Version 44 (modified by dkocher, on May 29, 2017 at 9:19:33 AM) (diff) |
Cryptomator
Available in version 6.0 or later.
Cyberduck supports client-side encryption with Cryptomator-interoperable vaults to secure your data on any server or cloud storage.
The Cyberduck encryption feature is based on the excellent concepts and work of Cryptomator. Cryptomator is free and open source software. Since Cyberduck is also open source software, anyone is able to audit the source code. That means no security by obscurity, no hidden backdoors from third parties, and no need to trust anyone except yourself.
Compared to other client-side encryption solutions, the Cryptomator-based approach yields a few crucial advantages:
- in addition to file content encryption, file and directory names are also encrypted and directory structures are obfuscated
- no online services, no subscriptions, no accounts
- no need to share your cloud storage provider credentials
Encryption Security Architecture
Please refer to the Cryptomator security overview for more details.
Masterkey
Each vault has its own 256-bit encryption masterkey and 256-bit MAC masterkey, used for encrypting file-specific keys and for file authentication, respectively. Both keys are encrypted using RFC 3394 key wrapping with a KEK derived from the user's password using scrypt.
The wrapped keys (with some additional metadata) are stored remotely in a JSON file named masterkey.cryptomator in the root directory of the vault.
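As an added illustration of the key wrapping step (this is not Cyberduck's or Cryptomator's code, which are Java projects), the following Go program implements the RFC 3394 wrap and unwrap that protect the two masterkeys, using only the standard library. The KEK and the two masterkeys are constructed stand-in values; in a real vault the KEK is derived from the passphrase with scrypt, which this example does not implement. The point to take from it is the unwrap's integrity check on the 64-bit IV: a wrong KEK (wrong passphrase) or a corrupted file is rejected, and without the KEK the wrapped bytes reveal nothing, which is why the masterkey file can be kept on the remote storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed integrity check value A6A6A6A6A6A6A6A6 (RFC 3394, section 2.2.3).
var rfc3394IV = bytes.Repeat([]byte{0xA6}, 8)

// xorCounter XORs the 64-bit big-endian step counter t into the 8-byte register b.
func xorCounter(b []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for i := range b {
		b[i] ^= tb[i]
	}
}

// split64 copies data into independent 8-byte registers R[0..n-1].
func split64(data []byte) [][]byte {
	r := make([][]byte, len(data)/8)
	for i := range r {
		r[i] = append([]byte{}, data[8*i:8*i+8]...)
	}
	return r
}

// WrapKey is the RFC 3394 wrap operation: key material of at least 16 bytes and a
// multiple of 8 is wrapped under kek, yielding len(key)+8 bytes.
func WrapKey(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key data must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a, r, buf := append([]byte{}, rfc3394IV...), split64(key), make([]byte, 16)
	n := len(r)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i])
			block.Encrypt(buf, buf)        // B = AES(K, A | R[i])
			copy(a, buf[:8])               // A = MSB64(B) ^ t, with t = n*j + i (i counted from 1)
			xorCounter(a, uint64(n*j+i+1)) //
			copy(r[i], buf[8:])            // R[i] = LSB64(B)
		}
	}
	return append(a, bytes.Join(r, nil)...), nil
}

// UnwrapKey inverts WrapKey and fails unless the recovered register equals the IV;
// that check is what makes a wrong KEK (wrong passphrase) or a corrupted file detectable.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be at least 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a, r, buf := append([]byte{}, wrapped[:8]...), split64(wrapped[8:]), make([]byte, 16)
	n := len(r)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			copy(buf[:8], a)
			xorCounter(buf[:8], uint64(n*j+i+1))
			copy(buf[8:], r[i])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[i], buf[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	return bytes.Join(r, nil), nil
}

func main() {
	// Constructed stand-in KEK; a real vault derives it with scrypt from the user's passphrase.
	kek := bytes.Repeat([]byte{0x42}, 32)
	for _, masterkey := range [][]byte{bytes.Repeat([]byte{0x01}, 32), bytes.Repeat([]byte{0x02}, 32)} {
		wrapped, err := WrapKey(kek, masterkey) // constructed 256-bit encryption and MAC masterkeys
		if err != nil {
			panic(err)
		}
		fmt.Println("wrapped:", hex.EncodeToString(wrapped)) // the form in which a masterkey is stored
		_, err = UnwrapKey(bytes.Repeat([]byte{0x43}, 32), wrapped)
		fmt.Println("unwrap with wrong KEK:", err)
	}
}
```

Run it with `go run`. Each 32-byte masterkey wraps to 40 bytes; the extra 8 bytes carry the integrity register that the unwrap compares against the IV, so no separate checksum or MAC of the masterkeys is needed to detect a wrong passphrase.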
Filename Encryption
Cryptomator uses AES-SIV to encrypt file names as well as directory names. In addition to the name, the unique directory ID of the parent directory is passed as associated data. This prevents undetected moving of files between directories.
File Header Encryption
The file header stores certain metadata needed for file content encryption. It consists of 88 bytes:
- 16 bytes nonce used during header payload encryption
- 40 bytes AES-CTR encrypted payload consisting of:
  - 8 bytes filled with 1 bits (0xFF), reserved for future use (formerly used for the file size)
  - 32 bytes file content key
- 32 bytes header MAC of the previous 56 bytes
File Content Encryption
The cleartext is broken down into multiple chunks, each up to 32 KiB + 48 bytes, consisting of:
- 16 bytes nonce
- up to 32 KiB payload encrypted using AES-CTR with the file content key
- 32 bytes MAC of:
  - the file header nonce (to bind this chunk to the file header)
  - the chunk number as an 8-byte big-endian integer (to prevent undetected reordering)
  - the chunk nonce
  - the encrypted payload
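The header and chunk layout described in the two sections above, as an added Go example that is not Cyberduck's or Cryptomator's own code (standard library only). Assumptions not stated on the page: the MAC is HMAC-SHA256 keyed with the vault's MAC masterkey for both the header and the chunks, chunk numbering starts at 0, and the two vault masterkeys are random stand-ins rather than keys unwrapped from a masterkey file. DecryptFile verifies every MAC before releasing cleartext, and the main function shows that swapping two chunks of an otherwise intact file is rejected because the chunk number is bound into each chunk's MAC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const nonceLen, macLen, payloadMax = 16, 32, 32 * 1024
const headerLen = nonceLen + 40 + macLen        // 88 bytes: nonce, encrypted payload, MAC
const chunkMax = nonceLen + payloadMax + macLen // 32 KiB + 48 bytes

// aesCTR encrypts or decrypts in with AES-CTR under key, starting at nonce.
func aesCTR(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// tag is the MAC, assumed here to be HMAC-SHA256 over the concatenated parts.
func tag(macKey []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, macKey)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// chunkNumber is the chunk index as an 8-byte big-endian integer; numbering from 0 is an assumption.
func chunkNumber(i uint64) []byte { return binary.BigEndian.AppendUint64(nil, i) }

// EncryptFile returns header || chunks: header = nonce || AES-CTR(encKey, nonce, 0xFF*8 || contentKey) ||
// MAC(first 56 bytes); chunk i = nonce || AES-CTR(contentKey, nonce, cleartext) || MAC(headerNonce || i || nonce || ciphertext).
func EncryptFile(encKey, macKey, cleartext []byte) []byte {
	hdrNonce, contentKey := randomBytes(nonceLen), randomBytes(32)
	payload := append(bytes.Repeat([]byte{0xFF}, 8), contentKey...)
	out := append(append([]byte{}, hdrNonce...), aesCTR(encKey, hdrNonce, payload)...)
	out = append(out, tag(macKey, out)...)
	for i := uint64(0); len(cleartext) > 0; i++ {
		n := len(cleartext)
		if n > payloadMax {
			n = payloadMax
		}
		nonce := randomBytes(nonceLen)
		ct := aesCTR(contentKey, nonce, cleartext[:n])
		out = append(append(append(out, nonce...), ct...), tag(macKey, hdrNonce, chunkNumber(i), nonce, ct)...)
		cleartext = cleartext[n:]
	}
	return out
}

// DecryptFile verifies the header MAC and then every chunk MAC, in order, before returning cleartext.
func DecryptFile(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < headerLen {
		return nil, fmt.Errorf("file shorter than the %d-byte header", headerLen)
	}
	hdr, body := data[:headerLen], data[headerLen:]
	if !hmac.Equal(tag(macKey, hdr[:56]), hdr[56:]) {
		return nil, fmt.Errorf("header MAC mismatch: wrong vault keys or tampered header")
	}
	contentKey := aesCTR(encKey, hdr[:nonceLen], hdr[nonceLen:56])[8:] // skip the 8 reserved 0xFF bytes
	var plain []byte
	for i := uint64(0); len(body) > 0; i++ {
		n := len(body)
		if n > chunkMax {
			n = chunkMax
		}
		if n < nonceLen+macLen {
			return nil, fmt.Errorf("chunk %d: truncated", i)
		}
		nonce, ct, mac := body[:nonceLen], body[nonceLen:n-macLen], body[n-macLen:n]
		if !hmac.Equal(tag(macKey, hdr[:nonceLen], chunkNumber(i), nonce, ct), mac) {
			return nil, fmt.Errorf("chunk %d: MAC mismatch (modified, reordered or moved from another file)", i)
		}
		plain = append(plain, aesCTR(contentKey, nonce, ct)...)
		body = body[n:]
	}
	return plain, nil
}

func main() {
	encKey, macKey := randomBytes(32), randomBytes(32) // stand-ins for the two vault masterkeys
	ct := EncryptFile(encKey, macKey, bytes.Repeat([]byte("x"), 70000))
	// Swap chunks 0 and 1 in the stored ciphertext: each chunk is still authentic on its
	// own, but the chunk number bound into the MAC exposes the reordering.
	swapped := append([]byte{}, ct...)
	copy(swapped[headerLen:], ct[headerLen+chunkMax:headerLen+2*chunkMax])
	copy(swapped[headerLen+chunkMax:], ct[headerLen:headerLen+chunkMax])
	_, err := DecryptFile(encKey, macKey, swapped)
	fmt.Println("reordered file:", err)
}
```

Run it with `go run`; it prints the chunk 0 MAC mismatch. The example covers only the file format: filename encryption and the masterkey file are separate steps, and a real implementation would stream chunks rather than hold the whole file in memory.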
Create new Vault
You can create a new vault directory anywhere on your remote storage.
Cyberduck
Choose File → New Vault… to create a new vault.
Mountain Duck
Choose New Vault… from the Finder Extension toolbar or context menu using right click in Finder or Windows Explorer.
Choose a name for the vault folder and a passphrase to secure the vault.
A backup of the master key file (masterkey.cryptomator) is saved in user defaults. The encrypted keys in masterkey.cryptomator are not more sensitive than the encrypted files in the vault. For technical details, refer to the Masterkey section above.
Unlock Vault
When opening a directory in the browser that is a Cryptomator vault, a prompt is displayed to unlock the vault using the provided passphrase and decrypt the directory and filenames. If you cancel the prompt, the encrypted vault content is displayed.
Save Passphrase
You can check Add to Keychain to save the passphrase to open the vault with the master key file in your login keychain. The checkbox is disabled by default. Another application that wants to access the vault passphrase from the login keychain will trigger a permission prompt.
File Transfers
File transfers require you to unlock the vault again unless you have chosen to save your vault passphrase in the keychain.
Browser
You can open and browse multiple vaults on a server in a single browser window. For each vault to be opened you will be prompted for your passphrase to decrypt the filenames. Decrypted filenames shown while browsing a vault carry a padlock overlay icon.
Moving files into vault
You can move files to and from the vault. Because files need to be encrypted or decrypted respectively, they pass through your local computer and cannot be moved on the server side.
Access vaults on local disk
Both Cyberduck and Mountain Duck support browsing your local disk to access vaults created on your computer.
Known Limitations
- Changing the vault passphrase is currently not supported.
- A vault cannot be deleted while it is unlocked. Choose Cancel in the vault password prompt to skip unlocking the vault after selecting the vault folder for deletion.