a day of action for digital self-determination, privacy, and independence from tech monopolies.

But what does digital independence actually mean? And more importantly: How can you take your first steps without completely changing your digital everyday life or investing a lot of time and energy?

What Is Digital Independence Day?

Digital Independence Day is an initiative that encourages people to reduce their dependence on large, centralized tech platforms — especially those whose business models are based on data collection, lock-in effects, and a lack of transparency.

Instead of calling for radical change, the movement deliberately focuses on small, practical steps that are accessible to everyone.

On the official Digital Independence Day website, you’ll find ideas, tools, and easy guides to help you get started right away — from communication and social media to cloud storage and online services.

At its core, Digital Independence Day stands for:

less dependence on tech monopolies
more control over your own data
conscious use of privacy-friendly alternatives

Why Digital Independence Matters

Today, much of our digital lives takes place on just a few platforms. They store our documents, organize our communication, and influence which information we see.

This concentration of power has consequences:

loss of data sovereignty
opaque data usage and profiling
limited freedom of choice
political and economic dependencies

Digital independence does not mean rejecting technology. It means regaining agency and using tools that respect users, promote openness, and enable real control over data.

Digital Independence Doesn’t Have to Be Complicated

There is a common assumption that digital independence requires technical expertise or hours of research. In reality, many impactful steps can be taken in just a few minutes.

Here are a few examples inspired by Digital Independence Day:

1. Try decentralized social networks

Instead of relying on a centralized platform like Facebook or X, you can try decentralized networks such as Mastodon. Mastodon works similarly to traditional social networks, but it is not controlled by a single company. You can choose a provider, switch if needed, and still stay connected to the entire network.

The official Digital Independence Day website offers easy starting points and explanations.

2. Be more conscious about cloud storage

Cloud services are convenient, but they often mean that unencrypted data is stored with third-party providers. A simple first step toward digital independence is client-side encryption: your files are encrypted before they leave your device. This is exactly where Cryptomator comes in.

With Cryptomator, you can continue using your existing cloud provider while staying in control of your data. The provider stores only encrypted files — the keys remain with you. No provider switch. No complicated setup. But significantly more control.

3. Replace one tool at a time

You don’t have to change everything at once. Instead, start by focusing on one area:

messaging
cloud storage
social media
password management

Replace just one tool with a more privacy-friendly alternative. That alone is already a meaningful step. Digital independence is a process — not a to-do list. That’s why Digital Independence Day focuses on small actions that anyone can easily take in everyday life.

Why We Support Digital Independence Day

At Cryptomator, we believe that privacy and control should not be a luxury. They should be the standard and accessible to everyone. Digital Independence Day aligns perfectly with this belief. It empowers people to make informed decisions without pressure and without fear-mongering.

That’s why we support the initiative and invite our community to take part — not just for one day, but continuously.

Digital Independence Day Special — February Edition

To support your first (or next) step toward digital independence, we’re continuing our campaign: On the first Sunday of February, we’re giving away 100 Cryptomator voucher codes — for free.

The codes will be shared on our social media channels and are available on a first come, first served basis.

Our goal: to lower the barrier to entry and make digital self-determination accessible to as many people as possible.

Your Next Step

Digital independence doesn’t require perfection. It starts with awareness and grows with every conscious decision. If you’re looking for inspiration, practical guides, and simple alternatives: Visit the official Digital Independence Day website.

And if you want to take control of your cloud data today: Encrypt your files with Cryptomator before they go to the cloud.

Winter Is Coming: 50% off Cryptomator

Mon, 01 Dec 2025 00:00:00 +0000

Winter is Coming — and this time it brings not only cold, but also data security at half the price! From December 1 to 31, 2025, our Winter Sale is live, giving you 50% off* Cryptomator.

That means: only €9.99 instead of €19.99 — and as a one-time purchase, not a subscription, with no monthly fees.

Cryptomator Hub is also available at a 50% discount for the first year! Contact us for more detailed terms and conditions or take a look at our price list.

Pay Once, Stay Protected Forever

At Cryptomator, we strongly believe that privacy shouldn’t require a subscription.
While many apps rely on monthly or yearly fees, Cryptomator stays true to its one-time purchase model.

Once purchased, you can use Cryptomator indefinitely — with no recurring costs or hidden charges. Your data stays protected, free from subscription traps.

Price Change Coming in 2026

Starting January 1, 2026, the price of Cryptomator will increase to €29.99.
This ensures long-term investment in security standards, performance, and new features that will continue to protect you reliably in the future.

So if you’ve been thinking about getting Cryptomator, now is the perfect time. Secure not only the 50% discount but also the old price before winter ends.

Get Protected Before the Year Ends

“Winter is Coming” — but your data can be prepared. Use December to secure your digital information and benefit from our biggest discount of the year.

After December 31, the Winter Sale ends — and the price goes up. Buy now and stay protected for good.

Confidentiality Is a Must: Why Works Councils Need Encryption

Mon, 24 Nov 2025 00:00:00 +0000

Works councils play a central role in companies when it comes to protecting the interests of employees. In doing so, they process particularly sensitive data on a daily basis: personal complaints, election results, meeting minutes, or confidential agreements with trade unions. All of this information is not only subject to a moral obligation of confidentiality—it also falls under the strict requirements of the GDPR.

But how can a works council fulfill this responsibility in the digital age, when documents are often stored, shared, and edited collaboratively in the cloud? The answer lies in a combination of technical security, organizational processes, and the right tools.

Sensitive Data Requires Special Protective Measures

Personnel data, sick notes, conflict discussions, internal processes—works councils have deep insights into the innermost workings of the company. This information concerns not only labor law disputes or restructuring, but also very personal situations in the lives of employees.

The GDPR requires such personal data to be protected with appropriate technical and organizational measures. This explicitly includes encryption. This measure is not an optional extra, but a central component of works council work that complies with data protection regulations.

Why Encryption Is Not Always the Same

Many companies today already rely on cloud-based systems such as Microsoft 365 or Google Workspace. These solutions advertise built-in security and encryption. However, what many people don’t know is that this often involves server-side encryption, which means that although the data is encrypted, the provider or administrator has the keys. Anyone who has access to the system can also access the data. This applies in particular to internal company administrators or external service providers.

This is not sufficient for particularly sensitive information, such as that processed by works councils. End-to-end encryption is required here: only authorized persons can access the content – even cloud providers or central IT departments have no access. The key to access remains exclusively with the works council.

Digital Sovereignty With Cryptomator Hub

Cryptomator Hub provides works councils with a tool that meets precisely these requirements. The solution enables the creation of encrypted data rooms (known as vaults) that can be used on any common cloud platform – while remaining entirely under the control of the council.

Vaults can be structured according to topics, roles, or working groups – for example, for minutes, election documents, complaints, or legal advice. Access rights can be assigned granularly via a clear interface. For example, only the election committee is authorized to access election documents, while other members have access to general meeting minutes.

Another advantage: the Web of Trust principle allows the committee to integrate new devices and members on a trust basis – without any central IT management or external administration. This is how digital self-administration becomes a reality.

Integration Without IT Dependency

A common obstacle for works councils is their dependence on their employer’s IT infrastructure. What if the company itself provides the cloud platform? Or what if the works council does not operate its own technical infrastructure?

Cryptomator Hub works independently of the underlying cloud. This means that even if the company provides Dropbox, OneDrive, or Nextcloud, the works council can securely encrypt its content without the employer having access. Control over the key and access structure remains exclusively with the committee.

It can also be used on private devices, which is an important factor for smaller works councils or committees without their own office infrastructure.

Conclusion

Confidentiality is not a nice-to-have, but a legal obligation and a responsibility that must be upheld. Works councils facing digital transformation should view the protection of sensitive data as a key requirement—not only to comply with legal requirements, but also to maintain the trust of the workforce.

With end-to-end encryption and independent tools such as Cryptomator Hub, works councils can fulfill this obligation securely, easily, and independently. And in doing so, they can send an important message: for digital maturity, for data protection, and for modern co-determination on an equal footing.

Cryptomator Desktop 1.18.0 is here!

Wed, 19 Nov 2025 00:00:00 +0000

We are pleased to announce the official release of Cryptomator Desktop version 1.18.0. Following the beta phase, this version brings the full package of improvements, new features, and stability enhancements—now available for all supported platforms.

New Features: What’s New in 1.18.0?

Restoring the Vault Configuration File

The recovery key has been part of Cryptomator for some time, but with version 1.18.0, it is now significantly more powerful: You can now completely restore lost or damaged master key files and vault configuration files using your existing recovery key.

Whether accidentally deleted, overwritten due to a backup problem, or damaged by a memory error, the vault can now be reliably reconstructed.

This makes the recovery key a real emergency tool that secures access to the vault in case of an emergency and prevents complete data loss.

New Signature Certificates for Windows

The Windows installer and all binary files are signed with a new certificate. The old certificate is no longer valid, and the new certificate ensures smooth installation on modern Windows systems without disruptive warning dialogs.

Remembering the Last Vault Location

When creating a new vault, Cryptomator now automatically suggests the last location used. Users who create multiple vaults in similar folder structures benefit from a significantly faster setup process.

Bug Fixes & Platform Improvements

macOS 26: Correct Display of the App Icon – And No “Squircle Jail” for Cryptomator

On macOS 26 (codename “Tahoe”), the Cryptomator icon was put inside a generic grey squircle, which didn’t look right. This issue has been fixed in version 1.18.0, so the icon now appears as it should.

With Tahoe, Apple now enforces squircle-shaped icons for all macOS apps—similar to the strict guidelines that have always applied to iOS. Previously, macOS apps could escape the squircle more freely, and many apps used this playfully as part of their visual identity. But now, app icons must conform to the squircle shape. We’re joining the squircle resistance alongside other app developers who are keeping their distinctive icon designs instead of conforming to this new guideline.

macFUSE Detection on macOS 26

Some users experienced problems integrating vaults because macFUSE was not always recognized on macOS 26. This bug has now been fixed, so vaults can be opened reliably again.

Windows: Control Over Log File Sizes

In rare cases, log files on Windows could grow enormously and cause system problems. The size limit of the log files has been corrected so that Cryptomator runs reliably and conserves resources in the background again.

Linux/KDE: Cleaning Up QuickAccess Entries

Under KDE, the Dolphin file manager created a new QuickAccess entry every time a vault was unlocked—even if one already existed, for example after the app was unexpectedly closed. This behavior has now been corrected. Existing entries are reused, and unnecessary duplications are a thing of the past.

Further Changes & Technical Updates

Update of the UI framework to JavaFX 25: improved performance, modern graphics display, and long-term compatibility.
New “Share” entry in the context menu that explains how to share vaults.
Various security and library updates (including nimbus-jose-jwt, logback, commons-lang3, dagger) to keep the software up to date and secure.

Why This Update Is Important

Version 1.18.0 makes Cryptomator Desktop more robust, user-friendly, and better prepared for future operating system versions. The new recovery feature protects in critical scenarios (e.g., damaged configuration files), while UI and system improvements make everyday use of Cryptomator smoother.

What You Can Do Now

Install Cryptomator Desktop 1.18.0 for your operating system.
If you have been using the beta version, please be sure to update to the final release!
For businesses and security-conscious users, it’s worth taking a look at the new Windows certificate.
And remember: keep your vault recovery key safe.

Closing Remarks

Thank you to everyone in the community who tested the beta. Your feedback directly contributed to making 1.18.0 a strong, stable release. With this update, Cryptomator Desktop is more reliable than ever!

Thank you for using Cryptomator—and thank you for securely encrypting your data.
We look forward to your feedback on the new release!

Your Cryptomator Team

Two Years of Cryptomator Hub – Team Encryption Reimagined

Sun, 02 Nov 2025 00:00:00 +0000

On November 2, 2023, Cryptomator Hub 1.0 was released—our solution for secure, encrypted collaboration in the cloud. Two years later, Cryptomator Hub has become a central tool for companies, universities, and NGOs that want to protect their sensitive data while working efficiently as a team.

On this anniversary, we look back on two exciting years full of further developments, beta features, new areas of application—and what’s yet to come.

What is Cryptomator Hub?

Cryptomator Hub is the central platform for managing and sharing encrypted vaults.

While the classic Cryptomator app allows individuals to protect their cloud files, the Hub extends this principle to teams and organizations.

Cryptomator Hub offers a web-based dashboard that administrators and team members can use to manage users, assign roles, and control access rights—all fully encrypted and GDPR-compliant.

Cryptomator Hub thus bridges the gap between strong end-to-end encryption and user-friendly teamwork.

Features That Make the Difference

Centralized Management of Users and Permissions
Whether you’re a small team or a large organization, administrators can always keep track of who has access to which vaults. Role-based permissions make management easy and transparent.
Web of Trust
This security model enables secure key exchange between team members via digital trust relationships. No unencrypted data exchange and no complicated key files, as trust is mapped technically.
Create Vault Role
Teams can independently create new vaults without administrators having to accompany each step. This keeps collaboration flexible while maintaining a high level of security.
Self-Hosting & Data Protection by Design
Data protection is not an add-on, but a core principle: Cryptomator Hub can be operated locally (on-prem) or in private cloud environments. This gives companies and institutions complete control over their infrastructure and data.
Integration with Popular Cloud Services
Whether OneDrive, Google Drive, Dropbox, or Nextcloud, Cryptomator Hub integrates seamlessly into existing work environments and protects data regardless of the provider.

Typical Areas of Application

Companies and Public Authorities

Companies use Cryptomator Hub to implement zero-trust security strategies. Industries with high compliance requirements—such as healthcare, public administration, and legal services—benefit particularly from GDPR-compliant cloud encryption.

Companies such as Walbusch GmbH & Co. KG are already successfully using Cryptomator Hub and can report consistently positive results:

With Cryptomator Hub, we can securely manage sensitive company data while making it easy for our employees to use.

Andreas Cofalla, Application Manager IT, Walbusch GmbH & Co. KG

Universities and Research Institutions

Research teams secure their project data with Hub without sacrificing cloud collaboration. Sensitive research data remains protected while collaboration across departments or countries continues to function.

NGOs and Nonprofits

For organizations operating globally, Cryptomator Hub offers a secure way to share confidential documents—from grant proposals to personnel data—even with limited IT resources.

IT Teams and Data Protection Officers

Hub simplifies audits, role management, and verification of data protection-compliant working practices—a clear advantage in internal and external security audits.

Two Years of Further Development – And Looking to the Future

Since its launch in 2023, Cryptomator Hub has developed rapidly.

The 1.4.0 update in April 2025 brought two decisive milestones with the Web of Trust and the Create Vault role. Furthermore, everything is focused on optimization, scaling, and future-proofing—especially with regard to the upcoming standards of post-quantum cryptography.

But we are not resting on our laurels. Three new features are already in the pipeline to make Cryptomator Hub even more powerful and user-friendly.

User/Group Management

User and group management will become much more convenient in the future. With the new, integrated user/group management, smaller companies and organizations can create and manage their team structures directly in the hub—intuitively, clearly, and without detours.

In the background, we continue to rely on Keycloak—a proven, powerful solution for identity and access management.

Emergency Access

In companies, it can always happen that employees leave and access to important data is lost as a result.

The upcoming Emergency Access feature provides a remedy here: it allows you to designate a specific group of authorized persons who can restore access to a vault, either collectively or partially, in an emergency.

Even in critical situations or in the event of personnel changes, the company remains capable of acting.

Files in Use (in the Desktop App)

A frequently expressed wish of our Hub customers: better support for collaborating on Office files.

While LibreOffice, for example, already has a built-in locking system for open files, this has been missing in Microsoft Office until now. That’s why we are currently developing our own “locking system” in the Cryptomator desktop app that recognizes when a file is already open and informs other users.

This makes collaborating on documents more conflict-free, transparent, and secure—another step toward smooth teamwork.

Two Years of Trust, Cooperation, and Security

In two years, Cryptomator Hub has evolved from an idea into a reliable platform for secure teamwork.

We would like to thank all users, administrators, and testers who have helped to further develop Cryptomator Hub with their feedback—and we look forward to the next chapter.

OneDrive Security Breach Shows: Why Zero-Knowledge Matters

Fri, 17 Oct 2025 00:00:00 +0000

In May 2025, the Oasis Security published an analysis that caused a stir in the cloud world: a vulnerability in OneDrive File Picker allowed third-party applications to access files for which they did not actually have access rights. Millions of users were affected, both private individuals and companies.

What exactly happened, why is this incident so explosive, and what can you learn from it to better protect your own data?

What Went Wrong With OneDrive File Picker?

OneDrive File Picker is a popular interface that allows apps to access files from personal cloud storage. However, Oasis Security discovered that certain configuration errors allowed applications to view and download files that they did not officially have access to – even sensitive content such as tax documents, project plans, or confidential meeting minutes.

Worse still, the affected applications did not even need to use an exploit – all they had to do was use the File Picker correctly (or rather, incorrectly). The problem was not a targeted hack, but a design flaw in the system.

The Real Lesson: Trust Is Not a Security Concept

Many users trust cloud providers such as Microsoft, Google, and Apple to keep their data secure. But this incident shows that even large platforms make mistakes—with far-reaching consequences.

The real problem runs deeper:

Access rights are managed in the backend, not by the user(s) themselves.
Files are often stored unencrypted on servers—or only with a key that the provider itself controls.
Security vulnerabilities in third-party apps or web interfaces can be exploited without those affected even noticing.

In short: anyone who entrusts their data exclusively to the security promises of cloud providers is relinquishing control.

The Solution: Zero-Knowledge Encryption With Cryptomator

Cryptomator takes a fundamentally different approach: files are encrypted locally on your device before being uploaded to the cloud. This means your data remains protected even if the cloud provider is compromised—or, as in the case of OneDrive, simply makes a mistake.

This means:

No one but you can read your files—not Microsoft, not Google, not us.
Access rights are secondary, because without the key, all data remains unreadable.
Even compromised APIs or third-party apps only see encrypted garbage data.

Cryptomator Hub offers the ideal extension for teams, organizations, and companies:

Centralized management of encrypted vaults
IT administrators can preconfigure vaults and share them with specific users—all with end-to-end encryption.
Role-based access control
Thanks to the role-based system, you can specify exactly who is allowed to create, open, or manage vaults—without central key distribution.
Web of trust for secure collaboration
Team members verify each other, creating a trustworthy environment—without the need for external certificate authorities.
Seamless integration into existing cloud workflows
Cryptomator Hub can be easily combined with existing cloud storage solutions such as OneDrive, Google Drive, or Dropbox.

Cryptomator Hub enables highly secure and practical cloud usage within teams without the usual compromises in data protection and compliance. This is a future-proof solution, especially for organizations with increased requirements, such as NGOs, research institutions, or companies in regulated industries.

What You Can Do Now

Whether you use OneDrive, Dropbox, or another cloud service, this incident shows that no provider can offer 100% security on its own. However, you can drastically reduce your risks by taking a few simple steps:

Use client-side encryption with tools such as Cryptomator.
Do not store particularly sensitive documents unencrypted in the cloud.
Raise awareness among your team members or colleagues about cloud access rights.
Check which third-party apps have access to your cloud.

Conclusion: Safety Begins With Control

The OneDrive security breach is not an isolated incident—it is a symptom of a system that relies on trust rather than real control. But if you encrypt your files before uploading them, you remain protected even in the event of serious security breaches.

With Cryptomator, you retain full control over your data, your privacy, and your digital security.

Back to School – Data Security for Universities

Fri, 10 Oct 2025 00:00:00 +0000

With the start of the new winter semester, lecture halls are filling up again—as are the digital platforms of universities. Learning management systems, research platforms, cloud storage solutions, and digital administrative processes have long been part of everyday life at universities. But while digitalization opens up new opportunities, it also carries risks: cyberattacks, data breaches, and inadequately protected cloud data jeopardize the integrity and confidentiality of highly sensitive information. In this article, we show why encryption is essential for universities – and how it helps make research, teaching, and administration more secure.

Why Universities Are a Lucrative Target for Cyberattacks

Universities and colleges process a wide range of sensitive data:

Personal data of students, researchers, and employees (e.g., student ID numbers, transcripts, health information).
Research data, often related to third-party funding or government-funded projects.
International collaborations, which also require compliance with the regulations of other countries (e.g., FERPA, GDPR).
Login details and access keys for learning platforms, email services, and digital resources.

More and more attacks are targeting universities, for example through ransomware, phishing, or cloud leaks. According to the BSI Situation Report 2024, educational institutions are among the critical areas with a sharply increased threat level. This makes it all the more important for universities to make their digital structures resilient and encrypted.

Encryption: The University’s Digital Invisible Ink

Data encryption protects information using mathematical methods—it can only be read with the right key. For universities, this means:

Confidentiality of research results
Particularly in the case of sensitive basic research or cooperation projects with companies, it is crucial that only authorized persons have access to files. End-to-end encryption protects this data even if a cloud provider is compromised.
Data protection for students and teachers
The EU GDPR requires universities to comprehensively protect personal data. Encryption enables data processing that complies with data protection regulations—even when using the cloud, working from home, or using BYOD models.
Protection against ransomware and data loss
Encrypted backups and protected storage systems can greatly limit the impact of ransomware attacks. Attackers have no access to unencrypted original data, and recovery can take place without payment.

Practical Application: Where Encryption Makes Sense

Field of application	Recommended solution
Cloud storage (e.g., Nextcloud, OneDrive)	Client-side encryption with tools such as Cryptomator
Research data archiving	Zero-knowledge cloud or encrypted vaults
Administrative documents	Password protection and structured access controls
Mobile use & working from home	Container-based encryption on mobile devices

Conclusion: Set the Course Now for a Safe Semester

The digitization of higher education is unstoppable—but it is not defenseless. Those who encrypt today will protect the autonomy of research and teaching tomorrow. Universities that rely on simple, secure, and privacy-compliant encryption solutions build trust among students, employees, and partner institutions.

Now is the ideal time to evaluate existing systems, raise awareness, and integrate encryption solutions for the long term.