Cryptomator Hub 1.4.0: More Trust, More Control, More Transparency
With the release of version 1.4.0, Cryptomator Hub receives a major feature upgrade that offers more control and transparency — while also improving the overall user experience.
At the heart of this release are a new Web of Trust, finer-grained permission management, extended audit logging, and deeper insights into user profiles.
Let’s take a closer look at what’s new!
Web of Trust: Mutual Verification for Better Security
One of the highlights of this release is the new Web of Trust (WoT). Users can now mutually verify each other’s identities by signing public keys. This creates a network of trust that protects against the injection of manipulated or forged public keys.
This feature directly addresses so-called “key injection” risks and strengthens the protection of sensitive data across organizations.
The verification process is based on a simple but effective principle: Only when a person’s public key is confirmed by trusted peers is their identity considered verified.
Admins can configure how many verifications are required.
New Create-Vaults Role: Granular Permissions for Vault Creation
With the introduction of the new create-vaults role, admins now have full control over who is allowed to create new vaults within the organization.
Previously, this permission was available to all users by default — now, admins can specify whether only certain teams, individuals, or everyone should have access to this feature.
Especially in large organizations, this is a key improvement for maintaining order and managing infrastructure growth in a more controlled way.
Audit Log: Even More Precise Activity Tracking
Monitoring security-relevant actions is a key responsibility in IT operations. With version 1.4.0, the audit log becomes even more powerful:
Filter by event type: You can now filter audit log entries by type — such as key changes, access attempts, or account activity — to quickly isolate relevant data during incidents.
New events: Several new event types were added to better capture security-critical actions.
Register Device – A user registered a new device, e.g., Cryptomator app or browser session.
Remove Device – A user removed a device.
Signed Identity – A user signed another user’s identity.
Account Key Changed – A user regenerated their account key, which also affects user keys.
Reset User Account – A user reset their account.
User Keys Change – A user changed their keys, e.g., during initial setup or account key updates.
Claim Vault Ownership – A user claimed ownership of a vault that was created with a Hub version prior to 1.3.0 using the Vault Admin Password.
Retrieve Vault Key event enhanced: This audit event now includes the IP address and device ID — making it easier to trace who unlocked a vault and from which device.
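An added example, not part of the original post or Cryptomator Hub's own code: a triage pass over exported audit entries that combines the new Register Device event with the IP address and device ID now carried by Retrieve Vault Key. The JSON field names (`timestamp`, `type`, `user`, `deviceId`, `ip`), the type strings and the 30-minute window are assumptions, and the sample entries are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export. Field names and type strings are assumptions,
# not Cryptomator Hub's actual audit log schema.
SAMPLE_EXPORT = """
{"timestamp": "2025-03-01T07:00:00+00:00", "type": "REGISTER_DEVICE", "user": "alice", "deviceId": "dev-a1"}
{"timestamp": "2025-03-01T08:00:00+00:00", "type": "RETRIEVE_VAULT_KEY", "user": "alice", "deviceId": "dev-a1", "ip": "198.51.100.10"}
{"timestamp": "2025-03-01T08:05:00+00:00", "type": "REGISTER_DEVICE", "user": "bob", "deviceId": "dev-b1"}
{"timestamp": "2025-03-01T08:06:00+00:00", "type": "RETRIEVE_VAULT_KEY", "user": "bob", "deviceId": "dev-b1", "ip": "198.51.100.20"}
{"timestamp": "2025-03-01T09:00:00+00:00", "type": "REGISTER_DEVICE", "user": "alice", "deviceId": "dev-a2"}
{"timestamp": "2025-03-01T09:04:00+00:00", "type": "RETRIEVE_VAULT_KEY", "user": "alice", "deviceId": "dev-a2", "ip": "203.0.113.77"}
{"timestamp": "2025-03-01T09:10:00+00:00", "type": "RETRIEVE_VAULT_KEY", "user": "alice", "deviceId": "dev-a1", "ip": "198.51.100.10"}
"""

WINDOW = timedelta(minutes=30)  # assumed: how long a device counts as newly registered


def parse(export):
    """Parse one JSON object per line and return events in time order."""
    events = [json.loads(line) for line in export.splitlines() if line.strip()]
    for e in events:
        e["timestamp"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["timestamp"])


def filter_by_type(events, *types):
    """Keep only the given event types, like the audit log's type filter."""
    return [e for e in events if e["type"] in types]


def suspicious_unlocks(events):
    """Flag key retrievals from a newly registered device whose IP the user
    has never unlocked from before. Users without history are not flagged."""
    registered = {}  # (user, deviceId) -> registration time
    known_ips = {}   # user -> IPs seen on earlier, unflagged retrievals
    findings = []
    for e in events:
        key = (e["user"], e.get("deviceId"))
        if e["type"] == "REGISTER_DEVICE":
            registered[key] = e["timestamp"]
        elif e["type"] == "RETRIEVE_VAULT_KEY":
            seen = known_ips.setdefault(e["user"], set())
            fresh = key in registered and e["timestamp"] - registered[key] <= WINDOW
            if fresh and seen and e["ip"] not in seen:
                findings.append(e)  # keep flagged IPs out of the baseline
            else:
                seen.add(e["ip"])
    return findings


if __name__ == "__main__":
    for hit in suspicious_unlocks(parse(SAMPLE_EXPORT)):
        print(hit["timestamp"].isoformat(), hit["user"], hit["deviceId"], hit["ip"])
```

A first-time user who registers a device and unlocks immediately (bob in the sample) has no IP baseline yet and is deliberately not flagged.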
More Transparency in User Profile
The user interface has also been updated to offer more transparency about devices and access patterns:
Legacy devices: Users can now see if they’re still using devices linked to vaults created with older versions of the Hub. This helps with migrations to the current user-key-based encryption introduced in version 1.3.0.
Last IP and vault access timestamp: The device overview now shows the last known IP address and the most recent vault access timestamp for each device — ideal for identifying suspicious activity.
New Languages and Improved Usability
More language support: Cryptomator Hub is now available in Dutch, French, Italian, Korean, Portuguese, and Turkish — making it even more accessible for international teams.
Language preference is preserved: Your selected language setting is now saved in your user profile and no longer resets after logout.
Provenance Attestation for Container Images
A frequently overlooked but critical area of security is the authenticity of software containers. Starting with version 1.4.0, we now publish provenance attestations for our container images.
These attestations document the origin and integrity of our images and provide additional assurance for automated deployments and CI/CD pipelines.
Full Changelog
All technical details, fixes, and improvements can be found in the release notes and the new CHANGELOG file.
Closing Remarks
Cryptomator Hub 1.4.0 is a release that builds trust — through greater visibility, more refined controls, and solid technical foundations.
Whether it’s security management, role-based permissions, or user-facing transparency: This update lays the groundwork for even more robust data infrastructures in organizations that take encryption seriously.
Cryptomator Hub Celebrates Its Second Anniversary – Test New Features in Beta Now!
It’s hard to believe that Cryptomator Hub is already two years old! As a central management platform for encrypted cloud storage solutions, Cryptomator Hub enables businesses and organizations to securely and efficiently manage access and permissions. Since its release on November 2, 2022, we’ve worked hard with our community to develop an even stronger and more secure tool to meet your needs. First of all, a huge thank you to the community! To celebrate this milestone, we’re introducing exciting new features – and the best part: you can test them now in a beta version!
“Web of Trust” – Enhanced Security through Mutual Verification
Our brand-new “Web of Trust” feature adds an extra layer of security to your Cryptomator instance. Until now, users could verify others, but now we’re taking it a step further: once a verification is made, it’s automatically signed and shared, making it possible for others to see when someone has been marked as trustworthy. This creates a network where trust and authenticity become visible.
This feature allows teams to see at a glance how trustworthy someone is within the network, based on prior verifications by other users. It’s especially beneficial for organizations that prioritize secure collaboration and high authenticity, as it makes trust visible and traceable within the platform.
“Create-Vaults Role” – Precise Control Over Vault Creation
With the “Create-Vaults Role,” admins now have the ability to precisely control who can create their own vaults within the Hub. Previously, anyone in the Hub could create new vaults, but now, permissions can be finely configured. For instance, admins can decide that only certain departments, such as IT or HR, can create new vaults. This function ensures clear structure, prevents unwanted vaults, and adapts to your organization’s unique needs. This flexibility is particularly beneficial for larger teams.
Test the Beta Now!
These features are available in the beta version and are waiting for you to try them out. Give us your feedback and help us fine-tune these functions before the official release. The full rollout is planned for the coming weeks – until then, we look forward to your support and insights!
Cryptomator Hub 1.3.0: The Account Key Update
The release of Cryptomator Hub 1.3.0 marks an exciting feature update, which introduces an Account Key for users. This update, while necessary and beneficial, will require active participation from users. Here’s what to expect during the transition from version 1.2.x to 1.3.0.
ℹ️ Preparation is Key
Before we dive into the upgrade process, ensure every vault admin secures a backup of their Vault Recovery Keys and Vault Admin Passwords. ⚠️ Doubling down on this step is critical; your backups are your safety net. Without them, our hands are tied.
⬆️ Updating Cryptomator Hub (Server) to 1.3.0
This section is only relevant for administrators who host their own Cryptomator Hub instance. If you’re using our managed service, you can skip this section. We will reach out to you to arrange a date and time to update your instance.
As mentioned above, if you’re an administrator of a self-hosted Cryptomator Hub instance, follow these steps to update Cryptomator Hub:
1. Back up the database. ⚠️ The importance of a working backup cannot be overstated.
2. Refresh your container image to the latest version: ghcr.io/cryptomator/hub:1.3.0
   Skip this step if you’re using the stable tag. We will update the stable tag to point to the new version in a couple of weeks.
3. Implement the changes within your container orchestrator. Monitor for healthy pod statuses before proceeding.
⬆️ Updating Cryptomator (Desktop Client) to 1.11.0
Updating the Cryptomator desktop application is recommended for all users, but not technically required for now. Vaults can still be unlocked using an old version. This backward compatibility provides flexibility for a gradual rollout of the updated app. Nevertheless, making changes to access, including adding new members to a vault and adding new devices, requires Cryptomator 1.11.0 or higher.
🔑 Introducing Account Keys
With the updated app, users will encounter a two-step migration on their first unlock attempt:
1. Secure and store their new personal Account Key. ⚠️ It’s crucial for future logins from other devices.
2. Use the Account Key to link their Cryptomator device to their account.
This procedure is a one-time requirement for every user. It allows users to self-manage linked devices and vault owners to more easily manage access without having to frequently regrant permissions each time a user logs in from a new device.
👤 Claiming Vault Ownership and Granting Access
After updating to Hub 1.3.0, vault owners (formerly known as vault admins) are prompted to claim their vault again using the Vault Admin Password. Initially, only one user can claim ownership. Subsequently, this primary owner can grant ownership rights to others, thus eliminating the need to share the Vault Admin Password.
Once vault members have navigated through the account migration, vault owners should refresh vault permissions. This action will securely distribute the necessary vault keys to the users.
❓ Frequently Asked Questions
Q: What exactly is my Account Key? A: The Account Key is your personal secret, required for registering new devices and establishing your identity across different Cryptomator apps and browsers. Treat it with the same level of security as you would with any important password.
Q: How do I retrieve my Account Key if I lose it? A: You can retrieve your Account Key by logging into your Cryptomator Hub account and navigating to the Profile page. There, you can view your Account Key. If your browser doesn’t have access and you can’t retrieve it anymore, you can reset your account. In this case, you will lose access to all your vaults and the vault owner(s) will have to grant you access again.
Q: Will the update affect my existing vaults and the data they contain? A: No, the update will not affect your vaults or the data they contain. This update only affects the unlock process and access management, not the encrypted data itself.
Q: What happens to the Vault Admin Password after I reclaim ownership? A: Upon reclaim, the Vault Admin Password becomes obsolete. You may destroy any copies of it. Compromised Vault Admin Passwords don’t pose a threat to the security of the vault.
Q: Is the process for adding new users to a vault different? A: The difference is that you don’t grant access to each and every device, but to the user once, thanks to the Account Key. The user can link their devices to their account and access the vault from any of them without having to ask for permission again.
Q: What should I do if I encounter problems during the upgrade process? A: If you encounter any problems during the upgrade process, please contact us at [email protected].
📋 Wrapping Up
The upgrade to Cryptomator Hub 1.3.0 and Cryptomator 1.11.0 is more than a routine update. It’s a shift towards greater security and user agency. Prepare for the update by backing up essential data, and follow the outlined steps to ensure a smooth transition. Embrace the change, as it brings forward a more robust and user-friendly way to manage your vaults.
Cryptomator Hub 1.2.0: More Control and Flexibility
We’re excited to release Cryptomator Hub 1.2.0, featuring essential updates for both administrators and users. 🎉 Let’s dive into what’s new.
🗒️ Audit Logs (Premium Feature)
Our new Audit Logs feature, available with a paid license, empowers administrators with insights into user activities. Monitor vault changes, key retrievals, and other essential activities, providing an extra layer of transparency and accountability within your organization.
⚙️ Improved Vault Management
With the “Edit Vault Metadata” action, customizing vault details is now possible. You can now change the name and description of your vaults, helping you keep your vaults organized and easily identifiable. Plus, vault names no longer need to be unique, offering more flexibility.
We’ve also added the “Archive Vault” action, allowing you to remove vaults from your list. Easily reactivate archived vaults whenever needed.
👤 Streamlined User Profile Page
Our new “User Profile” page centralizes device management and user settings in one convenient location. Additionally, we’ve integrated a “Manage Account” link for users to be able to change their password and configure 2FA via Keycloak.
⬆️ Upgrade Info
Upgrading to 1.2.0 is simple. If you are on the stable lane, you just have to pull the image and restart the service. Otherwise, update the version number in your Docker Compose or Kubernetes spec file before you restart the service. Remember to always back up your data, especially before upgrading. For managed instances, rest assured, you’re already on the latest version.
⏭️ What’s Next
We’re embarking on a significant refactoring journey for our key management system in the next feature update. This update will introduce “user keys” as intermediary key pairs between vault keys and device keys. Vault owners will then grant access to users and not individual devices, which allows users to manage their devices independently.
This refactoring will deprecate vault admin passwords and introduce the vault owner role, providing a more secure and efficient way to manage your vaults.
Stay tuned for more exciting updates!
Cryptomator Hub: Managed – Request Access Now
We are happy to announce that managed instances of Cryptomator Hub are now available! 🎉 And we have released Hub 1.1.0 with recovery key support.
Request Access
First things first. 🚀 To get started, you can now request access to a managed instance of Cryptomator Hub. After your request, we will get back to you as soon as possible. Currently, some of the steps we take internally to create a managed Hub instance are still done “manually”. We are working on automating this process, but we didn’t want to delay the release any longer.
Managed vs. Self-Hosted
Managed instances of Cryptomator Hub are a great way to start using Cryptomator Hub right away without having to deploy and maintain your self-hosted instance.
Until now, you could only use the self-hosted version of Hub. This requires a lot of knowledge about how to deploy a software container using Kubernetes or Docker Compose. And if you have the knowledge, you still have to maintain the instance yourself. This includes updating the software, monitoring the instance, and keeping it secure.
With managed instances, we will take care of deploying and maintaining your Hub instance, while ensuring that your instance is highly available. You can focus on your work and your team.
This is all possible because of the underlying zero-knowledge key management. Cryptomator Hub doesn’t store unencrypted keys. All key material remains locally on the client. We can’t decrypt your data. It also helps that Hub is independent of your cloud storage provider, which means we have no access to either the key material or the cloud files.
Release 1.1.0: Recovery Key
We didn’t stop there and released Cryptomator Hub 1.1.0 with recovery key support. This allows you to access your data in case of disaster. Not only that, the recovery key is compatible with Cryptomator’s recovery key. This means you can convert your existing vaults to Hub vaults and vice versa.
What does that mean for your managed instance? If we cease to exist (we get asked this a lot, thanks to Boxcryptor 😉), you can convert your Hub vaults to “regular” password-based vaults, completely offline, so that you always have access to your data under any circumstances. This is also great for your self-hosted instance if something happens to your server.
Cryptomator Hub 1.0 Release
We are happy to announce that Cryptomator Hub, the team and enterprise solution for Cryptomator, is now ready for production use! 🎉 Huge thanks to our testers that participated in our open beta over the last 3 months for their feedback. ❤️
What is Cryptomator Hub?
In short: Cryptomator Hub adds access management for your Cryptomator vaults. It enables a secure way for you to work in teams with confidential and sensitive files for any cloud storage.
Check out our quick introduction video to learn more about the basics.
How does Cryptomator Hub work?
Cryptomator Hub is based on the same concept of a vault, a secure file storage for syncing to the cloud with end-to-end encryption. What is new is that Hub replaces the vault password with central access management.
Individual access to Cryptomator vaults is secured through server-side authentication and key management. Hub manages key material based on a zero-knowledge solution and never comes into contact with unencrypted keys.
How can I get started?
The self-hosted solution is delivered as a software container and can be deployed using Kubernetes or Docker. Visit the landing page of Cryptomator Hub to get started.
Hub can be used for free for up to 5 team members. For larger teams and companies, an annual license can be purchased through the website at $6.00 per seat per month. Until the end of the year, there is a promotional discount that gives 25% off for the first year. 🎊
And as always, Cryptomator Hub is fully open source. If you have more questions, let us know in the discussion below or contact us. We are looking forward to your feedback! 🤖