
Version 15 (modified by yla, on Jan 9, 2017 at 12:31:32 PM)



Support for client-side encryption with Cryptomator interoperable vaults.

The Cyberduck encryption feature is based on the excellent concepts and work of Cryptomator. Cryptomator is free and open source software. Since Cyberduck is also open source software, anyone is able to audit the source code. That means no security by obscurity, no hidden backdoors from third parties, no need to trust anyone except yourself.

Compared to other client-side encryption solutions, the Cryptomator-based approach yields a few crucial advantages:

  • in addition to file contents, filenames are also encrypted and directory structures are obfuscated
  • no online services, no subscriptions, no accounts
  • no need to share your cloud storage provider credentials

Encryption Security Architecture

Please refer to the Cryptomator security overview for more details.


Each vault has its own 256-bit encryption master key and MAC master key, used for encrypting file-specific keys and for file authentication, respectively. Both keys are encrypted using RFC 3394 key wrapping with a key-encryption key (KEK) derived from the user's password using scrypt.

The wrapped keys are stored in a JSON file named masterkey.cryptomator located in the root directory of a vault.
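
The scheme described above, as an added Node.js example that is not Cyberduck's or Cryptomator's own code: scrypt derives the KEK, RFC 3394 wraps both master keys, and the result is serialized to JSON. The scrypt cost values, salt length and JSON field names are assumptions made for this example and do not reproduce the real masterkey.cryptomator layout.

```javascript
const crypto = require('node:crypto');

// RFC 3394 default initial value; OpenSSL's AES key-wrap mode takes it as the IV.
const RFC3394_IV = Buffer.alloc(8, 0xa6);
// Sample scrypt cost settings chosen for this example (assumption, not from the page).
const SAMPLE_COST = { N: 2 ** 14, r: 8, p: 1 };

// Derive a 256-bit key-encryption key (KEK) from the passphrase with scrypt.
function deriveKek(passphrase, salt, cost = SAMPLE_COST) {
  return crypto.scryptSync(passphrase, salt, 32, cost);
}

// RFC 3394 wrap: a 32-byte key becomes 40 bytes (8-byte integrity block added).
function wrapKey(kek, key) {
  const c = crypto.createCipheriv('aes256-wrap', kek, RFC3394_IV);
  return Buffer.concat([c.update(key), c.final()]);
}

// RFC 3394 unwrap: throws when the integrity check fails, e.g. for a wrong KEK.
function unwrapKey(kek, wrapped) {
  const d = crypto.createDecipheriv('aes256-wrap', kek, RFC3394_IV);
  return Buffer.concat([d.update(wrapped), d.final()]);
}

// Generate both master keys plus the JSON text to store (field names are hypothetical).
function createVaultKeys(passphrase) {
  const salt = crypto.randomBytes(16);
  const kek = deriveKek(passphrase, salt);
  const [encKey, macKey] = [crypto.randomBytes(32), crypto.randomBytes(32)];
  const json = JSON.stringify({
    salt: salt.toString('base64'),
    cost: SAMPLE_COST,
    wrappedEncKey: wrapKey(kek, encKey).toString('base64'),
    wrappedMacKey: wrapKey(kek, macKey).toString('base64'),
  });
  return { encKey, macKey, json };
}

// Recover both keys from the JSON text; returns null for a wrong passphrase.
function unlockVaultKeys(json, passphrase) {
  const f = JSON.parse(json);
  const kek = deriveKek(passphrase, Buffer.from(f.salt, 'base64'), f.cost);
  try {
    const unwrap = (w) => unwrapKey(kek, Buffer.from(w, 'base64'));
    return { encKey: unwrap(f.wrappedEncKey), macKey: unwrap(f.wrappedMacKey) };
  } catch {
    return null;
  }
}
```

Because the file holds only wrapped keys, an attacker who copies it still has to guess the passphrase through scrypt, which is why the key file is no more sensitive than the encrypted vault contents.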

Filename Encryption


File Content Encryption


Create new Vault

Choose File → New Vault… to create a new vault.

Important: The passphrase for the vault cannot be changed later. Make sure to use a strong passphrase where the password strength indicator is fully green.

A backup of the master key file (masterkey.cryptomator) is saved in user defaults. The encrypted key in masterkey.cryptomator is not more sensitive than the encrypted files in the vault. For technical aspects, refer to Masterkey Derivation.

Unlock Vault

When opening a directory in the browser that is a Cryptomator vault, a prompt is displayed to unlock the vault using the provided passphrase and decrypt the directory and filenames. If you cancel the prompt, the encrypted vault content is displayed.

Save Passphrase

You can check Add to Keychain to save the passphrase used to open the vault with the master key file in your login keychain. The checkbox is disabled by default.


You can open and browse multiple vaults on a server in a single browser window. For each vault to be opened, you will be prompted for your passphrase to decrypt the filenames. Decrypted filenames are shown with a padlock overlay icon when browsing a vault.