Does the authentication part actually work?


I just installed the Cryptomator app to test it. Reviewing the Cryptomator architecture, it seems that the AES-SIV is used for encryption, which is the AES encryption with a variant of the GCM mode for authentication (the SIV, to ensure that the nonce is not reused). The authenticated encryption means that if an adversary modifies the ciphertext, the change is detected and the program either produces an error or at least a warning notifying the user that the ciphertext has been modified (integrity check).

I deleted some files in the encrypted directory and modified some others, and the Cryptomator opens the vault without any unusual message. Comparing the directories, I see that both deleted and modified files are missing. The log files 0-9 appear normal as well (2 lines of standard info).

Is this how it’s supposed to work, or am I missing something?

(I also noticed there seem to be issues with symbolic links).

Two things we need to distinguish:

  • SIV is used for file names (and it is roughly based on CTR with the IV derived via CMAC on the plaintext)
  • CTR + HMAC is used for file contents (in an encrypt-then-mac fashion)

Every file is encrypted independently of other files. This means deleting or modifying one file doesn’t harm the authenticity of other files.

Cryptomator checks the authenticity of ciphertext before decrypting. Therefore decryption will fail when tampering with file contents. But again: Only for the files affected.

Therefore it is expected behaviour that tampered files will no longer be accessible (they might still show up in a directory listing, though, if the filename is ok).
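The per-file behaviour described in the answer above, as an added sketch that is not part of the original thread and is not Cryptomator's code. Assumptions: a SHA-256 counter keystream stands in for AES-CTR (the Python standard library has no AES), the `nonce | ciphertext | tag` layout and all function names are constructed for illustration, and file names are left in the clear (the SIV file name layer is omitted).

```python
import hashlib, hmac, os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # Stand-in for AES-CTR (assumption): SHA-256 over key | nonce | counter.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def encrypt_file(enc_key, mac_key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, enc_key, nonce)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_file(enc_key, mac_key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # authenticity is checked before decrypting
        raise ValueError("authentication failed")
    return _xor(ct, enc_key, nonce)

def open_vault(enc_key, mac_key, vault):
    # Each file is verified on its own, so one failure does not affect the others.
    readable, rejected = {}, []
    for name, blob in vault.items():
        try:
            readable[name] = decrypt_file(enc_key, mac_key, blob)
        except ValueError:
            rejected.append(name)
    return readable, sorted(rejected)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    vault = {n: encrypt_file(enc_key, mac_key, n.encode() + b" contents")
             for n in ("a.txt", "b.txt", "c.txt")}  # constructed sample files
    del vault["a.txt"]                  # deleted file: no per-file MAC can notice this
    blob = bytearray(vault["b.txt"])
    blob[NONCE_LEN + 4] ^= 0x01         # one flipped ciphertext bit
    vault["b.txt"] = bytes(blob)
    return open_vault(enc_key, mac_key, vault)
```

`demo()` returns the untouched file as readable and the modified file as rejected, while the deleted file appears in neither list: detecting a missing file would need an authenticated record of the directory contents, which per-file tags do not provide.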


Yes, I understand that the order in authenticated encryption is encrypt-then-HMAC, and that HMAC tags are produced independently.

Given that for some files HMACs might fail to be verified upon decryption, is there a way to notify the user of failed instances (ideally in a warning summary printed in the GUI, but at least in log files)?

I can see you have a command line interface as well:

Could we force decryption of the un-authenticated files in the read only format for diagnosis (with safe flags, of course)?

Thank you!