[Feature Request] Unscrambled filenames for single-file recovery

A deleted file inside an existing directory, yes. If the directory got deleted, it is no longer possible to map a cleartext path to a ciphertext one.

Oh okay, that’s bad. Because it won’t fit my needs then. I will be able to always restore deleted folders and files. So in that case it would be great when there is the possibility to decide wheter the file names are encrypted or not.

This is not planned, sorry.

What a pity. So it will not fit for me :frowning:

Why is it not planned? I guess the effort to implement this feature isn’t that much. Is it a strategic decision?

In addition to overheadhunter’s post:
Restoring should be a feature of your backup solution. Cryptomator is not a backup solution. It’s a privacy solution.
I recommend to have a look at you backup strategy/solution if you are missing the option to restore files you deleted by accident.

Sure, but if i can’t identifiy the uploaded files / folders in my backup solution by the name, i’m not able to restore them.

For example if i delete a folder, overheadhunter told me that it’s not possible to identify the deleted folder afterwards. So i have no idea which encrypted folder name i have to restore in my backup solution.

If you accidentally delete a file, you should be able to restore it from your backup. If you work locally in your vault, and it is immediately synchronized to your cloud storage (mirror sync), then the vault is not a backup. A backup contains data regardless of the current state of your local work files (basically). Just to restore a previous state if necessary.
A backup process does NOT delete the files when they are deleted in the data source. The sync process of your cloud provider does exactly this (delete files online if they are deleted local) and is therefore NOT a suitable backup solution.
Cryptomator itself is not a data availability solution, but a privacy protection solution for files stored online.
If you want to prevent data loss (e.g. accidental deletion, or hardware failure, or malicious attack), then you need a backup solution.

Here’s an example setup:

Work Folder: D:\ (encrypted or not but not synced to your cloud storage if not encrypted)
Use a backup solution to backup files frequently to your backup destination X:\ (X is can be a vault). Configure the backup solution to keep file versions (depend on your needs, in my case I keep 5 File versions when modified and one permanently when deleted in the source).
If your Backup Folder X is a vault you want to have stored online too, make sure the vault files are placed somewhere where the are included into the sync operation of your cloud providers client.

Now, lets assume you deleted a files in your working folder D:. Then open your Vault X:\ and restore the File-Version you want to restore.

As you can see: the backup process itself does not rely on cryptomator. If you want to store your backup online and keep data private, you should backup into a cryptomator vault.

Maybe you are interested in reading this: https://www.techsoup.org/support/articles-and-how-tos/your-organizations-backup-strategy

1 Like

Thank you. I know the difference between a backup and file syncing. If i sync it immediately and have versioning i’m sure it’s a backup. The old deleted files are available in my backup (i use crashplan), even if i delete them locally. Everytime i change a folder or file i have another version of it in my backup.

I don’t want to prevent data loss with cryptomator. Therefore i use my backup solution crashplan. Crashplan synchronizes the files / folder on every change and has versioning.

I’d like to use cryptomator in the future. But that’s only possible if i can store my files encrypted in my online backup solution and make sure that i can recover them if necassary. And this only works, when i’m able to identify the correct file / folder even when it’s deleted in the source. I don’t like to have another vault, because then i need doubled hard disk storage.

The solution or possibility you describe presupposes that i can connect my backup like a drive to mount the cryptomator vault. And that is not possible. So i need the ability to identify the correct file / folder to choose which folder / file i’d like to download from the backup to prevent downloading the whole backup on that specific restore timestamp.

I hope you now understand why your offered solution is not working for me.

That’s the hint that clarifies it for me. Crashplan backups your files as a service directly in the cloud.

Correct :slight_smile:

And how do you think should a 3rd party application encryption for this Szenario work without an additional application layer between the crashplan service and your operating System (where the encryption should happen before the data is backed up) and without doubling your data?
I mean, even if Cryptomator (or any other encryption software) would not mask the file names, you would have to setup up a vault where you store your backup in, and then tell crashplan only to backup these encrypted files. Otherwise crashplan would also backup your unencrypted files and make the encryption useless.
Or am I missing something?

Hmm? I think our discussion ist getting a wrong way. Maybe i missunderstood you.

Actually i use Boxcryptor Classic which is outdated to encrypt my data without encrypting the file names.
So i have my data encrypted on drive D: and from there i open the Boxcryptor Container (vault) to get access do decrypted data. Crashplan is backing up the files from drive D: and because the file names are not encrypted, i’m able to restore whatever i want.

My goal is to use Cryptomator instead of Boxcryptor.

Ok, got it. So crashplan does the backup and the versioning and the uploading. Yes, with this setup you need a solution that does not encrypt Filenames, so you can identify the encrypted files and versions for restoring.
I personally prefer the filenames to be masked, because I don’t want the storage provider to know which kind of insurance I have (as an example what information can be read out of a filename).
This is why my setup includes a local versioning (what you don’t want because of the data multiplying that comes with such a setup)

Thanks for taking the time to clarify that to me.

Thank you, too for your help and suggestions.

I think the way you do it is more secure, than the way i do it. With which tools is your setup implemented? You convinced me and maybe i can adapt your setup :slight_smile:

At the moment i have two backup targets with Crashplan: One local on an external harddisk and the cloud backup on the crashplan server. Maybe it’s possible to use the external harddisk for the versioning layer you use.

As answer on Michaels post:

Thank you very much. I will think about and try it.

But if i got it right, actually the main problem still exists with this solution: It’s not possible to identify the encrypted file in the vault. Am i right?

My preferred backup solution is PersonalBackup.
With this tool I do all the versioning and syncing to external drives or SFTP Servers.
In addition to that I sync to cloud storages with the respective client apps.
For local backups (means not online) I keep several versions.
As I do not have excessive space online, my online backups are just mirrors.
For the cloud storage I use cryptomator as encryption. Which means I have a vault (X:) in my sync location (eg C:\OneDrive), and I mirror my workfolder (eg C:\Documents) into that vault (X:).
Yes, that consumes a lot of local space. This is why I do only mirror backups when it comes to online storages.
I have to admit that I’m a little “paranoid” when it comes to data loss, so I have a lot of backups which multiple the amount of space I actually would need just for working.
To be honest: If I have an images with 3 MB size, I need up to additional 21 MB space for backups (1 version in the vault for OneDrive, 1 Version in an other vault stored on my FTP and 5 Versions on my external harddrive).
I now its too much, but I never lost a file in the last 15 years, despite I had several major incidents with my hardware. :wink:

Here’s a link where I have explained the PersonalBackup setup in more detail.

(PS: PersonalBackup 6 comes with a hot-folder monitoring & backup)

So it looks like people have wanted this feature since 2017. Is there any chance that it will happen?

If you are on a machine that doesn’t have space to download an entire cryptomator vault, then you need some way to download just the files you currently need. But there’s no reasonable way to do this if you can’t see the file names.

Even though showing file names may be less secure (if you are titling your files like “where I put the body”), being able to see them makes it much more functional in real life scenarios.


There is, and it’s called cyberduck. (See my first post April 19th in this thread)

1 Like

… “unfortunately no linux support”

I was hoping there would be at least a command line tool that would let you match up real file names with encrypted file names.



Hi all, check out my work on PoC of this case here 101#issuecomment-864782646.
I hope that someone will pickup this ongoing work to make it to final version. Cheers

1 Like

Maybe another approach is the way Rclone provides this functionality: