Cryptomator on Windows: Accessing your vault with admin privileges

Hey folks,

after we introduced Dokany with version 1.4.0 as another unlocked vault provider and changed it after a while to be the default one, several Windows users reported

The Problem: Processes (aka programs) do not have access to an unlocked vault, even when Cryptomator is started with admin privileges.


The Reason for it is the following: Cryptomator has no user management and so, after your vault is unlocked and you have a decrypted view of it, with Dokany either only the current user (you) or everyone has access. For security reasons we set it to the first one. And as long as you started Cryptomator and not the administrator, he/she has no access to your unlocked vaults.


The Solution: With version 1.4.12 we added the feature to give the vault provider custom mount options. For Dokany one of these is the flag CURRENT_SESSION and it does exactly what is described above: Only you and all processes with your identity can see and therefore access the vault. You can remove it, but be aware of the implications: Every process is able to access the vault afterwards. To remove it, go to the vault-specific settings (before 1.5.0: advanced settings of a vault), click the checkbox “Use custom mount options” and remove only the string --options CURRENT_SESSION.

Hope it helps.

Remark: People complain that if they start Cryptomator with admin privileges they cannot access the unlocked vaults anymore. The reason for it is the same as above: They tried to access the vaults with their user account and not the one of the administrator.

5 Likes

Since I’m not familiar with how Windows handles user privileges in detail:

How big of a risk is it to remove the CURRENT_SESSION flag? Don’t all programs I start or have running on Windows have the right to access my files anyway?

PS: I’m referring to a use case where I’m the only one with a user account on the machine.

According to the Dokany documentation, the flag does the following:

Mount the drive on current session only

I guess it’s more a question of visibility rather than user privileges.

No, not necessarily. Like in the Linux world, you have different groups, each having their own access rights. Even if you are the only user on your machine, there exist several built-in accounts. Among those is for example the “Anonymous Logon” group, which by default has no rights. At system startup there may be processes started without your user id and thus may have different rights.

In general I would say the risk is low. If you have an account on a multi-user system you should be aware of it, but otherwise you can remove the option safely.

Thanks for clarifying!
