Encryption on the fly

Hi there,

I have a question about the encryption process.

Let's say I have a file that is 1GB big on my Windows computer and now drag and drop that into a vault.

What will happen on the technical level? Will the file be encrypted and the “normal” one deleted, or what happens to the file that was not encrypted?

Is it possible that I can find that file because it's in the trash or with a file recovery tool, or will that file be changed itself?

Thank you! :))

That depends if you are moving or copying the file to the vault. If you are moving the file it could possibly be recovered using a recovery tool. If you are copying the file it is still present. Usually Windows will copy the file to the vault if you are using drag and drop without holding a key.


Sorry, I meant of course if I move them. If I copy them it's clear that there will be a version that is unencrypted. But what happens if I move them?

If you move them they won’t show up in the recycle bin or anywhere else in the file explorer, but they can possibly be recovered using a recovery tool.

Can they, or can't they? Would be nice to have a “solid” answer from a developer who can answer this :o

From a technical point of view, you can’t move files between different file systems. Since the virtual drive provided by Cryptomator is a different file system, it’s always a copy. However, an operating system can simulate a move by “copying first and then deleting the old copy”. That’s what Windows is doing under the hood and this is totally up to the operating system, not Cryptomator itself.

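The copy-then-delete behaviour described in the reply above, as an added Python example that is not part of the thread and is not Cryptomator or Windows code: a move that tries a rename first and falls back to copy plus delete when the destination is on another file system. The function names and the injectable `rename` parameter are assumptions made so that both cases can be run on a machine with a single volume.

```python
import errno
import os
import shutil
import tempfile

SAMPLE = b"constructed sample data"  # constructed input, not from the thread


def move_file(src, dst, rename=os.rename):
    """Move src to dst and return "rename" or "copy+delete"."""
    try:
        # Same file system: only the directory entry changes, no data is rewritten.
        rename(src, dst)
        return "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:  # EXDEV: source and target are on different file systems
            raise
    # Different file system: the content is written again at the destination.
    shutil.copy2(src, dst)
    # Removing the source only unlinks its name. The sectors that held the
    # plaintext are not overwritten, which is why recovery tools may find it.
    os.remove(src)
    return "copy+delete"


def _cross_device(src, dst):
    # Hypothetical stand-in for a rename onto another volume (e.g. a vault drive).
    raise OSError(errno.EXDEV, "constructed cross-device error")


def demo():
    """Run both cases; return (strategy, source_still_listed, content_intact)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, rename in (("a.txt", os.rename), ("b.txt", _cross_device)):
            src = os.path.join(tmp, name)
            dst = os.path.join(tmp, "moved-" + name)
            with open(src, "wb") as fh:
                fh.write(SAMPLE)
            how = move_file(src, dst, rename)
            with open(dst, "rb") as fh:
                intact = fh.read() == SAMPLE
            results.append((how, os.path.exists(src), intact))
    return results


if __name__ == "__main__":
    print(demo())
```

In both cases the source name disappears from the directory listing, so the two strategies look the same to the user; only the second one leaves a second copy of the data behind on the source volume.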

Ok so I will have to delete/overwrite free disk space to get rid of the files if they had been on the OS unencrypted before. Thank you! :)


I have noticed in many videos showing how CM is used people dragging and dropping files into a vault, which as you said only creates a COPY and leaves the original in place. Does this make much sense? Because now you have two versions and if you modify one (let's say the original) it won’t make changes to the other (encrypted copy).

It also means you have an unencrypted copy of what I assume is a sensitive file (otherwise why would you encrypt it in the first place??) that leaves it vulnerable.

That statement is misleading. Yes, the original file stays in the same hardware location, e.g. if you have an HDD, the same sectors on one storage disc. But from the operating system's point of view, the file is really moved and you need special tools to recover this file (if possible at all).

Encryption on the fly means that if files are already in a vault, they are not stored outside of the vault somewhere else on your computer (unless the application accessing those files demands it). As an example, if you work on a Word document inside a vault, Word reads the file into its private memory and later saves the changes to the file in the vault again.