Posts

Cryptomator Hub Celebrates Its Second Anniversary – Test New Features in Beta Now!

It’s hard to believe that Cryptomator Hub is already two years old! As a central management platform for encrypted cloud storage solutions, Cryptomator Hub enables businesses and organizations to securely and efficiently manage access and permissions. Since its release on November 2, 2022, we’ve worked hard with our community to develop an even stronger and more secure tool to meet your needs. First of all, a huge thank you to the community! To celebrate this milestone, we’re introducing exciting new features – and the best part: you can test them now in a beta version!

Identity verification by confirming fingerprint characters in Cryptomator Hub 1.4.0

“Web of Trust” – Enhanced Security through Mutual Verification

Our brand-new “Web of Trust” feature adds an extra layer of security to your Cryptomator instance. Until now, users could verify others, but now we’re taking it a step further: once a verification is made, it’s automatically signed and shared, making it possible for others to see when someone has been marked as trustworthy. This creates a network where trust and authenticity become visible.

This feature allows teams to see at a glance how trustworthy someone is within the network, based on prior verifications by other users. It’s especially beneficial for organizations that prioritize secure collaboration and high authenticity, as it makes trust visible and traceable within the platform.

“Create-Vaults Role” – Precise Control Over Vault Creation

With the “Create-Vaults Role,” admins now have the ability to precisely control who can create their own vaults within the Hub. Previously, anyone in the Hub could create new vaults, but now, permissions can be finely configured. For instance, admins can decide that only certain departments, such as IT or HR, can create new vaults. This function ensures clear structure, prevents unwanted vaults, and adapts to your organization’s unique needs. This flexibility is particularly beneficial for larger teams.

Test the Beta Now!

These features are available in the beta version and are waiting for you to try them out. Give us your feedback and help us fine-tune these functions before the official release. The full rollout is planned for the coming weeks – until then, we look forward to your support and insights!

Cryptomator 2.6.3 for iOS: New Features and Bug Fixes

We’re excited to announce the release of Cryptomator iOS version 2.6.3! This update mainly contains important bug fixes to improve your user experience. However, you can also look forward to a small new feature. Let’s take a look at everything in detail!

Key Updates at a Glance

  • New variants of app icons.
  • More comprehensible error dialog introduced when re-authentication is required.
  • Missing lock symbol restored.
New variants of app icons in Cryptomator 2.6.3 for iOS

What’s New?

New App Icons

In this update, we’ve added new app icon variants for dark mode and tinted mode, offering a more personalized look depending on your preferences and environment. Whether you prefer a sleek dark interface or a touch of color, Cryptomator now adapts to your style!

Bug Fixes

Clearer Error Screen for Re-Authentication

Additionally, we’ve made a significant improvement to the error screen. If access to a vault is denied due to authentication issues, the app now provides a clearer message that re-authentication is required in the main app.

Lock Icon in Vault List

Lastly, we’ve addressed an issue many of you reported: the missing lock icon in the vaults list. With this bug fix, you can now quickly see which vaults are unlocked at a glance and easily lock them again using the lock icon.

Final Thoughts

We’re always working to enhance your privacy and security, and this update is no exception! As always, we look forward to your feedback and continue to thank you for your ongoing trust and support.

Cryptomator 1.10.3 for Android: What’s New?

After releasing updates for iOS and the desktop version of Cryptomator last week, it’s now time for Android! The new 1.10.3 update is now available, providing even stronger protection for your data. Let’s take a closer look at the key improvements.

Key Updates at a Glance

  • Migrating vault passwords to GCM
  • Thai as a new language option

What’s New?

Migrating Vault Passwords to GCM

We’ve improved the encryption for vault passwords and cloud credentials! From now on, we’re using AES-256 GCM instead of AES-256 CBC to provide even stronger protection. Passwords and credentials are still securely stored in the Android Keystore, and your data remains protected in internal storage thanks to Android’s sandbox model.

With the app update, existing cloud credentials and vault passwords will automatically migrate to the new format. You may opt out of migrating vault passwords, but if you do, the passwords will be deleted from the app for security reasons.

New Language: Thai

Another exciting update: The Cryptomator app is now available in Thai! We’re thrilled to make our app accessible to even more users around the world and grow our community. This new language option makes it easier and more comfortable for Thai users to enjoy Cryptomator.

A big thank you goes out to our dedicated community for helping us optimize Cryptomator for more countries and languages. If you’d like to contribute to translations, feel free to join us here: https://translate.cryptomator.org.

Conclusion

While the 1.10.3 update for Android might seem small at first glance, the improvements are crucial for the protection of your data. Even though the previous implementation was already secure within the Android ecosystem, we’ve enhanced it to meet the latest security standards.

We appreciate your ongoing feedback and support. Try out the new version and let us know what you think!

Cryptomator 1.14.0: What’s New?

With the 1.14.0 update, Cryptomator introduces exciting new features and important bug fixes, making working with the app even more efficient. In this article, you’ll find all the essential details about the latest features and bug fixes.

The most important updates at a glance:

  • Quick Access feature for faster access to vaults.
  • Bug fix in CryptoFS regarding file modification dates.
  • Bug fix for using Dropbox vaults and Microsoft Office on Windows.

What’s new?

Quick Access Features

Speed and efficiency are crucial for productive work. With the new “Quick Access” feature, Cryptomator now simplifies direct access to vaults in the file manager.

The new “Quick Access” feature provides quick vault access directly in the file manager and is enabled by default. “Quick Access” is available for Windows and all major Linux distributions; however, macOS support is currently unavailable due to missing system interfaces.

Check out the new feature in action in the following video.

Ubuntu(Linux):

Windows:

Auto Start on Linux

Some apps are needed as soon as the computer is ready. Now, this is also possible with Cryptomator on Linux! In the app’s settings, you can configure whether Cryptomator should start automatically when you log in. This feature supports the GNOME and KDE desktop environments and is available when installed via AUR, PPA, or DEB.

Auto Start on Linux

Bug Fixes

Cryptofs, lastModified & pCloud

Good news for all pCloud users! Previously, pCloud users encountered the issue where the “last modified” date was incorrectly set to “today” whenever a file was copied into a vault. We’ve fixed this problem in Cryptomator’s native file system, CryptoFS. The fix also addressed issues with other cloud providers/storage locations (including FAT32-formatted USB sticks).

Microsoft Office and Dropbox

Editing Microsoft Office documents in a Dropbox vault on Windows occasionally led to data loss. The reason: The “WinFsp” drive type is incompatible with both Microsoft Office and Dropbox, but “WinFsp” is the default on Windows. From now on, the correct type, “WinFsp (Local Drive),” is automatically selected when you create or import a new Dropbox vault. Existing vaults can be switched to the correct type in the vault settings under the “Mount” tab.

You can find further changes in the latest Cryptomator release notes.

Closing Remarks

Cryptomator 1.14.0 not only introduces helpful new features but also resolves critical bugs, making your work more secure and efficient. Update to the latest version now and take advantage of these improvements!

We look forward to your feedback and, as always, thank you for your continued support.

Cryptomator 2.6 for iOS: What's New?

All users of our iOS app can look forward to a new release, as version 2.6 is now available! Cryptomator 2.6 not only brings a much-needed bug fix for OneDrive but also introduces exciting new features and improvements that enhance the user experience. Let’s take a closer look at the most important changes.

Key Updates at a Glance

  • Introduction of support for the cloud service Box, enabling secure access to vaults stored in Box.
  • Added translations for Slovenian and Ukrainian.
  • Fixed a bug causing the “Unauthorized” error when uploading files to OneDrive.
  • Removed the “Change Password” option for Hub vaults.
Cryptomator 2.6 for iOS

What’s New?

Support for Box

One of the most significant changes in this version is the introduction of support for box.com. Users who securely store their data on Box can now manage encrypted vaults directly within the Box cloud using Cryptomator. Until April 2023, access to Box was possible via WebDAV, but this connection was discontinued by Box. With this update, access to Box is now available again, with a direct and native integration.

New Language Support

Cryptomator 2.6 is becoming even more international and user-friendly: the app is now available in Slovenian and Ukrainian. Expanding language options reflects our commitment to providing simple and secure access to people worldwide. With this update, we aim to offer the best possible user experience to users from various regions.

A big thank you goes to our community, which constantly supports us in making the app accessible to more countries. If you’re interested in contributing to translations, feel free to visit: https://translate.cryptomator.org/

Bug Fixes

OneDrive: “Unauthorized” Error Fixed

A bug affecting many OneDrive users has finally been fixed. When uploading files, some users encountered the “Unauthorized” error, which caused significant disruptions. This issue has been resolved in version 2.6, and uploads should now work smoothly.

Removed Option: “Change Password” for Hub Vaults

The “Change Password” option for Hub vaults has been removed, as Hub vaults do not have individual vault passwords. However, users can still change their passwords for password-based vaults.

Final Thoughts

Cryptomator 2.6 for iOS brings several important improvements and new features designed to help you manage your data more securely and efficiently. Whether it’s the new support for Box, international translations, or bug fixes – this update is focused on optimizing the use of Cryptomator on iOS.

We greatly appreciate your ongoing feedback and support. Try out the new version and let us know what you think!

Current Issue with Google Drive Connection in Cryptomator for Android and iOS

Update 2024-08-22

We’re thrilled to announce that the issue with Google Drive connectivity in Cryptomator for Android and iOS has been fully resolved. Google has accepted the Letter of Approval from our auditing company.

As a result, Google Drive access has been restored, and you can now use Cryptomator as usual without any restrictions.

We deeply appreciate your patience and understanding throughout this period.


Update 2024-08-19

We’re pleased to share a positive update regarding the ongoing issue with Google Drive connectivity in Cryptomator for Android and iOS.

We have just received confirmation from the auditing company that the Letter of Approval (LOA) is set to be submitted to Google within the next 1-2 business days. This is the final step in the verification process, and once submitted, we anticipate that Google Drive access will be restored shortly thereafter.

We are cautiously optimistic that full functionality will be available again within the next few days. We sincerely apologize for the inconvenience this has caused and appreciate your continued patience and understanding as we work through this final stage.


Hello Community!

We would like to inform you about a current issue that some of you may be experiencing while using our Cryptomator apps for Android and iOS. It involves difficulties in connecting to Google Drive that have arisen in the past few days. Here, you will find all the details and updates on our progress in resolving the issue.

What Happened?

Google recently introduced significant changes to its app verification system. These changes particularly affect how apps access services like Google Drive. As a result of this update, you may encounter an error message when trying to connect Google Drive with Cryptomator, stating that Cryptomator is blocked because it is an “unverified app”.

Why Is This Issue Occurring?

Google has substantially tightened the requirements for app verification, especially for apps that access sensitive user data. This not only affects Cryptomator but potentially all apps that integrate with Google services. The aim of these changes is to enhance user security and protect their data. However, as a consequence, apps that have not yet fully adapted to the new system may be temporarily blocked.

What Are We Doing to Resolve the Issue?

We are fully aware of the problem and are working diligently to find a solution. Our team is in close contact with Google to complete the necessary verification processes and re-certify Cryptomator as a trusted app. Unfortunately, this task is more complex than initially anticipated. Google’s new requirements necessitate additional adjustments to our app, which must be carefully implemented and tested.

We want to emphasize that the security of your data is our top priority. Therefore, we are taking the time to thoroughly implement these changes to ensure that Cryptomator remains a secure and reliable solution for your encrypted data.

What Can You Do?

We understand that this issue is frustrating for many of you, and we sincerely apologize for the inconvenience. In the meantime, there are a few things you can do to avoid interrupting your workflow:

  1. Use Alternative Cloud Services: If you cannot use Google Drive at the moment, you have the option to integrate alternative cloud services like Dropbox, OneDrive, or WebDAV-based services in Cryptomator.
  2. Local Decryption: You can still decrypt your encrypted vaults using the desktop application. If the vault is not that large, you can also download it to your mobile device and decrypt it locally.
  3. Monitor Updates: We will keep you regularly informed about the progress of our work. As soon as the issue is resolved, we will promptly notify you with the corresponding updates. Keep an eye on our social media accounts on X and Mastodon for updates.

Outlook

We are confident that we will be able to provide a solution soon. Our goal is to restore full functionality to Cryptomator as quickly as possible. We greatly appreciate your patience and understanding during this time.

Once again, thank you for your support and trust in Cryptomator. We are working tirelessly to provide you with the best possible experience with our app, and we will keep you informed as soon as there are any updates.

Best regards,
The Cryptomator Team

FAQ: Google OAuth Issues in Cryptomator for Android and iOS

Q1: What is the issue with Google Drive and Cryptomator for Android and iOS?
A1: Users are experiencing issues with Google blocking access to your files when using Cryptomator for Android and iOS during the sign-in process.

Q2: How can I access my files? Is there a workaround?
A2: You can always access your files on your Desktop computer or by copying your vault from your Google Drive to your phone’s harddrive and then using Cryptomator for Android and iOS to access them locally.

Q3: Are my files safe? Is my account safe?
A3: Yes. Your files and account both are safe and at no risk of being deleted or accessed by malicious actors. They are not any less safe than they were a week ago. Also your files are still encrypted.

Q4: Is there a problem with my Google account?
A4: No. This is not a problem with your Google account and this should affect all users of Cryptomator for Android and iOS and Google Drive.

Q5: Is Cryptomator for Android and iOS safe?
A5: Yes. Cryptomator for Android is safe and we are currently not aware of any security issues. Also see Q7.

Q6: Which “sensitive info” is Cryptomator for Android and iOS trying to access?
A6: To allow access to the files you have stored in Google Drive and to enable the associated functionality, the Cryptomator app needs access to your Google Drive. Even if the message from Google sounds scary, this is nothing new and nothing to worry about. Also see Q7.

Q7: Why is this happening? Why is Google blocking Cryptomator for Android and iOS?
A7: To enable access to your files stored in Google Drive, Cryptomator needs both your permission and Google’s consent. Google has recently adopted newer and stricter security policies that we must adhere to in order to continue to provide access to your Google Drive in the app. If we don’t prove to Google in time that we comply with these guidelines, access will be blocked, which is what is happening right now. We are currently in the middle of this verification process to regain access, but this is quite time-consuming and labor-intensive, all of which has led to this situation.

Q8: What about Cryptomator for Desktop?
A8: The affected functionality is not offered by Cryptomator for Desktop, so there currently is no problem there.

Cryptomator Hub 1.3.0: The Account Key Update

The release of Cryptomator Hub 1.3.0 marks an exciting feature update, which introduces an Account Key for users. This update, while necessary and beneficial, will require active participation from users. Here’s what to expect during the transition from version 1.2.x to 1.3.0.

ℹ️ Preparation is Key

Before we dive into the upgrade process, ensure every vault admin secures a backup of their Vault Recovery Keys and Vault Admin Passwords. ⚠️ Doubling down on this step is critical; your backups are your safety net. Without them, our hands are tied.

⬆️ Updating Cryptomator Hub (Server) to 1.3.0

This section is only relevant for administrators who host their own Cryptomator Hub instance. If you’re using our managed service, you can skip this section. We will reach out to you to arrange a date and time to update your instance.

As mentioned above, if you’re an administrator of a self-hosted Cryptomator Hub instance, follow these steps to update Cryptomator Hub:

  1. Back up the database. ⚠️ The importance of a working backup cannot be overstated.
  2. Refresh your container image to the latest version: ghcr.io/cryptomator/hub:1.3.0
    • Skip this step if you’re using the stable tag. We will update the stable tag to point to the new version in a couple of weeks.
  3. Implement the changes within your container orchestrator. Monitor for healthy pod statuses before proceeding.

⬆️ Updating Cryptomator (Desktop Client) to 1.11.0

Updating the Cryptomator desktop application is recommended for all users, but not technically required for now. Vaults can still be unlocked using an old version. This backward compatibility provides flexibility for a gradual rollout of the updated app. Nevertheless, making changes to access, incl. adding new members to a vault and adding new devices, requires Cryptomator 1.11.0 or higher.

🔑 Introducing Account Keys

With the updated app, users will encounter a two-step migration on their first unlock attempt:

  1. Secure and store their new personal Account Key. ⚠️ It’s crucial for future logins from other devices.
  2. Use the Account Key to link their Cryptomator device to their account.

This procedure is a one-time requirement for every user. It allows users to self-manage linked devices and vault owners to more easily manage access without having to frequently regrant permissions each time a user logs in from a new device.

👤 Claiming Vault Ownership and Granting Access

After updating to Hub 1.3.0, vault owners (formerly known as vault admins) are prompted to claim their vault again using the Vault Admin Password. Initially, only one user can claim ownership. Subsequently, this primary owner can grant ownership rights to others, thus eliminating the need to share the Vault Admin Password.

Once vault members have navigated through the account migration, vault owners should refresh vault permissions. This action will securely distribute the necessary vault keys to the users.

❓ Frequently Asked Questions

Q: What exactly is my Account Key?
A: The Account Key is your personal secret, required for registering new devices and establishing your identity across different Cryptomator apps and browsers. Treat it with the same level of security as you would with any important password.

Q: How do I retrieve my Account Key if I lose it?
A: You can retrieve your Account Key by logging into your Cryptomator Hub account and navigating to the Profile page. There, you can view your Account Key. If your browser doesn’t have access and you can’t retrieve it anymore, you can reset your account. In this case, you will lose access to all your vaults and the vault owner(s) will have to grant you access again.

Q: Will the update affect my existing vaults and the data they contain?
A: No, the update will not affect your vaults or the data they contain. This update only affects the unlock process and access management, not the encrypted data itself.

Q: What happens to the Vault Admin Password after I reclaim ownership?
A: Upon reclaim, the Vault Admin Password becomes obsolete. You may destroy any copies of it. Compromised Vault Admin Passwords don’t pose a threat to the security of the vault.

Q: Is the process for adding new users to a vault different?
A: The difference is that you don’t grant access to each and every device, but to the user once, thanks to the Account Key. The user can link their devices to their account and access the vault from any of them without having to ask for permission again.

Q: What should I do if I encounter problems during the upgrade process?
A: If you encounter any problems during the upgrade process, please contact us at [email protected].

📋 Wrapping Up

The upgrade to Cryptomator Hub 1.3.0 and Cryptomator 1.11.0 is more than a routine update. It’s a shift towards greater security and user agency. Prepare for the update by backing up essential data, and follow the outlined steps to ensure a smooth transition. Embrace the change, as it brings forward a more robust and user-friendly way to manage your vaults.

Cryptomator 1.10.0 Release

We’re happy to announce the release of Cryptomator 1.10.0. 🎉 Let’s dive into what this new release has to offer!

Expert Settings During Vault Creation

We understand that expert users desire more control and would like to override some default values in the vault configuration file. That’s why the new version brings the addition of expert settings during vault creation. For now, you can set the maximum length of encrypted file names. This feature ensures that Cryptomator adapts to the peculiarities of various cloud storage systems. 🛠️

Expert Settings During Vault Creation

Proper Tray Menu Support on Linux

A huge shoutout to Ralph (purejava on GitHub) for his open-source contribution once again! 🙌 Thanks to his efforts, we now have proper tray menu support with AppIndicator integration. It’s yet another step towards making Cryptomator feel native and fluid for Linux users.

Proper Tray Menu Support on Linux

AArch64 Build for AppImage

Good news for Linux users on AArch64 architectures! 🎉 Cryptomator 1.10.0 includes an AArch64 build for AppImage. With this addition, we’re expanding our reach and welcome more Linux users.

Improved Error Dialog

Encountering an error can be frustrating 😓, especially when you’re not sure what to do next. We’ve redesigned our error dialog to focus on solutions. Now, when you run into an error, the dialog will guide you to a potential solution if it exists in our error database. This enhancement aims to make troubleshooting more user-friendly and efficient. ✅

Improved Error Dialog

Refreshed macOS App Icon

Mac users, we haven’t forgotten about you! 🍏 Aesthetics matter, and with this update, Cryptomator boasts a brand-new app icon for macOS. How do you like Cryptobot in a squircle?

Refreshed macOS App Icon

Conclusion

Cryptomator 1.10.0 brings a mix of enhancements and several bug fixes to ensure a smoother user experience. As always, your feedback is welcome. For a detailed list of all changes, please check out the release notes.

A special thank you to Bas (Rexbas on GitHub) and Sebastian (sschuberth on GitHub) for their open-source contributions as well. :glowing_star:

Thank you for your continued support and trust in Cryptomator. ❤️ Update to 1.10.0 now and let us know what you think!

Happy crypting! 🔒

Cryptomator Hub 1.2.0: More Control and Flexibility

We’re excited to release Cryptomator Hub 1.2.0, featuring essential updates for both administrators and users. 🎉 Let’s dive into what’s new.

🗒️ Audit Logs (Premium Feature)

Our new Audit Logs feature, available with a paid license, empowers administrators with insights into user activities. Monitor vault changes, key retrievals, and other essential activities, providing an extra layer of transparency and accountability within your organization.

⚙️ Improved Vault Management

With the “Edit Vault Metadata” action, customizing vault details is now possible. You can now change the name and description of your vaults, helping you keep your vaults organized and easily identifiable. Plus, vault names no longer need to be unique, offering more flexibility.

We’ve also added the “Archive Vault” action, allowing you to remove vaults from your list. Easily reactivate archived vaults whenever needed.

👤 Streamlined User Profile Page

Our new “User Profile” page centralizes device management and user settings in one convenient location. Additionally, we’ve integrated a “Manage Account” link for users to be able to change their password and configure 2FA via Keycloak.

⬆️ Upgrade Info

Upgrading to 1.2.0 is simple. If you are on the stable lane, you just have to pull the image and restart the service. Otherwise, update the version number in your Docker Compose or Kubernetes spec file before you restart the service. Remember to always back up your data, especially before upgrading. For managed instances, rest assured, you’re already on the latest version.

⏭️ What’s Next

We’re embarking on a significant refactoring journey for our key management system in the next feature update. This update will introduce “user keys” as intermediary key pairs between vault keys and device keys. Vault owners will then grant access to users and not individual devices, which allows users to manage their devices independently.

This refactoring will deprecate vault admin passwords and introduce the vault owner role, providing a more secure and efficient way to manage your vaults.

Stay tuned for more exciting updates!

Cryptomator 1.8.0 for Android

As you may have already noticed, we released Cryptomator 1.8.0 for Android last month! It contains a lot of internal changes, a bunch of new features, and some bug fixes.

This release took quite some time, but we finally made it. 🎉 In addition to the release notes, we’d like to give you more details about some changes.

Material 3 Design

The most obvious change in this release is the migration to Material 3, which modernizes the user interface.

Cryptomator Lite: Reproducible Build and F-Droid

A less obvious change is that we now offer a new flavor: Cryptomator Lite.

This version is built using a reproducible build technique, which has two advantages: You as a user can verify that the published source code matches the published binary, which in turn means that we didn’t and couldn’t add anything during build time.

The other advantage is that this technique allows us to publish our app to stores like the main F-Droid repository, but sign it with our keys, which means we still have control over the signing keys.

Cryptomator Lite can be built using the following Docker image and then compared to the corresponding releases: https://github.com/cryptomator/android/blob/main/buildsystem/Dockerfile

AES-GCM: New Default for Content Encryption

Starting with Cryptomator 1.8.0 for Android, we will follow our Desktop application: All newly created vaults will use AES-GCM instead of AES-CTR+HMAC for file content encryption.

You can continue to use your existing vaults as before, no action is required on your part. Cryptomator for Android will support both modes of operation.

Read more about this in the Cryptomator 1.7.0 blog post.

Cryptomator Hub: Managed – Request Access Now

We are happy to announce that managed instances of Cryptomator Hub are now available! 🎉 And we have released Hub 1.1.0 with recovery key support.

Request Access

First things first. 🚀 To get started, you can now request access to a managed instance of Cryptomator Hub. After your request, we will get back to you as soon as possible. Currently, some of the steps we take internally to create a managed Hub instance are still done “manually”. We are working on automating this process, but we didn’t want to delay the release any longer.

Managed vs. Self-Hosted

Managed instances of Cryptomator Hub are a great way to start using Cryptomator Hub right away without having to deploy and maintain your self-hosted instance.

Until now, you could only use the self-hosted version of Hub. This requires a lot of knowledge about how to deploy a software container using Kubernetes or Docker Compose. And if you have the knowledge, you still have to maintain the instance yourself. This includes updating the software, monitoring the instance, and keeping it secure.

With managed instances, we will take care of deploying and maintaining your Hub instance, while ensuring that your instance is highly available. You can focus on your work and your team.

This is all possible because of the underlying zero-knowledge key management. Cryptomator Hub doesn’t store unencrypted keys. All key material remains locally on the client. We can’t decrypt your data. It also helps that Hub is independent of your cloud storage provider, which means we have no access to either the key material or the cloud files.

Release 1.1.0: Recovery Key

We didn’t stop there and released Cryptomator Hub 1.1.0 with recovery key support. This allows you to access your data in case of disaster. Not only that, the recovery key is compatible with Cryptomator’s recovery key. This means you can convert your existing vaults to Hub vaults and vice versa.

What does that mean for your managed instance? If we cease to exist (we get asked this a lot, thanks to Boxcryptor 😉), you can convert your Hub vaults to “regular” password-based vaults, completely offline, so that you always have access to your data under any circumstances. This is also great for your self-hosted instance if something happens to your server.

Cryptomator 1.7.0: What You Need to Know

If you’re subscribed to our releases on GitHub, this is already old news for you: We have released the first beta of the upcoming Cryptomator 1.7.0! It contains a lot of internal changes and a bunch of new features, some of which are almost as old as Cryptomator itself.

We are very proud of this release, as it eliminates technical debt, delivers long-awaited features, and prepares Cryptomator Desktop for the future. But putting aside about 3,000 lines of code changes and a 4-month development iteration (not counting work in our libraries), let’s dive into this release to see what you, the user, will get out of it.

Cryptomator 1.7.0 Release

Locate Encrypted File

As already mentioned, Cryptomator 1.7.0 includes a feature that has been requested for a very long time: Locating the encrypted counterpart of a file. Sounds complex, but once you remember that Cryptomator encrypts filenames and obfuscates the directory structure (see our docs), it is easy to understand.

Prior to 1.7.0, you had to guess which encrypted file corresponds to which cleartext file based on the exact timestamps. Now, once the vault is unlocked, the encrypted counterpart of any file in the vault can be revealed by clicking on the “Locate Encrypted File” button and selecting a file in the vault. Or you can simply drag and drop the files from your vault onto this button. See for yourself in this short video:

Experimental Support for FUSE-T

On macOS, Cryptomator can use two different technologies to integrate your vault into the system: macFUSE and WebDAV. Unfortunately, the WebDAV implementation on macOS is not the most reliable one. Starting with Apple Silicon Macs, it became unusable for some users who reported system freezes. To make matters worse, macFUSE, which has been the preferred option for at least 3 years, is also on its last legs. Apple has deprecated the OS APIs used by macFUSE since macOS 12.3.

For the past year, we have been desperately searching for an alternative. Our proof of concept using Apple’s File Provider framework was not very convincing and would basically require a whole new architecture. Fortunately, you, our community, informed us about an alternative: FUSE-T.

FUSE-T is a young project that does not rely on deprecated macOS APIs and can be used as a drop-in-replacement for macFUSE. It requires a much less deep system integration than macFUSE while offering a similar performance. This makes Cryptomator ready for the medium-term future on macOS. But since FUSE-T is quite young, support for it is experimental for now. We encourage you to try it though!

Experimental Support for FUSE-T

So, while the File Provider extension is not out of our sight, we are relieved to be able to offer you a stable system integration of your Cryptomator vaults.

Volume Types Overhaul

Looking at the screenshot above, you might have noticed: The volume types have changed, too. That’s right, and that’s because we rewrote the entire volume type selection and internal wiring logic. It was a huge development effort, but it resulted in a less complex and easier to maintain architecture under the hood. It also resulted in more options for you.

More Options

The old implementation basically offered 3 (or 2) options: WebDAV, Dokany, and FUSE. Now, specialized implementations are offered for each OS. For example, on Windows you can select between WinFsp, WinFsp (Local Drive), Dokany, WebDAV (Windows Explorer) and WebDAV (Fallback).

But don’t worry, this selection is only important if you have special requirements for the virtual drive. Otherwise, Cryptomator has a new “Automatic” option and is set up to choose the best suited option for you, and you don’t need to worry about it.

We have even added an emergency option: The aforementioned “WebDAV (Fallback)”. If you can’t mount your vault at all, it makes your vault accessible via a local-only server using the web standard WebDAV. We’ll have a guide describing this in more detail soon.

WinFsp Change: Local vs. Network Drive

Windows users may notice that their vault is now mounted as a network drive by default. This has the advantage of better performance when listing large directories. The disadvantage is that it cannot be mounted into a directory. Accessing the vault as a privileged user is still possible by using the UNC path.

WinFsp Change: Local vs. Network Drive

If you really need a local drive, you can always change the volume type in the preferences.

Dokany Deprecation

With the release of Cryptomator 1.7.0, we will officially deprecate Dokany support.

Dokany, like FUSE, provides a file system interface to mount virtual drives without requiring elevated privileges. We started supporting Dokany 3 years ago with version 1.4.0. But things didn’t go as smoothly with the Dokany volume as we had hoped, so we decided to focus our development efforts on a single file system interface. All Dokany-related issues on GitHub will be closed, and our general recommendation is to use WinFSP which comes with the EXE installer of Cryptomator. You will still be able to use Dokany, but it won’t get any updates and support will eventually be removed.

It was a great time, and we wish the Dokany project all the best!

Linux AArch64 Builds

With Cryptomator 1.7.0, we’ll finally ship AArch64 builds of Cryptomator via Flatpak and PPA.

One big obstacle was the aforementioned FUSE file system API on Linux. We were using a rather old project to build the bridge between Cryptomator and FUSE. Thanks to a fantastic development effort started by our lead architect, we now use state-of-the-art technology to implement this bridge. The result is bundled in the library called jFUSE. Not only were we able to change the bridge, we were also able to update to a new major version of FUSE and pave the way to support features like extended attributes.

The AppImage is still x86_x64 only, but we plan to deliver it also in AArch64 architecture eventually.

AES-GCM: New Default for Content Encryption

Starting with Cryptomator 1.7.0, newly created vaults will use AES-GCM instead of AES-CTR+HMAC for file content encryption.

Nowadays, almost all non-embedded devices offer hardware acceleration of the Galois/Counter Mode of operation, so encryption and decryption should be significantly faster than in the old mode of operation. The support in our underlying cryptographic library cryptolib was already added in June 2021 with version 2.0.0. But instead of jumping the gun, we gave it a proper testing period and are now confident to ship this improvement to you.

Of course, our mobile apps also support AES-GCM, although vaults created in iOS or Android will continue to use AES-CTR+HMAC for the time being. The mobile apps are scheduled to switch in their next minor release.

You can continue to use your existing vaults as before. There are no vault upgrades and there is no action required on your part. Cryptomator will support both modes of operation.

Boxcryptor Shuts Down – Here is Your Cloud Encryption Alternative

As mentioned in the last blog post, Dropbox has acquired Boxcryptor’s key technology. This means that Boxcryptor’s services will no longer be available to new users and existing users will likely have to migrate when their contracts expire.

We are here to stay and offer you the chance to try our open-source software. Cryptomator is free and can be used without an account. Just download and get started.

If you’re looking for a replacement, you’ve come to the right place. We compare the features of Boxcryptor with those of Cryptomator. See for yourself!

Cryptomator is constantly analysed by experts using modern tools.

Features of Boxcryptor

  • Encryption of all major cloud providers
  • Was available on Windows, macOS, Linux (portable only), iOS, and Android
  • End-to-end and zero-knowledge encryption
  • Filename encryption was only available in a paid plan
  • Plans start with €36 per year, business plan for €72 a year
  • Closed-source software
  • Software “Made in Germany”

Features of Cryptomator

  • Encryption of all major cloud providers (no restriction on Desktop app; mobile apps compatible with Dropbox, Google Drive, OneDrive, pCloud, iCloud Drive on iOS, and any cloud via WebDAV and S3)
  • Available on Windows, macOS, Linux, iOS, and Android
  • Both for personal use and for businesses: Cryptomator Hub
  • End-to-end and zero-knowledge encryption
  • Free Desktop app, one-time purchase (€15) for the mobile app, no subscription
  • Maximum transparency through open-source software
  • Unlimited number of devices
  • Password recovery through offline key recovery
  • Software “Made in Germany”
Cryptomator allows you to access your cleartext data without the need to remove encryption protection.

How to Migrate From Boxcryptor to Cryptomator

Switching from Boxcryptor to Cryptomator is simple. Boxcryptor provides an off-migration guide on their website to decrypt all Boxcryptor encrypted files. Make sure that your sensitive data is at no point unencrypted in the cloud. Then, you set up Cryptomator so you can encrypt and securely sync those files back to the cloud.

How to Easily Set Up Cryptomator

  1. Download and install Cryptomator.
  2. Once Cryptomator is installed, you can create a new vault.
  3. Give your vault a name.
  4. Now select a cloud storage of your choice as the storage location of your vault.
  5. Enter a password.

And you have successfully created your first vault.

If you want, you can unlock it immediately and reveal the virtual drive. From now on, you can store your sensitive files here, e.g., the data that you previously encrypted with Boxcryptor, in order to encrypt them in the cloud with Cryptomator from now on. Detailed instructions are available here.

Congratulations Boxcryptor & Dropbox! – We Are Here to Stay

You may have heard that Boxcryptor’s IP technology has been acquired by Dropbox. Congratulations to both companies and we wish them all the best for the future! 🎉

For quite some time, Cryptomator has been seen as an alternative to Boxcryptor and you can bet that we were very surprised by this news. On today’s Computer Security Day, we want to take the opportunity to let you all know that Cryptomator is here to stay. ❤️

What does this mean for Cryptomator?

Obviously, we are not affected by this acquisition. We are still the same team, with the same goals, and the same vision. Skymatic GmbH will continue to develop and maintain Cryptomator and we will continue to provide you with a free and open-source solution for end-to-end encryption. 🚀

The concept behind Cryptomator does not depend on any single cloud provider and we will continue to support as many cloud providers as we can.

Cryptomator is an application that runs solely on the device and does not require any infrastructure from the vendor. This means that even if Skymatic GmbH ceases to operate, existing and new users can continue to use Cryptomator.

Again and again, we have observed many times how proprietary services can be influenced by acquisitions in a very sensitive manner. Our belief is that the right to digital self-defense cannot simply be sold. This is not the only reason why Cryptomator relies on open-source licenses. GPLv3 (a copyleft license) guarantees that even in the event of an acquisition, the technology cannot be taken off the market.

With open-source tools, it has been shown in the past that a fork of the application can coexist or replace the actual app if it no longer exists. This means that even if Skymatic GmbH, together with the community, stops developing Cryptomator or sells Cryptomator to a third party, it is very likely that one of the many forks of Cryptomator will continue to be actively maintained and developed by the community.

What does this mean for Dropbox users?

It’s probably too early to tell but Dropbox plans to offer end-to-end encryption to its business users only. We are happy to see that Dropbox is taking end-to-end encryption seriously.

Cryptomator works very well with Dropbox and for now, encrypting your Dropbox with Cryptomator is the best option.

What does this mean for Boxcryptor users?

We are very sorry to hear that Boxcryptor is going to end its existing service. It is no longer available for new users and existing users will likely have to migrate when their contracts expire. If you are affected by this, we welcome you to give Cryptomator a try. 😉 Feel free to check out our community for help and support.

Cryptomator can be downloaded for all major operating systems and is ideal for personal use out of the box. The Desktop app is free to use and the mobile apps can be purchased for a one-time fee.

If you are looking for a team and enterprise solution, check out Cryptomator Hub, which is open source as well. 🎉

Thanks

Cryptomator started almost nine years ago as a side project. We are now a team of passionate developers and are happy to be able to work on Cryptomator. Kudos to all of our open-source contributors, translators, and testers! We are grateful for all the support we have received from the Cryptomator community over the years and for the trust you have placed in us. Special thanks to our sponsors and supporters!

We feel like that we are just getting started and have great updates coming up! To support the ongoing open-source development of Cryptomator, consider donating or sponsoring. ❤️

Cryptomator Hub 1.0 Release

We are happy to announce that Cryptomator Hub, the team and enterprise solution for Cryptomator, is now ready for production use! 🎉 Huge thanks to our testers that participated in our open beta over the last 3 months for their feedback. ❤️

What is Cryptomator Hub?

In short: Cryptomator Hub adds access management for your Cryptomator vaults. It enables a secure way for you to work in teams with confidential and sensitive files for any cloud storage.

Check out our quick introduction video to learn more about the basics.

How does Cryptomator Hub work?

Cryptomator Hub is based on the same concept of a vault, a secure file storage for syncing to the cloud with end-to-end encryption. New is that Hub replaces the vault password with a central access management.

Individual access to Cryptomator vaults is secured through server-side authentication and key management. Hub manages key material based on a zero-knowledge solution without getting in touch with unencrypted keys. Learn more.

How can I get started?

The self-hosted solution is delivered as a software container and can be deployed using Kubernetes or Docker. Vist the landing page of Cryptomator Hub to get started.

Hub can be used for free for up to 5 team members. For larger teams and companies, an annual license can be purchased through the website at $6.00 per seat per month. Until the end of the year, there is a promotional discount that gives 25% off for the first year. 🎊

And as always, Cryptomator Hub is fully open source. If you have more questions, let us know in the discussion below or contact us. We are looking forward to your feedback! 🤖

Cryptomator Roadmap Early 2022

There have been a lot of changes in the past year. With this roadmap, we want to give you an overview of what has changed in Cryptomator and what you can look forward to in the coming months.

iOS Version

At the end of last year, we were finally able to introduce our new iOS app. One of the main features is the full integration with Apple’s own Files app. We also made it possible to offer you a “freemium” version of the app. If you want to know even more about the new features, check out this blog post. Since then, we’ve been working on bringing you more features through several updates, such as the auto-lock feature that came with version 2.1.0. With the just released version 2.2.0, we integrated pCloud and added support for shortcuts in Google Drive.

We have a lot more planned for the app in the coming months. We will integrate Cryptomator into Shortcuts so that automation processes such as “auto photo upload” are possible. We also plan to integrate S3, as we did with our Android app.

Android Version

Over the past few months, we have been working on increasing the compatibility of Cryptomator. This includes the fact that we now support pCloud, S3, and Vault Format 8. Thanks again Manuel (mjenny on GitHub) for contributing support for pCloud and S3. Also, Cryptomator can now be installed and updated via F-Droid. Vaults in Google Drive can now be used via shortcuts in locations outside of “My Drive”. This works in “Shared with Me”, “My Computer”, and “My Drive” for example. With OneDrive, it is possible to use multiple accounts at the same time. We will make this feature available for Dropbox and Google Drive in the future. In addition, a “real” auto photo upload is available in the Android version, meaning new pictures and videos are now uploaded not only after unlocking the vault, but directly when it is unlocked.

In the coming months, we will switch the Android app to a freemium model, as we did with iOS, and continue to work on the long-awaited document provider.

Desktop Version

With version 1.6.0 announced in the last roadmap, we introduced Vault Format 8 for our Desktop version. You can read more about it here. For better usability, we have introduced error codes and a knowledge base of those, where you can look up solutions for the issue you’ve encountered. We also introduced an auto-lock feature that automatically locks the vaults after a self-defined inactivity time as well as a plugin API. The first plugin for Cryptomator is the KeePassXC plugin via an open-source contribution by Ralph (purejava on GitHub). Furthermore, we improved our build systems so that applications/installers for all operating systems are automatically built and signed (instead of manually).

Two years ago, one might remember that we announced to focus our efforts on Flatpak distribution. However, that didn’t go as planned and progress on it came to a halt… until recently. Our regular open-source contributor Ralph (purejava on GitHub) once again came to our rescue. And we actually did it! Cryptomator is now available on Flathub as a Flatpak app. Again, huge thanks to Ralph for his amazing contribution!

For the Desktop version of Cryptomator, we have some major topics coming up in the near future. On the one hand, we are working on a major FUSE refactoring. Among other things, this is necessary to be able to offer ARM64 support on Windows and Linux as well. On Apple Silicon Macs, we have already supported this for a few releases. On the other hand, we want to address the open issues related to extended attributes. More precisely, we are talking about additional file attributes that enable tagging and fix compatibility issues. Of course, these attributes will be encrypted just like the filename.

If you read this far, we’d like to share a secret with you. We are currently working on Cryptomator Hub. That’s it for now but you’ll definitely hear more about it this year.

Cryptomator 1.6.7 Release: Major Changes on Windows

Hello Community!

The last blog post is already a while ago. We hope you’re all doing fine. Cryptomator 1.6.7 for Desktop is out now and let’s explore the changes together since it’s more than just a “patch”! The update contains some noteworthy changes, especially for Windows users.

New Installer

With Cryptomator 1.6.0, instead of delivering a “regular” executable for installation, we provided a Windows Installer package to allow easier scripted deployment of Cryptomator. But this approach also had drawbacks: We couldn’t bundle third-party drivers (i.e., Dokany) leading to inferior user experience.

These dire times are over! When you head over to downloads and select Windows, you’re getting an executable again that bundles the MSI installer as well as additional dependencies. Furthermore, it supports command-line parameters (e.g., /quiet). For a complete list, run the installer with the /? parameter.

If you want to download the “pure” MSI installer without dependencies, it’s also available on the downloads site or head over to the release on GitHub.

New Default VFS Driver (Virtual Volume)

As already mentioned, the new EXE installer can include dependencies again, so we added one right from the start: WinFsp.

This decision is mainly based on the long-term maintenance effort. The integration of a vault into the OS currently supports WebDAV (legacy), Dokany (Windows), and FUSE (all systems). FUSE support (provided by WinFSP) on Windows is now available for quite a while and feedback was very promising. The time has come to make this the default choice so we can focus on a common code base.

WebDAV and Dokany will remain part of Cryptomator, should you prefer it in your individual setup. Please note that Dokany 2.x is not yet supported and our existing Dokany 1.x glue code requires a migration.

There are some known issues with WinFsp though:

  • If you are logged in to Windows via an AzureAD account, vaults can only be accessed read-only.
  • Access with the admin rights is only possible when the vault is mounted into a directory (as opposed to a drive letter).

If you aren’t affected by any of these issues, we encourage you to use WinFsp/FUSE.

Those were the two major changes you should know about. For all changes, have a look at the changelog.

We hope you are enjoying this Cryptomator update.

Vulnerability in iOS Version 2.0.0–2.0.3 (Please update to 2.0.4)

We always claimed that if there once were a security issue with Cryptomator, we’d be unable to hide it. Now it happened: A user reported an issue in our iOS app that we consider severe.

While such issues can happen in any type of project (as recently demonstrated by infamous bugs in log4j and Exchange), users of open-source software can at least rely on known vulnerabilities not being kept secret for marketing purposes.

In this spirit, we want to share with you all the details of this vulnerability.

What happened?

When decrypting files for the iOS Files app, the cleartext file needs to be physically stored on the file system and a path leading to this file is handed over to the Files app.

If iCloud Backup is enabled on this device, the cleartext file is included in the backup, effectively leaking it to Apple.

What files are affected?

Only files that you actually opened from within the Files app have been decrypted. All remaining vault contents are unaffected.

Furthermore, the device needs to have made an iCloud Backup while a vulnerable version has been in use (2.0.0 released 2021-12-21, fixed in 2.0.4 released 2021-12-26).

If iCloud Backup is disabled, no decrypted files left your device.

Can leaked files be deleted from existing backups?

While we don’t know how reliably Apple erases data, you can in fact exclude individual apps from iCloud Backup and remove existing backups.

When was the vulnerability reported?

The issue was reported by a community member on 2021-12-25 at 13:15h UTC.

When was the vulnerability fixed?

We committed a fix two hours later at 15:28h UTC and submitted the app to Apple immediately. Apple released the fixed version 2.0.4 on the next day.

Are vaults located on iCloud still encrypted?

Yes, the vaults themselves are still fully protected, regardless of which cloud storage is being used.

Why is there decrypted data in the first place?

At some point, you need to have cleartext data, otherwise you can’t work with them. Cryptomator is fully integrated into the Files app, which means that it is bound to and limited by the File Provider Extension API. It requires to have readable (cleartext) data readily available. Keep in mind that Cryptomator’s target is to ensure privacy in the cloud and not on the device itself.

Are there any other plans regarding the local cache?

We are currently investigating if we can shorten the lifetime of decrypted data. As mentioned before, mechanisms that affect the File Provider Extension are out of our hands. But for example, clearing the cache after the vault has been locked in combination with auto-lock can certainly be helpful if you’d like to tighten the longevity of decrypted data.

How does the development team make sure to avoid issues?

While claiming to write bug-free software would be a blatant lie, we can promise to do our best to avoid such vulnerabilities.

But all the best practices, automated code analysis, highest test coverage and consulting external experts doesn’t help to rule out all possibilities, especially when caused by interaction with a third-party tool.

The rewritten iOS app has been tested by more than 2,300 beta testers over a period of half a year. After all, it was just very bad luck that this issue has not been discovered during this beta.

Cryptomator 2.0 for iOS Release

We are happy to announce that Cryptomator 2.0 for iOS is now available in the App Store! 🎉 We’d like to express our gratitude to our over 2,300 TestFlight users for testing the app over the last 6 months. ❤️

Cryptomator 2.0 for iOS

Last year in April, we started to rebuild our iOS app from scratch. That’s why we decided to develop Cryptomator 2.0 in Swift. This will make it easier for us to maintain the app in the future.

Of course, the new app also comes with some new features. With Cryptomator 2.0, you get an app that is completely integrated into Apple’s own Files app. This means that your vaults are directly accessible from there. For example, you can now save and edit a Word document directly in an encrypted vault via the Files app. In addition, features like thumbnails, grid view, swiping through images, and drag & drop are possible with the new app.

Transparency is also very important to us with Cryptomator 2.0. Therefore, the entire Cryptomator family, including the new app, remains fully open source. You can check out the repository on GitHub here.

But we didn’t stop there. For the first time, the new app is available as a “freemium” app. This means that in the free version, you can access your vaults in “read-only” mode. If you only need quick access to your vaults on the go, which were created with the Desktop application, then this is the perfect “companion” app. If you don’t want to miss out on write access to your vaults, you can unlock the full version via a one-time purchase for $11.99 after a 30-day trial.

As promised, users of our old Cryptomator app can switch to the new app for free. We have tried to make the upgrade as easy as possible for you. All you have to do is make sure that the previous app is up to date when you start the new app so that you can select the upgrade option. To make the transition easier for you, the previous app will be available in the App Store for a short transition period.

At this point, we would like to thank you once again for your support, without which the project would not have been possible. 😊

We are already looking forward to your feedback! 🤖

Cryptomator 1.6.0: What You Need to Know

Hello Community!

In this blog post, we’d like to give you some news about the upcoming major update of Cryptomator to version 1.6.0. We’ll be highlighting the most significant changes and new features and make sure that you are ready for the update.

Cryptomator 1.6.0 Release

Changes and Features

The two most important changes are the usage of a new vault format (version 8) and a long promised integration of the Sanitizer (now called Vault Health Check). For a more complete list, read the release page of Cryptomator.

Auto Lock

A feature already wished in its earliest days will be present: Auto Lock – the automatic locking of a vault. For every vault you can set up an idle timer after which the vault is automatically locked. If any write or read happens during the time span, the timer is reset.

Redesigned Error Dialog

After a lot of indirect feedback from you about the error dialog, we decided to change its design to fit more of your needs. The most obvious and important change is the new error code. It might be as cryptic as the already existing stack trace, but it speeds up the search for solutions or workarounds for your specific problem in our error code database. Along with the error code the dialog also provides links to quickly query the database. And if the error is not yet known, it’ll make it easier for you to report it in a format that helps us understand the problem.

Vault Format 8

The big change behind the scenes is a new vault format. Starting with 1.6.0, it will be used by default and enforced. The new format prepares Cryptomator for future features and corrects inconsistencies in former versions. For more details, check out the more-in-depth article about it.

Vault Health Check

We added an integrated tool to detect and fix structural problems of a vault (e.g., missing directories). Until Cryptomator 1.5.0, this task was done by the so-called Sanitizer. But the tool was hard to maintain and hard to use so that it was abandoned with the goal to integrate similar functionality directly within Cryptomator.

This plan finally bore fruit into a workflow to perform different checks on a vault to detect common problems. The results are shown on the fly and once the check is finished, you can export the results. For 1.6.0, there will be only three checks to execute, but we plan to add more. But keep in mind that the Health Check is not designed as a magical fix-all-tool. If you are encountering problems with a vault, make sure that the vault files are properly synchronized before running this tool. That said, of course, we appreciate feedback about it regarding usability and functionality.

Plugin API

Cryptomator is now able to load plugins from a dedicated plugin directory. In the long run, this allows integrating third party services, e.g. enter password via password manager. The feature is still experimental and might change over time. A first plugin is already available: A KeePassXC integration developed by PureJava. You can download it here.

Update Guide

In general, you should update, because you not only benefit from new features, but also from bug fixes. Still, you might consider to delay the update, because Cryptomator 1.6.0 enforces the new format, i.e. old vaults need to be migrated in order to unlock them, and once a vault is migrated, older desktop versions won’t be able to open it.

Of course, and as always, Cryptomator provides a migration from older formats to version 8. But to perform it, the app needs write access to the vault files (configuration files and encrypted data). Details about the migration can be found in the vault format 8 article. ​ You should wait with the update, if

  • you cannot update all Cryptomator apps (desktop and mobile)
  • you don’t have write access to all the vaults you use.

When you decide to update, there is one last issue you need to check beforehand: If you ever manually altered the setting file filenameLengthLimit for a vault in the settings.json file, these modifications will be lost after the update and will be ignored if simply copied back. A guide to migrate in this setting will be published soon.

Vault Format 8

Hello Community!

We’d like to give you some information about an important part of the upcoming 1.6.0 release: The new vault format in version 8.

Yes, a new vault format. The ones who remember the last upgrade might start to groan, because last time the migration process from vault format 6 to 7 was in some cases not without hiccups. But don’t worry, this time the changes are significantly less invasive!

This article will give motivation for designing the new format, what the changes are in detail, and sketches how the migration process looks like, such that you know what you are up to. ​

The Motivation

The storage location of the masterkey is a topic, which in the early days of Cryptomator already raised a lot of questions and led to several feature requests. (e.g., look at the number of clicks in https://community.cryptomator.org/t/why-is-the-masterkey-stored-in-the-cloud/)

So, what is all the fuss about? The masterkey of a vault is stored within the vault structure in a file called masterkey.cryptomator and encrypted with state-of-the-art algorithms. Its location is not a security risk and, additionally, the location ensures that this integral part of a vault is always moved with the vault. Admittedly, calling the file “masterkey” is an arguable decision, but it’s definitely obvious that the file is important.

But this isn’t about the name. By hardwiring where the masterkey is stored, we lose flexibility to load it from somewhere else. (A relating feature request is under the first 100 tickets of Cryptomator!) What if a user has a hardware token which could store it? Or what if a company has a centralized key management with single sign-on and wants to use it with Cryptomator? And even if workarounds for the above questions are found, how to deal with them when the vault structure/format changes? ​ These questions led to the idea of decoupling the masterkey retrieval from the vault structure and eventually into the design of vault format 8. ​

The Changes

With vault format 8, we introduce a new file named vault.cryptomator for every vault located in the vault root. This is the vault configuration file. Together with the data directory named d, they form the required minimum for a valid vault.

The vault config file is a JWT containing the basic information about the vault (like a unique identifier) and especially where to load the masterkey from. All other parameters that are required to derive the masterkey are not stored in the vault config anymore, which decouples the key derivation from the vault format itself and opens the door to get the masterkey from other sources than just the masterkey.cryptomator file inside the vault. For example, in future releases, you might be able to store the vault masterkey inside a Yubikey or the Microsoft Certification Store. Additionally, with the vault config being a JWT, it is signed by the masterkey itself and ensures that nobody tampered with it.

As noted above, the vault config file can also store additional information. One is the vault-specific threshold of shortening encrypted filenames. Before format 8, this value was set in stone in Cryptomator’s encryption scheme. By specifying it in the vault config, it can be configurable in the future, such that the full capabilities of a vault are also available on more restrictive storage locations.

The encryption scheme, the directory structure, and encrypted files stay the same. ​

The Migration

What do these changes mean for a migration from vault format 7 to 8? Nearly nothing!

The only file edited is masterkey.cryptomator. Hence, for all “online only” users, it would be sufficient to only download this file. For the migration process itself, first, the vault config file vault.cryptomator will be created and filled with the correct values like the aforementioned unique vault identifier and the filename shortening threshold. Second, the already present masterkey file is updated. And third… that’s already it. 😄 No other files need to be altered. ​

As you can see, vault format 8 only imposes a small and easy to migrate change, while making way for interesting and exciting new features. With updating to Cryptomator 1.6.0, vaults of a former version need to be migrated and newly created ones will already be in format 8. Keep in mind that the masterkey file is still needed, since it securely contains the actual key to your vault.​

We hope that your worries about a vault upgrade are reduced and you are eager to update! If you want to know more about the upcoming 1.6.0 version of Cryptomator, continue reading the article about it.

Update on the Document Provider Development

Hey Community,

From time to time, we need to adjust our schedule for certain features. We are well aware that the Document Provider is the most-requested feature of the Android app, but despite this fact, we need to temporarily shift our attention to other tasks within this project. This blog post you’re reading right now is to keep you, our community, updated and inform you that we are unable to stick to our original plan. Unfortunately, this means that any further development of the Document Provider feature needs to be postponed to the end of this year.

The Document Provider Feature

As users of our Android app, you know how cumbersome sometimes the work with it is: You open your favourite notes app to quickly jot something down, then notice that you cannot open your to-do list from the app because you store it encrypted with Cryptomator. So you sigh, open the Cryptomator app, unlock your vault, navigate to the to-do list file and open it with the aforementioned notes app. Definitely not the optimal workflow.

We always strive to provide the same features across all our supported platforms. One of these is a user-friendly integration of the vault into the running OS to easily access content of unlocked vaults. For the desktop systems, this feature was always present and recently we added it in our new iOS app. The last OS, where it is missing is Android. And the way to resolve this, is implementing a Document Provider for our Android app.

The Document Provider feature creates a virtual access point to an unlocked vault, with the consequence that you can conveniently browse and access a vault’s content via the standard file browser. Also, any app which supports browsing through Document Providers can directly load files from your unlocked vault without the need to go via Cryptomator’s app GUI.

Development Status

The development is tracked in the following ticket of our issue tracker: https://github.com/cryptomator/android/issues/35

As you can see, the issue is already quite old and got over the time a countable amount of comments. After publishing the source code of the app at the end of 2020, our plan was to work on this important feature.

From the technical side, we already determined the parts of code needed to be edited, developed a concept and built a proof of concept (see the linked ticket). The next step would be to actually implement it including rigorous testing.

Unfortunately, we determined that integrating Document Provider into the existing app would require major architectural changes, therefore requiring a lot of time and resources. We have exciting plans with Cryptomator after our next major release with version 1.6.0 so that we have to delay the development of the Document Provider integration to the end of 2021.

Meanwhile, maybe you, our community can help us out.

Call for Contributions

Cryptomator for Desktop was always open source. Cryptomator for iOS and Android are now open source as well. And as such, we also rely on our community to receive feedback, distribute the app and improve its functionality.

So, we are always very excited about contributions and are happy to assist, especially when it comes to the Document Provider. 😉

Cryptomator 2.0 for iOS: Open Source and Beta Release

Finally, the time has come! 🎉 The brand new iOS app of Cryptomator can now be tried out in a beta version via TestFlight and the project is now, as previously announced, fully open-source! This means that the entire Cryptomator family is now open-source, consisting of the Desktop, Android, and iOS versions.

Cryptomator 2.0 for iOS: Open Source and Beta Release

The new Cryptomator app with full integration into the Files app of iOS fulfills one of the biggest feature requests. For example, it is now possible to save encrypted files directly into a Cryptomator vault within Word. On iPad, drag & drop is possible with the new app. In general, all features of the Files app are automatically supported by Cryptomator.

Development on the new iOS app started just over a year ago and was rewritten from scratch in the Swift programming language. We are now using the latest tools to develop the app and can therefore support new features of iOS faster. This makes the project more future-proof and easier to maintain. Half a year ago, we were able to open-source the Android app and have released numerous updates with great contributions from the community since then. We couldn’t wait to release the source code of the new iOS app as well. Through open-source, the new app is now accessible to all interested developers and the whole community, as we are used to from our other projects.

We are looking forward to your feedback and contributions and are very grateful to you and the whole community that made this step possible. To support the ongoing open-source development of Cryptomator, consider donating or sponsoring. ❤️

Cryptomator Roadmap Early 2021

Development on Cryptomator 1.5.x is coming to an end and we are now working on the next major version 1.6.x. Read more about it in this roadmap!

State of the Desktop App

The update to version 1.6.0 is just around the corner! The release will mainly contain some invisible changes that will allow us to add new features in a timely manner. One of the main points here is to implement a new vault format (Vault Format 8). It makes the integration of other authentication methods in the future possible, for example to enable 2FA.

Another feature is the integration of a sanitizer. Until now, a separate program was needed to check the state of your vault and to execute cleanup and restore commands. In the future, this will be possible directly in the Cryptomator user interface.

In addition, there is now a prototype for the distribution of Cryptomator as a Microsoft Software Installation (.msi), but the implementation still has alpha character. Furthermore, we have updated Cryptomator to JDK 16 with the latest version 1.5.14, which brings some upstream fixes. Unfortunately, we could not make any progress with regard to Flatpak.

State of the Android App

As you might have noticed in our blog, we finally published the source code of the app! Apart from that, vault format 8 is also a big topic in our development here.

Since the update to version 1.5.14 (currently still in a beta version), pCloud is natively supported by Cryptomator. Many thanks to Manu for his open source contribution! Another small change is that since the update 1.5.13, it is possible to sort the vault list and thus get a better overview of the vaults.

But that’s not all we have planned for the Android app! We are happy to release Cryptomator on F-Droid soon. Also, we hope to be able to include more clouds soon and enable access to content of the vault via third-party apps with a “document provider”.

State of the iOS App

With the introduction of vault format 8, the “old” iOS app will probably get its last major update to version 1.6.0.

Meanwhile, work on the “new” iOS app continues. As announced in the last roadmap, the iOS app will be fully integrated into the Files app. We are already very far along. Nevertheless, we still have some work to do, as we want to offer some features like dark mode or support for multiple accounts from the same cloud provider right from the start.

We can’t promise you an exact release date yet, but we hope we will release a first beta version via TestFlight in the summer.

Open Source: Cryptomator for Android

We announced it last month and now we are ready… our gift to the community for the holidays: Cryptomator for Android is now fully open-source! Check out the repository here: https://github.com/cryptomator/android

Cryptomator for Android is now open-source

There will definitely be a transition phase and learning curve for us to fine-tune the repository and coordinate open-source contributions but it shouldn’t be too far off the “main” repository Cryptomator for Windows, macOS, and Linux, which was open-source from the beginning.

We are looking forward to your contributions and are very grateful to you and the whole community that made this step possible. To support the ongoing open-source development of Cryptomator, consider donating or sponsoring. ❤️

And what about Cryptomator for iOS? To quote from our “Roadmap Late 2020”:

We won’t open-source the current app anymore because we’d like to look forward. The new app is written with open-sourcing it in mind but it will still take some time until we can release anything.

Happy holidays and a happy new year! 🎁

Cryptomator Roadmap Late 2020

We recently released Cryptomator 1.5.10 for Windows, macOS, and Linux with many new features and bugfixes. Well, actually the changes were in 1.5.9 but we followed it up with a hotfix release. 😁 With the (crazy) year nearing its end, we’d like to give you some insight to our roadmap across all platforms for the upcoming months!

State of the Desktop App

With the redesign and full rewrite of the UI in 1.5.0, we established a good foundation for adding further features. There was one former feature that didn’t make the cut though, which is now back with the latest version: Vault Statistics. 🎉

Vault Statistics in Cryptomator

We didn’t stop there! Vault passwords can now also be stored in KWallet on Linux. Huge thanks to Ralph Plawetzki (purejava on GitHub) for his contribution! And last but not least, it is now possible to mount the vault via FUSE on Windows. This is still a beta feature! In order to try it, WinFSP needs to be installed. We’d love to hear your feedback on this!

On the distribution front, we didn’t quite meet our expectations. So far, we’ve been struggling with Flatpak as we just can’t convince its sandbox to properly support FUSE drives. But we’re not giving up on this!

Behind the UI, we introduced the integrations-api alongside implementations for each OS. It’s a new way for Cryptomator to include native (also OS-specific) functionalities. Now easier than ever, you can implement native functions. So grab your keyboard and start hacking! 😁 With this change, we archived the old native-functions repository. 👋

What’s next? Our plan is to move on to 1.6.x. First of all, we want to integrate Sanitizer, so you can check your vault health and run cleanup and recovery tasks right within the Cryptomator UI. Furthermore, by decoupling the key derivation from the vault encryption, we plan to give you more options for authentication, including third-party password storage, 2FA, and multi-user access using individual passwords.

State of the Android App

In the last months, we added new features like face unlock, sort directory listings, and search using glob pattern matching. Some community members also translated the app to French and Turkish. Many thanks for their contributions!

Looking forward, we have some exciting news about our Android app! The project is in the perfect situation to fulfill the two biggest wishes of the community:

  1. Open Source: Publishing the source code of the app.
  2. Document Provider: Accessing the content of the vault using third-party apps.

You heard that right, we are going to open-source Cryptomator for Android! The fact that the app is open-core had its legitimate reasons but we are now fully confident that we can open-source the app without compromises. We are working hard to publish the complete source code within a few weeks.

After that, the highly anticipated Document Provider feature will be on our roadmap.

State of the iOS App

What’s up with Cryptomator for iOS? For the last 6-7 months, we have been hard at work on a completely new app written in Swift. Our first efforts can already be seen in our new open-source libraries for Swift: cryptolib-swift and cloud-access-swift.

What will be so special about the rewrite? Cryptomator will be fully integrated into the Files app. This comes with many benefits like thumbnails, support for third-party apps that can edit files directly inside the vault, and many more! But that also means, there won’t be a “custom” file browser inside the app anymore. Integration into the Files app is one of the most requested features of the community.

What about open source? We won’t open-source the current app anymore because we’d like to look forward. The new app is written with open-sourcing it in mind but it will still take some time until we can release anything.

We’ll definitely do extensive testing via TestFlight in the next year. Stay tuned for that!

Cryptomator for Android for Us Paranoids

This blog post is aimed towards the paranoid Cryptomator power users among us and describes how to fully establish a relationship of trust with Cryptomator for Android.

When it comes to our desktop application, we claim that you should in fact not trust us but you (or at least many developers) can instead inspect what Cryptomator is doing. For our mobile apps, this is only half the truth, frankly. While the encryption code is fully open-source, the UI and cloud access code isn’t (yet 😉).
If you count yourself as one of the more paranoid users, who prefer to compile everything yourselves, you might ask the legitimate question: How can you check the current, open-core app for backdoors?

A backdoor usually requires communication with an external server. If vaults are only opened from the device’s file system, the Cryptomator app does not require an internet connection. Alternatively, the vault can be synchronized bidirectionally to the file system of the smartphone with a third-party application such as Syncthing.

Using this setup, the Cryptomator app can have its internet access revoked using the Android operating system features, which prevents the app from sending or receiving any data to or from the internet.

Android revoke Cryptomator's internet permission

Thus, even if there ever was a backdoor in Cryptomator for Android, it would not be possible for the intercepted data to leave the smartphone. This is ensured by the operating system.

Cryptomator 1.5.0 Release

Cryptomator 1.5.0 is now available with a brand-new user interface (incl. dark mode) and an improved vault format

Cryptomator has been redesigned and comes with a new dark mode. It is not simply a redesign, it was a full rewrite of the UI. During the rewrite, a whole new code structure was planned which makes it easier to extend the application in the future. One goal of the redesign was to make the onboarding process easier for users who don’t feel too comfortable with encryption software. Usability tests helped designing the workflows and understanding common misconceptions. Besides the redesign, the new vault format 7 increases compatibility with some cloud services and at the same time reduces the complexity for certain I/O operations.

To support the ongoing open-source development of Cryptomator, consider buying a donation key, which unlocks the new dark mode. ❤️ Detailed release notes for the desktop app are available on GitHub.

As you might have noticed, this website is also shining in a completely new design. ✨

Cryptomator for iOS & Android

New updates for iOS and Android have been released as well. To celebrate the release, our mobile apps are 40% off until April 23! 🤖

Cryptomator for Android is now also available as an APK version through our own online store.

Cryptomator Roadmap Early 2020

Between all the work on Cryptomator, we need to remind ourselves to not forget about our regular updates post. While most of you have already noticed that we’re approaching a new major release of Cryptomator, I think it is time to inform you where we’re currently standing and what our roadmap looks like.

State of our Desktop Application

We plan to release 1.5.0 within Q1 2020. In our currently running beta (huge shout-outs to all the helpful test feedback), we have already sorted out several problems and feel confident to deliver outstanding quality.

While we have already discussed upcoming changes to what we call the vault format (i.e. the layout of the encrypted files and directory) to increase compatibility with some cloud services and at the same time reduce the complexity for certain I/O operations, the far more obvious change affects the GUI:

We did not simply redesign our UI, we did a full rewrite of it. Nearly every single line of code that was involved in Cryptomator 1.4.x has been deleted. Why would you do something like this? Well, the application grew over time. Cryptomator has been started more than six years ago and some concepts weren’t established back then that make development easier today. During the rewrite, we planned a whole new code structure which makes it easier to extend the application in the future and at the same time have new developers understand what parts of the code is responsible for what dialog in the software.

One goal of the redesign was to make the onboarding process easier for users who don’t feel too comfortable with encryption software. We attended (and organized) some usability tests in our vicinity and saw how first-time users reacted to the vault creation process. This helped us to design the workflows and understand common misconceptions.

State of the Android App

Not worth mentioning is that the Android app in 1.5.0 will support vault format 7. In the Android app, we focused on implementing new features and improving stability:

  • Already opened files are cached on the smartphone. When reopened and if the file has not changed in the cloud, the file is loaded from the local file system, which leads to a huge performance improvement.
  • Fixed and improved auto photo upload e.g., after device reboot or on Android 10 under certain conditions the upload didn’t work
  • We added an option to lock a vault immediately when Cryptomator is closed or in background
  • Last but not least, we’ve put a lot of work into a new license store that will enable us to provide an alternative way of distributing our Android app, as we have a lot of requests from users who prefer not to use Google services such as the Play Store

State of the iOS App

The iOS app will also support vault format 7, obviously. There are some further fixes and improvements under the hood, but no new features. It already supports caching and it you can even buy it without using the Google Play Store. 😉

What is missing for the final release of 1.5.0?

While at the time of writing this, there are only few missing features planned for 1.5.0 (such as vault recovery) and only some final polishing is required from our side, we want to make sure our mobile apps and also third party apps such as Cyberduck are ready to deal with the new vault format, too. For some bugs scheduled for 1.5.0 (such as this one), we’re currently waiting for an upstream fix.

Simultaneously, we’re preparing new documentation pages for 1.5.0 as well as a new website with a new FAQ section and we integrate new translations added by our great community on a regular basis.

What’s up next?

Our first priority right after 1.5.0 is to migrate from Java 11 to Java 14. Java 14 includes a long-awaited new tool that is required for our packaging. We’re currently using a workaround that prevents us from upgrading to the latest bundled JRE. This is a small change that will probably be shipped right with 1.5.1. However, we didn’t want to dig up new holes right before 1.5.0 and decided to postpone this to 1.5.1.

Next, we want to focus on Flatpak. We ditched .deb and .rpm files some time ago and replaced them with AppImages. We also really like how the Flatpak ecosystem is gaining traction and is supported natively by a steadily increasing number of distributions. So far, we didn’t get Cryptomator working due to the complexity behind the file system mounts. But after we’ve finished 1.5.0, we hope to be able to put some more attention to this and solve this to ship Cryptomator as a Flatpak soon.

In the Android app, the next big feature will be accessing files of a Cryptomator vault inside other apps using a DocumentProvider. For example, a file explorer will be able to access the content of the vault in this way. As well as smaller features like recursive upload of folders to the vault are planned.

Cryptomator Roadmap Mid 2019

We would like to take a more regular look at our roadmap to publicly document the past, present, and future developments of Cryptomator. Unlike before, we’re also going to have a look at the roadmaps of our mobile apps.

Desktop

In the desktop area, we are currently pursuing two different branches: On the one hand we are striving for feature completion of 1.4.x, with 1.4.12 already available as a release candidate. It will finally allow Linux users to store their password in the system and include the much desired “Custom Mount Flags” feature.

  • Save password in system (Linux): For a long time, you could only store your vault’s password in the system under macOS and Windows. Through a community contribution, this is now finally also possible under (some) Linux systems. 😄 The existence of GNOME Keyring or another keychain via Secret Service API is required. Many thanks to Ralph Plawetzki (purejava on GitHub) and Sebastian Wiesendahl (swiesend on GitHub) for the implementation!
  • Custom Mount Flags: Cryptomator uses default options to mount a drive (both for Dokany and FUSE) that we chose for security or performance reasons. However, this leads to limited functionality in some cases and users who want to set their own options can now change them. Be aware: Use at your own risk!

On the other hand the implementation of 1.5.0 has already started. For 1.5.0, as announced, we want to fully concentrate on the redesign of the user interface and improve the internal processing of Cryptomator, because like many open-source projects it has grown organically over time and therefore needs a good refactoring. 😉

iOS

After the release of Cryptomator 1.4.0 for iOS with built-in cache functionality, which on the one hand avoids repeated downloading of files and on the other hand allows (limited) offline access, the work on Cryptomator 1.5.0 for iOS has started.

The main focus will be the integration into the Files app of iOS. The first step will be the expansion of our Document Provider which is going to be extended by the methods “Open” and “Move”. This will make a direct access to files within a Cryptomator vault from other apps possible without having to copy them back and forth.

Android

Cryptomator 1.4.0 for Android is currently being finalized with the following features, which can already be tested in a beta version:

  • Automatic photo upload: After activation, all images created on the smartphone will be uploaded the next time the selected vault is unlocked.
  • Make files writable by third-party apps: Files that are opened can be edited in third-party apps. When you finish the editing process by saving and returning to the Cryptomator app, the changes are transferred to the cloud.

We are considering these features for future versions:

  • LRU Cache: To save network traffic, certain server responses are cached to avoid repeated downloading, for example of unmodified images from the cloud.
  • Support for Google Team Drives: Access to vaults located in Google Team Drive should be made possible.
  • Distribution of the app outside of Google Play: Cryptomator for Android should also be available from alternative sources. We are thinking about setting up a licensing system, through which a license could be purchased directly.
  • Unlocking with system password: You should be able to use the system password of the smartphone to open vaults. (Similar to unlocking with a fingerprint.)
  • Access to files via DocumentProvider: Access to a Cryptomator vault inside other apps should be made possible via a DocumentProvider. For example, a file explorer would then be able to access the vault in this way.
  • Upload of directories (recursive): The download of whole folders already works, the upload including all subfolders is not possible yet.

Cryptomator Roadmap Early 2019

Hey it’s a new year, so here comes our quarterly annual 🙈 roadmap preview.

OpenJDK and OpenJFX

Until now we’ve been using Oracle JDK, since this included the GUI library we used for Cryptomator: JavaFX. Beginning with JDK 11, we plan to switch to OpenJDK and OpenJFX. JavaFX will no longer be included in the Oracle JDK anyway and OpenJFX promises shorter release cycles and - as the name suggests - is developed in an open process.

Since we no longer depend on non-free software, Cryptomator could theoretically move from “contrib” to “main” in Debian repos.

We also hope that building Cryptomator becomes easier, since OpenJFX is a normal dependency and you no longer need to install the Oracle JDK.

We have successfully moved to FUSE (Linux and macOS) and Dokany (Windows). Now it is time to improve the file systems. One of the most asked features is support for symbolic links. If you don’t know what this is, don’t worry. For everyone else: Stay tuned for a 1.4.x update introducing symlinks.

UI Redesign

We plan to redesign the whole user interface from scratch with Cryptomator 1.5.0. In order to do this, we are happy to get your input. If you have any ideas on how Cryptomator should look, feel free to join the discussion in our redesign thread.

Cryptomator 1.4.0 Release

Cryptomator 1.4.0 has been released featuring Dokany and FUSE support

What’s New

Introducing Dokany (Windows) and FUSE (macOS, Linux) support. Vaults can now be mounted via Dokany and FUSE which is now the preferred way over WebDAV. Expect vastly improved integration into the system. A complete list of closed issues is available here.

Dokany / FUSE

  • Provide virtual drive using Dokany on Windows (#207)
  • Provide virtual drive using FUSE on macOS and Linux (#252)
  • Solves upstream bug with keeping modification date and other dates of original file (#220)
  • Solves upstream bug on Windows with files >4 GB (#82)
  • Solves upstream bug on Windows with Windows Explorer showing C: drive capacity for any vault (#80)
  • Solves upstream bug on macOS High Sierra with disappearing drives (#579)
  • Solves upstream bug on macOS Sierra with duplicate folders in /Volumes (#464)
  • Solves other WebDAV-related bugs (#67, #145, #175, #204, #238, #256, #366, #513, #597, #631, #684)

As usual, we have open-sourced the libraries Dokany-NIO-Adapter and FUSE-NIO-Adapter under AGPL.

Improvements

  • Quitting Cryptomator is now also graceful, similar to locking vaults (#230), kudos to Jelle Dekker (jellemdekker on GitHub)
  • Added status indicator to tray icon (#296), kudos to Jelle Dekker (jellemdekker on GitHub)
  • Fixed apparently empty vault when ciphertext size of one file is invalid (#673)

Windows

  • Fixed missing text in menu options of tray icon (#612)
  • Fixed violated code integrity policy by signing all DLLs (#736)

Linux

  • Provide AppImage as a long-term replacement for other distribution methods (#469)
  • Fixed WebDAV support when having gvfs 1.37.2 or later (#722), kudos to Ralph Plawetzki (purejava on GitHub)
  • Fixed support for high resolution display (#42)

Misc

  • Updated to JDK 10
  • Decreased file size of application and installer packages significantly
  • Dropped official Windows and Linux 32 bit support

Become a Cryptomator Sponsor

Dear community,

As you know, we’re providing Cryptomator as a pay-what-you-want software and we want to keep it that way. In the meantime, we’ve grown to a small team working full time on this project. And we all need to pay our bills.

Therefore we need your help! If you use Cryptomator in your company or know a company that uses open-source software, please ask if they want to become an official sponsor of Cryptomator. Alternatively, you can support Cryptomator through recurring donations.

We have prepared three sponsoring plans with different benefits for you. Head on to our sponsors page for more information.

Your Cryptomator team

Cryptobot Sponsor

Cryptomator Roadmap Early 2018

Since it is understandable that not all of our users can track all development activities on GitHub, I would like to write a few paragraphs here about the technical updates that are planned for Cryptomator in 2018 and their impact on usage.

FUSE

The biggest upcoming change is the implementation of FUSE-based drives. This will be additional to WebDAV and will become the new default setting. We are currently developing the necessary library. It is based on jnr-fuse, which means you need FUSE for macOS or WinFsp in case of Windows. The Linux kernel supports FUSE out of the box.

A big challenge at the moment is how to include WinFsp or FUSE for macOS in the installer. First test versions will therefore require manual installation of named libraries.

The benefit of using FUSE lies not only in performance enhancements (which are already clearly measurable in the current state of development for some file/directory operations) but also in the expected increase in compatibility with third-party software. There are several problems related to the WebDAV drive, as can be seen in our issues list.

Java 9

During the Christmas holidays, I made all libraries and the desktop application compatible with Java 9. Our CI builds now run uniformly with JDK 9 in containers. However, the code is still compiled for older Java versions, not just because our Android app depends on it.

What’s the point? Java 9 is a huge step in the development of the Java platform. In addition to various bug fixes that directly benefit Cryptomator users, e.g. better support for HiDPI displays under Windows and Linux, there were massive refactorings which form the basis for a new release model of the Java platform with new feature releases in six-month cycles. This means that we will be able to benefit from new features in the future more rapidly without having to rely on unstable test versions.

However, the conversion to Java 9 with Cryptomator 1.4.0 is also the basis for the use of the Java Platform Module System from Cryptomator 1.5.0 onwards, whereby much smaller applications can be built. In a first test, the size of the Cryptomator application for macOS was reduced from over 200 MiB (in the installed state) to about 70 MiB.

IntelliJ

We switched our build platform from Eclipse to IntelliJ because the JDK 9 compatible versions of Eclipse contain changes to the compiler that didn’t get along with code generated by Dagger.

Furthermore, our Android developers are already used to IntelliJ so that we can harmonize our tools a little bit here.

64 Bit

Since both WinFsp and JDK 9 require 64 bit, Cryptomator will no longer support 32 bit systems as of version 1.4.0. Although this is a pity, it also speeds up the development process because fewer systems have to be tested.

Cryptomator 1.3.x will be 100% compatible with 1.4.0. This means that users who depend on 32-bit software can continue to use Cryptomator vaults.


Did you find this insight interesting? Should we give an outlook for every major milestone in the future? We would like to hear your opinion in the comments!

Cryptomator 1.0 for Android Release

Today, we are glad to announce the release of Cryptomator 1.0 for Android. 🎉 Finally, you can protect your cloud files also on Android devices. The app is naturally fully compatible to the desktop and iOS versions of Cryptomator.

We have worked extensively during the last year to ensure the app’s security and usability. Thanks to your feedback and the experiences of more than 10,000 beta testers, the Android app has finally reached the level of maturity that fulfills Cryptomator’s high standards.

In version 1.0 for Android, the app is compatible with Dropbox, Google Drive, OneDrive, and WebDAV-based providers. You can also create vaults in Android’s local storage and, e.g., sync them with third-party apps. The app is available for $4.99 in the Google Play Store.

https://cryptomator.org/android/

Changelog since 0.7.0

  • Added “lock all vaults” option to the auto-lock notification
  • Improved performance of the cloud login process
  • Removed internet connection requirement for local storage
  • Fixed display problem when logging in to OneDrive
  • Translated app into Spanish
  • Increased Android requirement to version 4.3
  • Fixed several smaller bugs and problems

A New Home for Our Community

Our online community has finally found a new home. From now on, you can reach us here for technical support and have discussions with other users. The site was created to build a comprehensive knowledge base in the long run to help answer questions quickly.

We welcome all visitors and are excited about your posts!

https://community.cryptomator.org/

Cryptomator 1.3.0 Release

We’ve completely rewritten Cryptomator. Its core components are now modularized to CryptoLib, CryptoFS, and WebDAV-NIO-Adapter. A complete list of closed issues is available here.

Improvements

  • Auto-Unlock!!! 🎉 (#40) We finally implemented the most-wished feature. Still experimental and will be completed by autostart (optionally hidden) in future versions
  • New vault format 6 (#521)
  • Added new options to “unlocked” screen: Mount/unmount without locking/unlocking (#452)
  • Network access now filtered by the socket instead of the application (#431)
  • You can now change the socket port without restarting Cryptomator
  • New log system with log file rotation and exposed, user-adjustable configuration

Windows

  • Removed IPv6 flag, Windows will now always mount cryptomator-vault which is mapped to 127.0.0.1 (#512, #529)

macOS

  • Improved macOS Sierra integration, unlocking doesn’t ask for username/password for localhost anymore (#170)
  • Improved iCloud Drive compatibility (#364)
  • Fixed slow startup on some systems
  • Added CMD+, shortcut for preferences

Misc

  • Changed license to GPLv3
  • Dropped SHA-1 signatures in Windows Authenticode code signing
  • Dropped official Windows Vista support
  • Dropped official Ubuntu Vivid and Wily support

Technical Details on Windows Mounting

After we have fixed #431, we noticed various issues on Windows. We tried hosting the virtual drive via localhost, 127.0.0.1, and ::1 but every host has its own issue: Sometimes access to the virtual drive was extremely slow, sometimes Windows showed unnecessary security warnings (#529), and sometimes Office didn’t properly work (#512). That’s why the Windows installer for Cryptomator now writes the new host cryptomator-vault (which is mapped to 127.0.0.1) into the hosts file. Weirdly enough, with that new host, all problems seem to be gone. Even though we don’t quite understand why binding an IP has such a big impact, we just hope that we finally found a good solution!

Under-The-Hood Improvements

We’d like to highlight some improvements that we were able to make under-the-hood: Faster build times, high test coverage for our crypto libraries, and more!

CI Build Times

(Travis CI build numbers are in parentheses)

Branch 1.3.0 1.2.4
Master (Release) 3min (809, 819, 835, 842, 845) 5min (699, 704, 714, 727, 828)
Develop 1.6min (830, 831, 837, 839, 841) 3min (710, 711, 715, 724, 725)

Lines of Code

(determined via cloc --exclude-dir=test --include-lang=Java)

Project 1.3.0 1.2.4
Cryptomator-Desktop 7,249 16,624
CryptoLib 1,447 -
CryptoFS 6,829 -
WebDAV-NIO-Adapter 3,979 -
SIV-Mode 1,238 1,238
Sum 20,742 17,862

Test Coverage

(determined via JaCoCo)

Project 1.3.0 1.2.4
Cryptomator-Desktop 14% 66%
CryptoLib 93% -
CryptoFS 97% -
WebDAV-NIO-Adapter 26% -
SIV-Mode 96% 96%

* passes litmus (WebDAV server test suite)

File Size

File 1.3.0 1.2.4
Cryptomator.jar 9.18 MB 12.1 MB

Evolution of Cryptomator

(made with Gource)


Cryptomator 1.2.4 for iOS

  • Added compatibility to vault version 6
  • Fixed auto-lock bug, which occurred when you opened up the Touch ID settings (#89)
  • Improved filename blacklist, you can now see files and folders that start with a period “.”

We weren’t able to finish Cryptomator 1.3.0 for iOS in time. Some great features are planned for this version. Stay tuned!


Cryptomator 0.6.0 for Android

  • Added compatibility to vault version 6
  • Added external storage support (#50)
  • Added fingerprint support (#14)
  • Added multiple selection for file upload (#30)
  • Added creation and editing of text files
  • Added sharing of texts
  • Added logout of cloud storage services in settings
  • Improved filename blacklist, you can now see files and folders that start with a period “.” (#60)
  • Fixed inaccessible vaults in OneDrive (#55)
  • Further crash/bug fixes and design improvements

This version will be released shortly and might be the last major beta version. We are now in preparations for releasing Cryptomator 1.0.0 for Android. Looking forward to a great first final release!

Cyberduck Meets Cryptomator

Cyberduck 6.0 with support for Cryptomator vaults has been released today. You can download the new version at cyberduck.io. Cyberduck is a libre remote file browser for Mac and Windows, making it the perfect tool for all, who do not want to synchronize their cloud files locally.

Cyberduck meets Cryptomator
Illustration by Katharina Hagemann

Cyberduck allows access to your cloud storage without an additional sync client. FTP, SFTP, WebDAV, Amazon S3, Backblaze B2, Microsoft Azure & OneDrive, and OpenStack Swift are some of the supported protocols. All vaults created with Cyberduck or Cryptomator can be opened with the other.

You can learn more about our cooperation with Cyberduck at our dedicated coop page.

Mysterious Windows Bug Fix with 1.2.3 Update

Cryptomator 1.2.3 for Windows fixes a mysterious bug, commonly known as system error 53 or 67. Well, it’s not that mysterious anymore, but this particular error had been haunting us from the beginning! Cycor on GitHub (almost casually) pointed out in GitHub Issue 210 that he found the cause of system error 53/67 after a few months of experiencing the issue himself.

Apparently, there is a Windows Registry entry responsible for listing available network providers called ProviderOrder. Cryptomator’s virtual drive is based on WebDAV. Therefore, a missing webclient value in the ProviderOrder registry key would lead to such error. We were stunned, desperate, and hopeless for many months, because we were never able to reproduce the issue. We added things like the IPv6 literal option (which is probably going to be removed in a future version) or thought that some firewall was responsible for the error. But nope! Clearly some applications modify this registry entry, because a clean Windows installation doesn’t have the webclient value missing. Shame on them! 🔔

We fixed this issue by patching the Cryptomator for Windows installer and added some code that adds the webclient value back to the ProviderOrder key, if it is missing. The registry key can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. If you’re a fellow developer and stumbled on this blog post while having the same issue and even using Inno Setup yourself, you can find the code on GitHub.

Big thanks to Cycor for finding the solution to this weird bug! 😄

Furthermore, version 1.2.3 (also available for Mac and Linux) includes other improvements:

  • Saved password can now be forgotten by deselecting the checkbox. [Windows/Mac]
  • WebDAV server keeps running after unlocking a vault even if mounting fails.
  • Log files don’t contain debug-level information per default anymore, added debug mode in settings.

What’s next?

We released CryptoFS in version 1.0.0, which is now ready to be integrated in our main application Cryptomator. The next minor release Cryptomator 1.3 will mainly include a “heart transplant” with the integration of CryptoFS. This is a requirement before we can integrate FUSE/Dokany, which is currently scheduled for version 1.4.

Cryptomator for Android 0.1 Beta

We’ve finally released the first beta version of Cryptomator for Android after almost 6 months of development. It’s a completely new and native app. In this process, we outsourced the cryptographic code from our main project, which is now available as CryptoLib.

You’re welcome to test the beta version. Follow this link for more information. Version 0.1 is by far not feature-complete and has known issues, but we’re of course open for feature requests, suggestions, and obviously bug reports.

You can send us feedback on GitHub. We’ve created a repository just for collecting Android issues. Please review and follow our contribution guidelines.

Thank you all for your patience! We know some of you have been already waiting for an Android app of Cryptomator for many months. We’re looking forward to your feedback! 😄


What’s next?

  • Version 0.2: We’re going to fix some critical/major bugs first, don’t expect too many new features.
  • After that we’ll most likely successively add support for Google Drive, OneDrive, and WebDAV.
  • Our goal is to add the functionality equal to the iOS app for the final version.

Cryptomator 1.2.0 Release

Cryptomator 1.2.0 for Windows, Mac, and Linux is out now!

New Features

  • On Windows and Mac you can now optionally save your password. This is a preparation for auto-unlock (GitHub Issue 40), one of the most wanted features we’re planning for the next minor release. Linux support will follow, as soon as we figured out a standard way to protect saved credentials across most distributions.
  • New migration screen preventing accidental migration.
  • Cryptomator for Mac will now appear in Dock + Application Switcher, when not minimized to the menu bar icon.

Fixes and Improvements

  • Improved speed of directory listing by using a deterministic cleartext size calculation.
  • A full list of fixed issues can be found here.

The Downside

Sadly, we had to drop file size obfuscation support. From this version onwards, there is a bijective function for calculating the cleartext size from the ciphertext size and vice versa.

We always strive to offer the best of both, security and usability. But sometimes we need to find a compromise in order to implement all the features, we’re planning for future releases. In the past, we needed to access the first few bytes of a file in order to determine the cleartext file size, which led to O(n) I/O activities with n being the number of files per directories. In this case, we decided in favor of O(1) directory listings, which is especially useful for large directory listings, file size determination via mobile devices, or slow internet connections.

File size obfuscation has never been a cryptographically effective protection against adversaries getting to know the approximate cleartext size. Anything the size of a movie remained the size of a movie and was most likely not mistaken for a text document. Nevertheless, we will miss you. R.I.P.


Cryptomator 1.2.0 for iOS

  • Added compatibility to vaults created with desktop version 1.2.0
  • Added file sizes to directory listing (only available for newly-created or migrated vaults)
  • Added “sort by date” in directory listing
  • Added filter capability in directory listing
  • Added favorite folders to file upload
  • Added sticker pack with Cryptobot for Messages (available for iOS 10)
  • Improved clean up of temporary files
  • Fixed upload of large files in iCloud Drive, Dropbox, and OneDrive
  • Fixed access of shared folders in OneDrive
  • Fixed directory listing that limited the number of files shown in Google Drive and OneDrive
  • Fixed last modified date in Google Drive
  • Fixed reauthentication of some cloud storage services

Cryptomator for Android

We are confident that we can inform you about a beta release in the next weeks. Stay tuned and thank you for your patience!

Security Fixes with 1.1.4 Update

Cryptomator 1.1.4 for Windows, OS X, and Linux fixes two (related) vulnerabilities allowing malicious Flash files being injected into vaults, that can be executed to “bypass” the SOP and access files from a Flash-enabled browser (GitHub Issues 318 & 319). Kudos to Lukas Reschke for reporting them!

Various bugs with Dropbox, Google Drive, Windows drive letters, the Windows Registry and WebDAV access on Linux were also fixed. A complete list of closed issues is available here.


What’s next?

  • We’re making progress with the Android app. If everything goes as planned, you can expect a first beta release next month. We’ll send out invitation links to those who have expressed interest in participating in the beta. Stay tuned!
  • We plan to improve the desktop app compatibility- and performance-wise by integrating FUSE/Dokany (PFM has been suggested instead of Dokany, we’re still evaluating this). Hopefully, we can launch a first beta with these major changes by the end of this year.
  • Due to these major development efforts we have been modularizing the cryptographic relevant libraries into cryptolib and cryptofs under the GPL license. In that way, it’s easier for us to use the same libraries across multiple apps and also for third parties to use them independent of our main application. These libraries aren’t final yet.
  • We haven’t planned our 1.2 milestone yet, but the  has been highly requested and is probably the biggest contender right now. We hear you and we’d like to thank you for all your feedback! 😄

In-Depth: Export Compliance for French iOS App Store

Cyptomator for iOS has finally been approved by the French administration. You can download it now in the French App Store. We’d like to share our experience on how to receive export compliance for the French iOS App Store.

Just to be clear, you also need the U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS). But this has already been covered by many sites, just google for export compliance ern ios app store.

However, there is little information on how to get the French encryption declaration approval from the Agence nationale de la sécurité des systèmes d’information (ANSSI). This information could be useful for fellow developers that are e.g. using third-party libraries for cryptographic operations in their iOS app. I’m not sure if this is also needed for the Google Play Store (or other Android app stores). We’ll see soon enough.

When do you need French approval?

Let’s take a look on how we’ve filled out our export compliance documentation in iTunes Connect, which is needed for apps containing encryption.

ID Question Answer
1 Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.) Yes
2 Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations? No
3 Does your app implement one or more encryption algorithms that are proprietary or yet to be accepted as standard by international standard bodies (such as, the IEEE, IETF, ITU, and so on)? No
4 Does your app implement one or more encryption algorithms instead of, or in addition to, accessing or using the encryption in iOS and OS X? Yes
5 Is your app going to be available on the French App Store? Yes

Our answer to question 4 is probably less common among typical apps using encryption. Additionally to Apple’s CommonCrypto, we’re making use of OpenSSL and scrypt, which aren’t bundled with the standard library of iOS. Only then you’re going to be asked question 5 and only then you have to submit a copy of the French encryption declaration approval from the ANSSI.

How do I submit an application to the ANSSI?

Thought you’d never ask. Thankfully, there is an English website for this: http://www.ssi.gouv.fr/en/regulation/cryptology/how-to-submit-an-application/

But the fun stops there. From now on, everything is in French. Yup. That’s right. Everything. Even the responses you receive are in French. And you have to submit your request via mail (yes, not email).

What’s our advice on this? Best case you know someone who can read/write French, but in our case we just used Google Translate extensively. We’ve filled out the approval form in English, because we hoped for common sense that they’re at least able to read our request in English. And it worked!

How long does it take until my request has been processed/approved?

The official statement is:

Declaration requests are processed within one month from receipt of the complete request file and authorisation requests within four months from the same date.

We’ve submitted our declaration request in the beginning of April 2016 and received a first response in the beginning of May. It was just to inform us that they’ve received our request and it’ll take another two months to finish the process. In the end, we’ve received the approval two months after our submission.

I don’t remember exactly how long it took to get the ERN approval, but it was just a matter of days and completely processed online.

Summary

I hope you learned something from our experience and if you’re an app developer struggling with the same issue, you hopefully received some insight in this process. Obviously, this information may change in the future, so do some additional research. 😉

Funny story: In the approval form are checkboxes, which you can enable if you’re sending a CD or USB flash drive with information of your product (like commercial brochure, user manual, technical details). I couldn’t believe what they were asking for, so I didn’t send anything besides the approval form. They kindly sent me an email, if I could provide a commercial or technical brochure for Cryptomator so that they can process my request. So I did that via email and everything was fine. 😄

Cryptomator 1.1 Release

Cryptomator 1.1 for Windows, OS X, and Linux is out now! We’ve added a password strength indicator and sync conflicts are now being detected.

Cryptomator 1.1 für Windows, OS X und Linux

What’s New:

  • Password Strength Indicator: Based on Dropbox’s zxcvbn. Kudos to Jean-Noël Charon (jncharon on GitHub) for implementing this feature.
  • Sync Conflict Resolution: When editing a file on multiple devices simultaneously, version conflicts are inevitable. Dropbox, Google Drive, etc. can detect these conflicts and will provide all versions of the affected file. From now on Cryptomator will transparently pass detected conflicts right to the decrypted drive to ensure no version gets lost.
  • Several small tweaks and fixes.

We’ve also released Cryptomator 1.1 for iOS recently. WebDAV support is finally here! Encrypt your files in cloud storage services like ownCloud, HiDrive, MagentaCLOUD, STACK, blaucloud, and many more.

Cryptomator 1.1 für iOS

What’s New:

  • Added WebDAV support.
  • Downloads and uploads continue while the app is in the background.
  • Improved Google Drive integration, using their newest APIs.
  • Fixed missing fullscreen button when viewing videos on iPad.
  • Several bug fixes and UI optimizations.

What about Android?

We started implementing a prototype of the Android app and will keep you updated shortly! Stay tuned. 😄