Cryptomator

What Is Cryptomator?

Every file you upload to Dropbox, Google Drive, or OneDrive is readable by that provider. Their terms of service say so, their support staff can access it, and their servers are subject to US legal jurisdiction through CLOUD Act requests. For most personal files — holiday photos, shopping lists — this is an acceptable trade-off. For sensitive documents, client data, or anything touching GDPR obligations, it is not.

Cryptomator was built to solve this problem without forcing you to change your workflow. Developed by Skymatic GmbH, a small German software company in Bonn founded in 2016, it sits between your files and your cloud storage as an invisible encryption layer. You see a virtual drive on your computer. You drag files in and work with them normally. Meanwhile, Cryptomator encrypts every file with AES-256 before your cloud sync client can send it anywhere. Your cloud provider receives unintelligible ciphertext. The encryption keys never leave your device.

The product is built on a zero-knowledge principle: Skymatic's servers play no role in the encryption process. There is no account, no key escrow, and no telemetry. When Cure53 — one of Europe's most respected security auditors — independently reviewed Cryptomator's cryptographic implementation, the architecture stood up. The project publishes the full audit report.

Cryptomator has broad platform support. Desktop applications for Windows, macOS, and Linux are free and open-source. Mobile apps for iOS and Android require a one-time purchase (around EUR 14.99), and the vault format is identical across all platforms.

Key Features

Zero-Knowledge Vault Encryption

Each Cryptomator vault is a folder on your filesystem — and inside your cloud storage. Every file placed into the vault is encrypted individually using AES-256 in CTR mode, with HMAC-SHA256 authentication. File names are encrypted using AES-SIV to prevent leaking directory structure. The master key is derived from your vault password using scrypt, a deliberately slow key derivation function that makes brute-force attacks expensive.

This design has important practical consequences. Corrupting or losing one encrypted file does not affect other files in the vault — there is no single-encrypted-container format that becomes unrecoverable. Cloud providers can sync individual encrypted files efficiently without processing the entire vault. And because each file is encrypted separately, version history in services like Dropbox still works on the encrypted files.

Works With Any Cloud Storage

Cryptomator is cloud-agnostic by design. It does not replace your cloud storage client. You continue using Dropbox, Google Drive, OneDrive, iCloud Drive, Box, pCloud, or any service with a local sync folder. The vault folder simply lives inside that sync folder. This means you keep your existing storage capacity, sync speed, and interface — you just add an encryption layer on top.

For self-hosting situations, Cyberduck can mount S3-compatible storage and expose it as a local folder that Cryptomator can then encrypt. The combination gives teams a privacy-preserving S3 workflow without running their own encryption infrastructure.

Cryptomator Hub for Teams

Individual users operate Cryptomator through password-protected vaults. For teams, Skymatic offers Cryptomator Hub — a key management system that allows organisations to share vaults without sharing passwords directly. Hub handles key distribution, access control (grant and revoke individual users), and maintains an audit log of vault access. It is available as a self-hosted solution or as a SaaS offering from Skymatic.

Hub is a meaningful addition for regulated organisations where individual vault passwords create operational risk — if someone leaves the organisation, their vault access should be revocable without re-encrypting all files.

Open-Source Cryptography With Independent Audit

Cryptomator's cryptographic protocol is fully documented and the implementation is open-source under the GNU General Public Licence. Cure53, a German penetration testing firm with an exceptional track record (they also audited ProtonMail and Bitwarden), conducted a security audit and found no critical issues. The audit report is published on Cryptomator's website.

This transparency matters because encryption tools cannot be trusted on marketing claims alone. Skymatic's willingness to submit to independent audit and publish the results is a meaningful signal of technical confidence.

Pricing

Cryptomator's economics are unusual in software: the desktop application that most users need is genuinely free. Windows, macOS, and Linux apps are free downloads with no feature restrictions, no trial periods, and no watermarks.

The mobile apps for iOS and Android are one-time purchases at around EUR 14.99 each. This is a significant departure from subscription models and a fair price for what is effectively unlimited lifetime access to the mobile client. The one-time purchase also funds Skymatic's development — Cryptomator relies on app purchases and donations rather than recurring subscription revenue.

Cryptomator Hub is priced separately for organisations that need team vault management. Skymatic has not published a standard rate card for Hub; pricing is discussed directly with the team. For small teams doing informal vault sharing, individual vaults with a shared password work adequately.

There is no free trial required to evaluate Cryptomator — the desktop version is full-featured from first launch.

EU Compliance & Privacy

Skymatic GmbH's Bonn headquarters places Cryptomator firmly under German and EU law. But the more important compliance characteristic is architectural: Cryptomator is designed so that no personal data, no encryption keys, and no files reach Skymatic's infrastructure at any point.

For organisations subject to GDPR, Cryptomator addresses the problem of cloud storage used for personal data. If files containing personal data are encrypted with Cryptomator before reaching a US cloud provider, those encrypted blobs are arguably not personal data — they are unintelligible without the key that the data controller retains. This does not eliminate the need for a DPA with your cloud provider, but it substantially reduces the risk surface.

The AES-256 encryption standard meets requirements under GDPR's Article 32 pseudonymisation and encryption obligations. The independent Cure53 audit provides documentary evidence of implementation quality that compliance teams can cite.

For personal use, the practical GDPR benefit is straightforward: your cloud provider cannot read your files, so their data practices and US jurisdiction exposure are irrelevant to the encrypted content.

Who It's Best For

Privacy-conscious individuals who already use Google Drive, Dropbox, or iCloud and want to add encryption to sensitive documents without switching providers. Cryptomator requires no technical expertise to set up — create a vault, set a password, drag files in.

Freelancers and consultants handling confidential client documents who store files in cloud storage. Cryptomator provides an encryption layer that satisfies client confidentiality expectations without the operational complexity of a full self-hosted solution.

Small organisations needing GDPR-aware cloud storage without the budget for enterprise solutions. Cryptomator turns commodity cloud storage into GDPR-safer document storage for the cost of the desktop app (zero) plus existing cloud subscriptions.

Regulated teams with existing cloud contracts who cannot or do not want to migrate providers but need to demonstrate encryption of sensitive files at rest and in transit.

The Verdict

Cryptomator solves a specific problem exceptionally well: it adds trustworthy, independently audited encryption to cloud storage you already use. The price point — free for desktop, a one-time EUR 14.99 for mobile — is absurdly low for the security it provides. The limitations are real: no metadata encryption of folder sizes on all platforms, no built-in sharing with non-Cryptomator users, no cloud sync of its own. None of those limitations are bugs; they are the consequence of a focused design. For anyone storing sensitive files in commercial cloud storage, Cryptomator is the most accessible and best-verified encryption tool in the European open-source ecosystem.

Frequently Asked Questions

Is Cryptomator GDPR compliant?

Yes. Cryptomator operates entirely client-side — no files, keys, or personal data are transmitted to Skymatic's servers. Encryption and decryption happen locally on your device. Skymatic GmbH is a German company subject to GDPR, but practically speaking, they never receive your data in the first place. For cloud GDPR compliance, encrypted Cryptomator vaults stored with a US provider significantly reduce risk by making the content unreadable without your local key.

Does Cryptomator replace my cloud storage provider?

No. Cryptomator works alongside your existing cloud storage setup. You keep using Dropbox, Google Drive, or whichever service you prefer — Cryptomator adds an encryption layer by creating an encrypted vault folder that your cloud provider syncs without being able to read the contents. You need both a cloud sync client and Cryptomator installed simultaneously.

Can I use Cryptomator for free?

The desktop applications for Windows, macOS, and Linux are completely free and open-source. Mobile apps for iOS and Android require a one-time purchase of around EUR 14.99. There is no subscription and no recurring fee for the desktop version.

What encryption does Cryptomator use?

Cryptomator uses AES-256 for file content encryption with a randomly generated master key, protected by your vault password via scrypt key derivation. File names are encrypted using AES-SIV. The cryptographic implementation is open-source under GPL and was independently audited by German security firm Cure53.

Can I share encrypted files with someone who does not have Cryptomator?

No. Encrypted vault files are unreadable without Cryptomator and the vault password. Anyone you want to share files with needs to install Cryptomator and have the vault password. For sharing with external recipients, share files outside the vault in unencrypted form, or use Cryptomator Hub for managed team access.