Cryptomator review — encrypt cloud storage without trusting the provider
Who is this for? Anyone using a cloud service — Dropbox, OneDrive, iCloud, Nextcloud — who does not want the provider to have access to readable files. Cryptomator encrypts files locally before they are synced.
Cryptomator solves a specific problem: cloud storage is convenient, but the provider technically has access to your files. Cryptomator adds an encryption layer to your existing cloud sync without requiring you to switch services.
Cryptomator is open-source (GPLv3 for the desktop app), made by the German company Skymatic, and independently auditable.
How it works
Cryptomator creates a vault — a folder on your disk. You unlock the vault with a password, and it appears as a regular drive in your file manager. Everything you store inside is encrypted before it touches the folder.
You place that encrypted folder inside your cloud sync folder (your Dropbox folder, OneDrive folder, etc.). The cloud sync then copies encrypted files to the server — the provider only sees unreadable data.
The key never leaves your device. Cryptomator encrypts locally; the cloud server stores only the encrypted result.
Comparison with alternatives
| | Cryptomator | VeraCrypt container in cloud | Proton Drive | Tresorit |
|---|---|---|---|---|
| Cloud-provider agnostic | Yes — works with any service | Yes | No — own service | No — own service |
| Per-file sync | Yes | No — whole container | Yes | Yes |
| Open-source | Yes (GPLv3 desktop) | Yes | Partially | No |
| Free on desktop | Yes | Yes | Limited (free tier) | No |
| Mobile | Paid unlock (~€15) | Not practical | Yes | Yes |
| Requires own cloud infra | No | No | Yes | Yes |
VeraCrypt note: a VeraCrypt container in a cloud folder works technically but is impractical for daily sync — the entire container must re-sync on every change, even if you modified a single file. Cryptomator encrypts per file, so incremental sync works correctly.
Which cloud services are supported
Cryptomator works with any service that syncs files locally via a folder on your disk:
- Dropbox — via the Dropbox desktop app
- OneDrive — via the OneDrive desktop app
- Google Drive — via Google Drive for Desktop
- iCloud Drive — on macOS via the iCloud folder
- Nextcloud — via the Nextcloud desktop client
And any other sync mechanism that uses a local folder, including SFTP mounts or NAS folders.
Mobile: paid unlock
The Cryptomator mobile apps exist for Android and iOS but require a one-time paid unlock:
- Android: via Google Play or via F-Droid (add the Cryptomator repository via cryptomator.org/android/) — paid unlock (~€30)
- iOS: via the App Store — paid unlock (~€30)
This is a deliberate choice by Skymatic: the desktop app is free and open-source; the mobile payment threshold funds development. For users who only work on desktop there is no cost barrier.
Audit
Cryptomator was independently audited by Cure53 in 2017. The audit report is publicly available at cryptomator.org. One finding was classified as “Critical” — a PGP key had accidentally been committed to a public GitHub repository. The key was passphrase-protected and had no impact on end-user security; the cryptographic implementation itself was rated as exceptionally strong.
The source code is public on GitHub and independently verifiable.
Getting started
Install:
- Windows / macOS / Linux: download from cryptomator.org/downloads/
- Linux (Flatpak): via Flathub:
flatpak install flathub org.cryptomator.Cryptomator
Create a vault:
- Open Cryptomator → “Add New Vault”
- Choose a name for your vault
- Save the vault inside your cloud sync folder (e.g. ~/Dropbox/MyVault/ or ~/OneDrive/MyVault/)
- Choose a strong password — this is the only key; no recovery without it
- Vault created — unlock it via the lock icon
Open and use:
- Open Cryptomator → click “Unlock” next to your vault
- Enter your password
- The vault appears as a drive in your file manager
- Save files normally — encryption is transparent
- Lock it again via Cryptomator when done
Migrate existing files:
Encryption only applies to files you store inside the unlocked vault. Existing files in your cloud folder are not automatically encrypted — copy them into the vault manually.
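An added check for the migration step above (not part of the original review or of Cryptomator itself): it walks a sync folder and lists files that are still stored in clear, either outside any vault or copied into the vault's folder instead of the unlocked drive. The marker file names and the .c9r/.c9s suffixes are assumptions about the vault's on-disk layout (vault format 8), and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path

# Assumed vault format 8 layout (not stated on the page): marker files in the
# vault root, encrypted nodes ending in .c9r/.c9s below it.
MARKERS = ("vault.cryptomator", "masterkey.cryptomator")
ROOT_OK = MARKERS + ("IMPORTANT.rtf",)
ENCRYPTED = (".c9r", ".c9s")


def audit_sync_folder(sync_root):
    """Return (outside, stray): plaintext files outside any vault, and files
    placed in a vault's folder directly instead of the unlocked drive."""
    sync_root = Path(sync_root)
    outside, stray, vaults = [], [], []
    for dirpath, _dirs, filenames in os.walk(sync_root):
        here = Path(dirpath)
        vault = next((v for v in vaults if v == here or v in here.parents), None)
        if vault is None and any(m in filenames for m in MARKERS):
            vault = here
            vaults.append(here)
        for name in filenames:
            rel = (here / name).relative_to(sync_root).as_posix()
            if vault is None:
                outside.append(rel)
            elif here == vault and not name.startswith(ROOT_OK):
                stray.append(rel)
            elif here != vault and not name.endswith(ENCRYPTED):
                stray.append(rel)
    return sorted(outside), sorted(stray)


def build_sample(root):
    """Constructed sample tree: one vault plus two plaintext leftovers."""
    for rel in ("MyVault/vault.cryptomator", "MyVault/masterkey.cryptomator",
                "MyVault/d/AB/CDEFGH/x1y2z3.c9r", "MyVault/d/AB/CDEFGH/dirid.c9r",
                "MyVault/tax-2023.pdf",          # copied into the folder, not the drive
                "Documents/passport-scan.jpg"):  # never migrated
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_sync_folder(tmp))
```

Sync-client housekeeping files in the folder are reported as well; the provider can read those too, so review the list rather than deleting from it blindly.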
Caveats
Password loss is permanent: Cryptomator stores the key nowhere. If you forget your password, your files are permanently inaccessible. Store the vault password in a password manager.
Recovery key: when creating a vault, Cryptomator offers a recovery key — a sequence of words. Store it in your password manager or on paper in a safe location. This is the only fallback if you lose your password.
Sync conflicts: if the same vault is open on multiple devices simultaneously and the same files are modified, your cloud sync may create conflict copies. Avoid keeping the same vault unlocked on multiple devices at the same time.
Cloud search does not work: the encrypted files in the cloud are unreadable to Dropbox or OneDrive search. Search only works while the vault is unlocked locally on your device.
Mobile cost: the paid unlock (~€30) is one-time, but is a barrier for mobile-only users. For desktop-only use there is no cost barrier.
Pros and cons
Pros
- Works with any existing cloud service — no provider switch required
- Per-file encryption — incremental sync stays efficient
- Open-source (GPLv3), independently audited twice
- Desktop completely free
- Skymatic is a German company — no US jurisdiction
Cons
- Mobile app requires one-time paid unlock (~€30)
- Password loss = permanent data loss — no recovery without the recovery key
- Cloud search does not work on encrypted files
- No protection if your device itself is compromised (true of all client-side encryption)
Conclusion
Cryptomator is the most practical way to encrypt an existing cloud service without switching providers. It fits into an existing workflow without additional subscriptions or new services.
The only real friction is the mobile unlock payment — for desktop use the barrier is low and the approach is solid.
If you already use a cloud service and do not want the provider reading your files: start here.
Next step
Chosen Cryptomator?
- Choose a password manager — the Cryptomator vault password should go in a password manager; this helps you pick one
Similar options
- VeraCrypt review — for local encrypted containers and full-disk encryption without cloud
- Proton Drive review — if you prefer switching cloud services over adding an encryption layer
- Tresorit review — end-to-end encrypted cloud service as an alternative to Proton Drive
Want to go further?
- Backup implementation guide — Cryptomator encrypts cloud storage but does not replace a backup; local copies are still necessary
- VeraCrypt: encrypted storage — for use cases where you do not need the cloud