To lock a vault, simply click `Lock` and the virtual drive will disappear or render empty. Your files remain encrypted at the vault's location.
43
+
40
44
## Manage Files and Folders in Your Vault {#manage-files-and-folders-in-your-vault}
41
45
42
46
By default, a vault's content will be accessible via an attached virtual drive on your PC.
@@ -55,10 +59,6 @@ Even though your files are shown unencrypted in the virtual drive, they are not
55
59
On Windows, you can choose the drive letter of the virtual drive for each vault using advanced vault options.
56
60
:::
57
61
58
-
## Locking a Vault {#locking-a-vault}
59
-
60
-
To lock a vault, simply click `Lock` and the virtual drive will disappear or render empty. Your files remain encrypted at the vault's location.
61
-
62
62
## Locate Encrypted File {#locate-encrypted-file}
63
63
64
64
The Locate Encrypted File feature helps users find the encrypted version of a specific file. This feature is particularly useful when vault files are versioned and the user wants to restore an older version of a file. As Cryptomator encrypts filenames and obfuscates directory structures, users first locate the encrypted file and then restore an older version of the encrypted file with the third party app.
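Review bot: The `## Locking a Vault {#locking-a-vault}` heading is deleted in this hunk, while the part of the earlier hunk visible here re-adds only the paragraph ("To lock a vault, simply click `Lock` ..."). Please confirm the heading moves together with the paragraph and keeps the same `{#locking-a-vault}` id, since any link that targets that anchor breaks otherwise.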
@@ -75,3 +75,19 @@ A file manager window opens showing the encrypted folder and marking the encrypt
## File System Case Sensitivity {#file-system-case-sensitivity}
80
+
81
+
:::warning
82
+
Cryptomator virtual drives are always case-sensitive. This means `Document.txt` and `document.txt` are treated as two different files, regardless of your operating system.
83
+
:::
84
+
85
+
This behavior is required for Cryptomator's deterministic [filename encryption](/docs/security/vault.md#filename-encryption) to work correctly across all platforms. While Linux users are accustomed to case-sensitive file systems, this can cause unexpected behavior on Windows and macOS where the default file systems are case-insensitive.
86
+
87
+
On Windows and macOS, this difference means:
88
+
89
+
1. Attempting to open `Test.dat` when the file is named `test.dat` will result in a "file not found" error
90
+
2. You can create both `README.md` and `readme.md` in the same directory, which would normally conflict
91
+
3. Some applications may fail when they expect case-insensitive file access
92
+
93
+
Our recommendation is to avoid creating files with names that differ only in case. Make sure to test applications like backup tools or any other software that will access files in your vault to ensure they handle case-sensitive file systems correctly.
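Review bot: The paragraph after the warning says case sensitivity "is required for Cryptomator's deterministic filename encryption to work correctly" but never says why, and that reason is what a Windows or macOS user needs in order to accept the restriction. One sentence would do, for example that the encrypted name is computed from the exact cleartext name, so `Document.txt` and `document.txt` produce unrelated encrypted names that cannot be matched case-insensitively. Item 3 ("Some applications may fail when they expect case-insensitive file access") would also be more useful if it named the symptom the user will see, as item 1 does.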
docs/desktop/adding-vaults.md
4 additions & 0 deletions
@@ -79,6 +79,10 @@ This is especially important if you plan to share a vault with someone.
79
79
Additionally, we recommend sharing passwords only over a secure channel, like PGP encypted emails, or end-to-end encrypted chat apps.
80
80
:::
81
81
82
+
:::info
83
+
Be mindful of your keyboard layout when creating passwords. Special characters and dead keys can behave differently across keyboard layouts (e.g., Dutch vs. English). This may cause password entry issues if you switch keyboard layouts later. For more information, see [Keyboard Layouts and Special Characters](/docs/security/best-practices.md#keyboard-layouts-and-special-characters).
84
+
:::
85
+
82
86
<Imagesrc="/img/desktop/add-vault-4.png"alt="Choose a strong password for your Cryptomator vault"width="718"height="590" />
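Review bot: The new `:::info` box asks the reader to "be mindful" of the keyboard layout but gives no action to take at the moment the password is created. Suggest including the one concrete step from the linked section (lock and unlock the vault once to test the password) so the advice works without following the link. The same text is added almost verbatim to docs/desktop/password-and-recovery-key.md, so a single shared wording would keep the two from drifting apart. While touching this area, the context line above still reads "PGP encypted emails".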
docs/desktop/password-and-recovery-key.md
4 additions & 0 deletions
@@ -34,6 +34,10 @@ In the opened window, you will be asked for:
34
34
2. A new password. We suggest following our guide on choosing a [strong password](/docs/security/best-practices.md#good-passwords).
35
35
3. Enter the new password again.
36
36
37
+
:::info
38
+
Be mindful of your keyboard layout when changing passwords. Special characters and dead keys can behave differently across keyboard layouts (e.g., Dutch vs. English). This may cause password entry issues if you switch keyboard layouts later. For more information, see [Keyboard Layouts and Special Characters](/docs/security/best-practices.md#keyboard-layouts-and-special-characters).
39
+
:::
40
+
37
41
In order to proceed, you must confirm that you understand your action by selecting a checkbox.
38
42
39
43
Finally, click on the `Change` button to change the password.
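Review bot: The `:::info` box is inserted between step 3 of the numbered list ("Enter the new password again.") and the sentence that continues the procedure ("In order to proceed, you must confirm that you understand your action ..."), which splits the instructions in two. Suggest placing it before the list or after the final step ("click on the `Change` button"), and stating the check that matters at this point: after changing the password, lock and unlock the vault once with the keyboard layout you normally use.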
docs/security/best-practices.md
15 additions & 0 deletions
@@ -38,6 +38,21 @@ Thus, we recommend using a password manager to generate and store the passwords.
38
38
By doing so, you only have to remember a few or a single secure password.
39
39
Otherwise, we recommend using at least 10 characters, ideally [use sentences instead of words](https://xkcd.com/936/).
40
40
41
+
### Keyboard Layouts and Special Characters {#keyboard-layouts-and-special-characters}
42
+
43
+
Be aware that keyboard layout differences can affect password entry. When creating a password, consider these important points:
44
+
45
+
* Use the same keyboard layout when entering your password. Characters may produce different results depending on your keyboard language setting.
46
+
* Some keyboard layouts use "dead keys" for accented characters. For example, pressing `'` followed by `e` might produce `é` instead of `'e`. This can cause unexpected character conversion in passwords.
47
+
* Characters like `'`, `"`, `` ` ``, `^`, and `~` may behave differently across keyboard layouts and can be particularly problematic.
48
+
49
+
To avoid issues:
50
+
51
+
* Test your password immediately after setting it by locking and unlocking your vault.
52
+
* Avoid special characters that may be affected by dead keys if you frequently switch between keyboard layouts.
53
+
* If you must use different keyboard layouts, document which layout was used when creating the password.
54
+
* Consider using alphanumeric characters and basic symbols that remain consistent across keyboard layouts.
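Review bot: The last bullet under "To avoid issues" steers users toward "alphanumeric characters and basic symbols", which shrinks the character set without saying how to keep the password strong. Tie it to the context line just above the new section ("at least 10 characters, ideally use sentences instead of words") by stating that a restricted character set should be offset with length. "Basic symbols" is also left undefined next to the list of problematic characters (`'`, `"`, `` ` ``, `^`, `~`), so naming a few that are safe would remove the guesswork.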
docs/security/security-target.md
39 additions & 7 deletions
@@ -8,26 +8,58 @@ sidebar_position: 1
8
8
9
9
Cryptomator was designed to solve privacy issues when saving files to cloud storages.
10
10
11
+
## What Cryptomator Is {#what-cryptomator-is}
12
+
13
+
Cryptomator is a client-side encryption tool for cloud storage services.
14
+
11
15
The risk that the cloud provider or third parties access the data stored in the cloud without permission is mitigated.
12
16
Only people who know the vault password are able to read the files in the vault or change the file contents undetected.
13
17
This is true for file contents as well as for filenames.
14
18
15
19
## What Cryptomator Encrypts {#what-cryptomator-encrypts}
16
20
17
-
To allow a working synchronization with the cloud, there are some meta information that Cryptomator does not encrypt.
18
-
These are:
21
+
Cryptomator encrypts:
19
22
20
-
* access, modification, and creation timestamp of files and folders,
21
-
* number of files and folders in a vault and in the folders, and
22
-
* size of the stored files.
23
+
* file contents,
24
+
* file and folder names, and
25
+
* the directory structure is obfuscated.
26
+
27
+
For technical details on how these elements are encrypted, see [Vault Cryptography](vault.md).
23
28
24
29
## What Cryptomator Is Not {#what-cryptomator-is-not}
25
30
26
31
In addition, you have to keep in mind what Cryptomator is not.
32
+
27
33
Protection of the files on the local computer is not the focus of Cryptomator.
28
-
Cryptomator is not a complete replacement for other encryption tools based on container files if the aforementioned meta information should be encrypted.
34
+
Cryptomator cannot provide protection if the local computer is infected with malware which reads entered passwords and file contents (e.g., files in an unlocked vault).
35
+
29
36
Cryptomator does not provide protection if programs create backup copies of the encrypted files when working with them.
30
37
Such files are not detected by Cryptomator and may remain on the computer even after unlocking a vault.
31
-
Cryptomator cannot provide protection if the local computer is infected with malware which reads entered passwords and file contents (e.g., files in an unlocked vault).
38
+
39
+
Cryptomator is not a complete replacement for other encryption tools based on container files if metadata (like file sizes and timestamps) should be encrypted.
40
+
41
+
Cryptomator is not a [steganography tool](https://en.wikipedia.org/wiki/Steganography). It uses recognizable file extensions (`.c9r`, `.c9s`) and stores configuration files (`vault.cryptomator`, `masterkey.cryptomator`) that make it evident that data is encrypted using Cryptomator. The security of your data relies on strong encryption and a secure password, not on hiding the fact that encryption is being used.
32
42
33
43
To protect against such risks, other methods, like complete disk encryption, immediate installation of system and software updates, and the use of applicable antivirus software, is required.
44
+
45
+
## What Cryptomator Does Not Encrypt {#what-cryptomator-does-not-encrypt}
46
+
47
+
To allow a working synchronization with the cloud, there are some metadata that Cryptomator does not encrypt.
48
+
These are:
49
+
50
+
* access, modification, and creation timestamps of files and folders,
51
+
* number of files and folders in a vault and in the folders, and
52
+
* size of the stored files.
53
+
54
+
## Accepted Risks {#accepted-risks}
55
+
56
+
### Filename Swapping Within Same Directory {#filename-swapping-within-same-directory}
57
+
58
+
An attacker with write access to your cloud storage could swap encrypted filenames within the same directory. While the contents of the files remain secure and any tampering with file contents would be detected, the swapped filenames would not be detected.
59
+
60
+
This is considered a **low risk** vulnerability because:
61
+
- It requires an attacker to already have write access to your vault
62
+
- File contents remain encrypted and tamper-proof
63
+
- The attack only affects filename-to-content mapping within a single directory
64
+
65
+
This is an accepted risk because implementing cryptographic binding between filenames and contents would significantly impact performance, especially on mobile devices and remote storage systems. For more information, see the security advisory documented in [GHSA-qwfw-w5qf-7wcj](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-qwfw-w5qf-7wcj).
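Review bot: After the reordering in "What Cryptomator Is Not", the unchanged sentence "To protect against such risks, other methods, like complete disk encryption ..." now directly follows the new steganography paragraph, so "such risks" points at the wrong item: disk encryption, updates and antivirus address the local-computer, malware and backup-copy paragraphs, not the recognizability of `.c9r` files. Suggest moving that sentence up so it follows those paragraphs. Two wording points in the added text: under "Cryptomator encrypts:" the item "the directory structure is obfuscated" is a full clause inside a noun list and describes obfuscation rather than encryption, so it reads better as its own sentence after the list; and in "Accepted Risks" the bullet "File contents remain encrypted and tamper-proof" overstates the paragraph before it, which says tampering "would be detected", so "tamper-evident" would match.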