📬 Use Cryptomator to encrypt files on Google Drive, Microsoft OneDrive, and Dropbox
5 min read

📬 Use Cryptomator to encrypt files on Google Drive, Microsoft OneDrive, and Dropbox

How and why we use Cryptomator, a free tool that lets you encrypt files before they are synced to Google Drive or other cloud storage provider.
Person working on laptop leaning against glass wall through which racks of servers for cloud storage can be seen.
Photo by Christina @ wocintechchat.com / Unsplash

To understand why we would bother layering Cryptomator onto cloud storage (glossary) and sync tools, understand first why countries have data protection laws.

Cloud storage (glossary) lets you store files through the internet. You already use cloud storage. Probably Google Drive, Microsoft's OneDrive, or pCloud. Cloud storage is what allows you to use sync tools, which let you access the same files from different devices.

Cloud storage subscriptions can also be cheaper, in the short-term, compared to buying a computer with larger storage or external storage.

But, consumer-grade cloud storage, while good enough for many people, just won't cut it with businesses of any size and security/privacy-aware professionals.

Why encrypt files before syncing to cloud storage

Just like there are laws protecting property ownership and personal safety, data protection laws exist because data is valuable enough to need legal protection. Data has measurable value, like the bike we own, and our personal safety.

These data protection laws are different depending on where you live or where your business operates. Some laws extend to cover more forms of data, and some less.

In Canada, for example, medical data is among the best protected categories of data. As a consequence, one legal requirement is that medical data held by Canadian businesses cannot be stored outside of Canada.

What difference does it make where data is stored?

Data stored using cloud storage (glossary) lives on another computer somewhere. This computer, a server, is physically located anywhere.

The legal enforcer of Canadian data protection laws are the federal and provincial governments. Within Canada, the operators of cloud storage can be legally compelled by federal and provincial governments to use tough security and reliable practices. But operators outside the country don't fall under these protections.

Operators elsewhere would follow their own data protection laws, which could be more effective, less effective, or non-existent.

So if a Canadian business stores valuable medical data outside the protection of Canadian data protection laws, that data wouldn't benefit from the protection required by Canadian laws.

It can be difficult to find local storage providers that both fit business requirements and have a good user experience on their apps (glossary).

To use the most convenient cloud storage on the market and make them comply with the data protection laws of your region, use end-to-end encryption (glossary).

Putting cloud storage through end-to-end encryption

Like how you add a private key to protect your Backblaze backups from being used by anyone but yourself, you can use Cryptomator to protect files in cloud storage. This is end-to-end encryption (glossary). It's "end-to-end" because encryption is unbroken between the ends where you access your files.

We'll use a common acronymn for end-to-end encryption-E2EE.

A tool like Cryptomator allows E2EE by scrambling your files before uploading through the internet, using a dedicated key or password. Even if your cloud storage is breached, your files are protected with its own password.

🛠 Cryptomator cheatsheet
Tips, links, and resources: Cryptomator makes cloud storage safer for you.

Can your cloud storage provider access files not end-to-end encrypted?

The providers of cloud storage usually give themselves the ability to access what you store in it. Reputable providers likely don't routinely use that access. The provider may even be legally prevented from accessing your data. But, in some cases beyond your control, that legal protection could be suspended.

Very simply put, Microsoft as your storage provider can see your OneDrive files, if they decided it was necessary.

E2EE prevents your cloud storage provider from accessing your files.

Think of this like your parcel pick-up point.

Let's think of your parcel for a pair of jeans you got from a webshop, like Amazon, and it gets delivered to a pick-up location. When you go to that location to pick-up your parcel, you show ID or a code to prove that you have the right to pick-up that parcel. This is like signing into your cloud storage using credentials (glossary).

It's possible for people at your parcel pick-up point to open your parcel, have a look at the waist size your ordered, try on the pants. Laws and regulations technically deter them from doing this, but these could be ignored or worked around. This is like the average cloud storage provider.

Using good E2EE is like Amazon locking up your jeans in a parcel that is impossible to open without a key which you have. The credentials you show when you pick up the parcel are not the same as the key. You take the protected parcel home, use your key to open it, and get your jeans.

E2EE allows you to control the only key that allows access to your jeans-sorry, files. Only those with the key can access files. Keep the key to yourself. Or choose to give the key to members of your team or clients, as needed. Like if you lent the key to Amazon, to protect your jeans before mailing them to you.

Setting up Cryptomator

How do I set up Cryptomator?
Cryptomator’s only task is encryption. The application does not connect to a cloud storage service directly (only applicable to Cryptomator for Desktop). If you would like to use Cryptomator to encrypt your cloud storage, you either have to install a sync tool (e.g., Dropbox, Google Drive, etc.) or…
Instructions for setting up Cryptomator.

Use Cryptomator's first-party instructions to get started. Use Support if you need help.

Using Cryptomator to apply E2EE to cloud storage also works with Nextcloud, Dropbox, anything really that creates a local (glossary) directory (glossary) on your computer which you use to sync files.

To encrypt files on Dropbox, you'll need the Dropbox app on your device working alongside Cryptomator. The same applies to the other storage providers.

Cryptomator only handles encryption. The cloud storage apps continue to handle sync.


Helpful words


  1. https://www.nist.gov/publications/guidelines-improving-security-and-privacy-public-cloud-computing
  2. https://helpdesk.it.helsinki.fi/en/instructions/information-security-and-cloud-services/information-security/cryptomator
Dog with heart-shaped nose in a screen, AKA the Majorcord logo.