Cryptomator on Windows: Accessing your vault with admin privileges

Hey folks,

after we introduced Dokany with version 1.4.0 as another unlocked vault provider and, after a while, changed it to be the default one, several Windows users reported the following:

The Problem: Processes (aka programs) do not have access to an unlocked vault, even when Cryptomator is started with admin privileges.

The reason for this is the following: Cryptomator has no user management, so after your vault is unlocked and you have a decrypted view of it, with Dokany either only the current user (you) or everyone has access. For security reasons we set it to the first option. And as long as you started Cryptomator and not the administrator, he/she has no access to your unlocked vaults.

The Solution: With version 1.4.12 we added the feature to give the vault provider custom mount options. For Dokany one of these is the flag CURRENT_SESSION, and it does exactly what is described above: only you and all processes with your identity can see and therefore access the vault. You can remove it, but be aware of the implications: every process is able to access the vault afterwards. To remove it, go to the vault-specific settings (before 1.5.0: advanced settings of a vault), tick the checkbox “Use custom mount options” and remove only the string --options CURRENT_SESSION.

Hope it helps.

Remark: People complain that if they start Cryptomator with admin privileges they cannot access the unlocked vaults anymore. The reason for it is the same as above: they tried to access the vaults with their user account and not the administrator’s.
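The post above explains the symptom in terms of identities and sessions. The following diagnostic is an added example for this thread (not code from Cryptomator or Dokany) that makes the difference visible: run it once from a normal PowerShell window and once from a window started “as administrator” while a vault is unlocked, and compare the identity, elevation state, logon session and whether the vault drive is reachable. The drive letter X: is an assumption; change it to the letter your vault is mounted on.

```powershell
# Added example for this thread, not part of Cryptomator or Dokany.
# Run once from a normal PowerShell window and once from an elevated one.
param(
    [string]$VaultDrive = 'X:'   # assumption: the drive letter of your unlocked vault
)

# Who is this process running as, and is its token elevated?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# `whoami /logonid` prints the logon session identifier (S-1-5-5-...).
# Under UAC an elevated process runs in a different logon session than the
# non-elevated desktop shell, which is consistent with a drive mounted
# "for the current session only" not being visible to the elevated process.
$logonId = (whoami /logonid | Select-Object -Last 1).Trim()

"User:          $($identity.Name)"
"Elevated:      $elevated"
"Logon session: $logonId"

# Is the unlocked vault reachable from this process at all?
if (Test-Path -LiteralPath "$VaultDrive\") {
    "Vault drive $VaultDrive is visible from this process. First entries:"
    Get-ChildItem -LiteralPath "$VaultDrive\" -Force |
        Select-Object -First 5 -ExpandProperty Name
} else {
    "Vault drive $VaultDrive is NOT visible from this process."
    "If this window is elevated but Cryptomator was unlocked from a non-elevated one,"
    "this is the CURRENT_SESSION behaviour described in the post above."
}
```

If the non-elevated window shows the drive and the elevated one does not, the vault is mounted with the default --options CURRENT_SESSION and the two windows run in different logon sessions; the fix is either to start Cryptomator itself elevated, to use an elevated file manager as described later in this thread, or to remove the flag with the consequences the post warns about.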


Since I’m not familiar with how Windows handles user privileges in detail:

How big of a risk is it to remove the CURRENT_SESSION flag? Don’t all programs I start or have running on Windows have the right to access my files anyway?

PS: I’m referring to a use case where I’m the only one with a user account on the machine.

According to the Dokany documentation, the flag does the following:

Mount the drive on current session only

I guess it’s more a question of visibility than of user privileges.

No, not necessarily. As in the Linux world, you have different groups, each having their own access rights. Even if you are the only user on your machine, there exist several built-in accounts. Among those is, for example, the “Anonymous Logon” group, which by default has no rights. At system startup there may be processes started without your user ID, which thus may have different rights.

In general I would say the risk is low. If you have an account on a multi user system you should be aware of it but otherwise you can remove the option safely.

Thanks for clarifying!

I have just tried it, and without --options CURRENT_SESSION any user on the system has read/write access to the mounted vault.

I had the same issue with not seeing my mounted drive when starting Cryptomator as admin (SyncBack can’t see the Cryptomator drive) and removing --options CURRENT_SESSION solved it.

Before this topic was linked to me by @infeo, thus fixing my problem, I also realized something. The reason why people can’t access the unlocked vaults via normal means - Windows Explorer is that explorer.exe is not running as admin. That’s also the reason why some copy etc. operations in the system drive show a UAC prompt.

For anyone who doesn’t want to remove --options CURRENT_SESSION and wants to run Cryptomator as admin, a simple workaround is to access the vault by running a third party file explorer as admin. Another thing I was contemplating before applying this fix was to make a task using Task Scheduler, to run Cryptomator as admin on startup instead of using the built-in option. This might be a good solution for those who don’t want all users to access the unlocked vault, but also don’t want to manually start Cryptomator as admin every time.

© 2020 Skymatic GmbH