Feature suggestion(s)

First off: thanks for making Cryptomator!

To know where I’m coming from: I already used a home-grown solution similar to Cryptomator for quite a few years now on my Windows machines. I have a Python script that uses Veracrypt and junction.exe to have double-clickable “.encfol” files (actually Veracrypt volume files). When you double-click them, the script asks for the volume password, finds a free drive letter to mount the volume on, calls junction.exe to make a same-named folder junction to that drive (next to the activated .encfol file itself), and finally opens that folder too (with some optional custom menu support baked in). I use this a lot for my freelance development work; each project gets its own vault to not have all the sensitive data from all my clients in plaintext on my machine all at once when I need to work on something. And I also have separate vaults for my Thunderbird mail folder, a vault with all license keys, one with my website subscriber’s info, one with sensitive private info, etc.

Rather similar and just as secure, but since Veracrypt volumes are fixed-size, it is quite a nuisance to manage the ever-changing volume sizes. The script does suggest automatically resizing the volume when closing the vault when its free space gets above/below certain limits, but that involves setting up a new volume, formatting it, mounting it in parallel, copying over the content (robocopy) and then verifying the copy was OK (winmerge), all with lots of non-suppressible prompts from the used apps.

All that is now history for me with automatically resizing Cryptomator vaults – again, thank you, and my donation has already been made :slight_smile:

Though I do miss some of the functionality I have with my own custom solution… Maybe some of it is worth adding to Cryptomator?

  • When unlocking a vault, my script mounts it onto the highest available drive letter instead of the lowest. This is because the lowest ones are also used by USB devices, and I have Sandboxie configured to force-start everything from the first few drive letters in a sandbox because of this. With Cryptomator I can assign a drive letter to each vault, but I have dozens of vaults, so clashes are bound to happen that way. (Then again the drive letter is just an intermediate step for my script; with Cryptomator I will mount directly into dedicated folders anyway).
  • When my script makes the folder junction, it doesn’t require that an empty folder already be present at that location; it automatically creates the designated folder if it is missing. This might be a nice addition that shouldn’t have any drawbacks I think?
  • Since my “vaults” are single (Veracrypt) files I give them a dedicated file extension and associated my script+icon with that, so that I can just double-click them to open them. You can also double-click the masterkey file in Cryptomator vaults, but that only adds the vault to Cryptomator if it’s not already added. Since Cryptomator has no CLI I cannot make my own script to e.g. associate a dummy file with opening a same-named vault next to it. I know of the separate Cryptomator CLI project, but it’s not quite ready for prime time yet I suppose? Anyway, some basic CLI support would be very nice.
  • As an alternative to or just an extra to the above: maybe a per-vault option to have a post-open hook, where you can point it to a script or such? We now have the option to “Do nothing” or “Reveal drive”. My encrypted folders also have optional post-open menu support (via a per-vault options file), where I can list all available actions to choose from after unlocking the vault (auto-choosing the 1st if there is only 1). Each action is just a key/value pair; a label for the GUI button and either a cmdline for a shell action or a path to open (folder -> explorer; file -> start executable, open doc, etc.). These command strings can contain a known token that gets replaced with the final mount location. The null / default action is to just launch the mounted folder in Explorer. My Thunderbird vault has just one action: launch Thunderbird itself; this way unlocking the Thunderbird vault also immediately starts Thunderbird. Another vault has a choice of opening a database file in it, start a website backup within the vault, or just browse the vault’s files.
  • Recycle bin support. I know this feature is already underway with Dokany and already preliminary available via the custom mount option MOUNT_MANAGER, but it would be really nice if that would become the default.
  • Some way to detect when the folder can be locked again. My script launches a post-mount background “Click OK to close” msgbox (with “cancel” the default for accidental enter presses), and even like this I already forget these prompts from time to time, thus having a certain folder unlocked the whole day when not needed. I know scanning for open file handles into the mounted folder is not fail-proof enough and probably still not what a user really wants, so it can’t probably be 100% automated, but some GUI reminders could add some benefit?
  • When I just now copied some Excel files from one of my own vaults into a new Cryptomator vault, Explorer told me not all of the file’s properties could be copied along. I suspect that this e.g. also concerns the NTFS alternate stream data; these Excel files were saved from a mail client, and thus got tagged with extra zone info. I also saw the “Security” tab in Explorer’s properties menu is missing. I suspect these folders get mounted via Dokany more like in a FAT than NTFS style? I tried adding the mount option ALT_STREAM, but that made the vault unmountable (Cryptomator “unexpected error” dialog with IllegalArgumentException: Dokany option ALT_STREAM not supported). And REMOVABLE_DRIVE seems to conflict with MOUNT_MANAGER and/or mounting in a folder (the mount folder showed no files; removing the option made the vault work again).

Anyway, Cryptomator already gives me more benefits than drawbacks right now, so no complaints from my side, but maybe you find the above inspirational?


Oh, and as a follow-up now that I’m in the process of moving over all of my vaults:

  • In Cryptomator the main window and the system tray icon show the list of vaults as a flat list. I already saw someone else mention that it would be nice to be able to have a tree structure. And I couldn’t agree more, because I’ll probably end up with well over 70 vaults.
  • The tray icon nicely shows a “Lock all” entry, and you can use the popup menu to lock single vaults. However, which vaults are actually unlocked cannot be seen from the popup menu list. When having many vaults, hunting down the ones that are unlocked is thus very tedious. It would be nice if the vault name came with some extra tag to show when it is unlocked. Maybe add (unlocked) to its name, but even something as simple as an appended * would do. Or have two vault lists above each other; the top one with the locked vaults, and the bottom one with the unlocked ones (so a simple extra sorting and an extra separator between the two groups).
1 Like

Welcome to the Cryptomator Community :slight_smile:

Thanks for this rich feedback and the various feature suggestions! For some of them an answer already exists:

Well, I would say this is a user-specific system setup. We needed to choose a strategy and changing it now could break other homegrown solutions.

Apart from the lack of features and rather clunky usability, it works. The reason for this is that it is mainly community driven and the Cryptomator developers focus on the GUI app. But it seems you are capable of programming on your own, so you’re welcome to bring this project forward! :slight_smile:

Since Cryptomator supports multiple platforms, we would like to aim for an OS independent solution, as @overheadhunter pointed out in https://github.com/cryptomator/cryptomator/issues/248#issuecomment-759543400. There are also already some ideas, but nothing concrete.

You might be interested in the currently implemented auto-lock feature. Apart from that, adding a gui indicator is possible.

They are neither. Unlocked vaults have their own filesystem (CryptoFS), which mimics or passes through certain features common to most filesystems. NTFS alternate streams only exist on NTFS and, as already mentioned, we aim for cross-platform compatibility. Hence, there are no plans to integrate this feature.

There is an already open feature request for this, see https://github.com/cryptomator/cryptomator/issues/200.

It’s quite possible that I did not address everything here, but if you think that a certain feature is a must-have, have a look at our issue tracker, and if it is not already present, open a new ticket: :slight_smile:

Heh – you got a point there. But I always seem to have more freelance project hours hogging my agenda than there are days per week… And I’m a C++ coder who hasn’t touched Java in nearly 2 decades, so I’ll restrain myself before I make a mess of your code base :slight_smile:

Anyway, I’ve added 3 new feature suggestions to Github for the above suggestions I think are most usable to other people too. Though “most usable” ofc also depends on your target demographic (power user or regular user?)

1 Like

I cannot tell you, how much I like what you wrote and propose!

Those are immensely useful ideas!

As I also use VeraCrypt, do you probably offer your scripts for handling this somewhere?
I would love to give this a try :sweat_smile::hugs:

Hi Tja,

I’ve attached the Python script I used (renamed to .log). It needs to have VeraCrypt, WinMerge and ofc Python (3.x) installed, as well as a copy of junction64.exe next to it. The Python script itself also needs WXWidgets. Junction64.exe you can get from Microsoft directly I guess? I have it still lying around since Windows XP when junction creation was only possible by external apps; maybe today there’s a built-in exe that can do it? And it expects some .ico files to pimp its taskbar icon.

Anyway, the script is quite reliant on how my PC is set up, so I think you’re better off using it as inspiration :slight_smile:

Also note that using this script is far less enjoyable and reliable than using Cryptomator. It’s a hack after all, linking disparate apps together. I built in as many safety guards as I deemed necessary for personal use, but it’s not fool-proof. One thing I e.g. sometimes did on accident was close the msgbox that pops up asking to close the vault while Thunderbird was still read/writing from its content. Thunderbird wasn’t happy afterward :slight_smile:

The script works with .encfol files, which are really just VeraCrypt container files. To customize the vault open action, you can also put a like-named .encopt file next to it; it should have ini-like content describing all options available after opening a vault.

I myself have made a file association from .encfol files to my script file so that I can just double-click them to open them. And the script also detects an extra cmdline option to force a vault resize. Both actions are registered via the .reg file I also attached (install.log).

Aaanyway, BIG DISCLAIMER, this script has worked for me for several years, but I found it clunky in use (especially when the vault would fill up again and again – it doesn’t auto-resize on the fly at all). So far I found Cryptomator to be far superior to this. Apart from the feature suggestions in this thread ofc :slight_smile:

And I’d like to expressly note that I do not claim it is fit for production use – use at your own risk!

Documentation.log (923 Bytes) Mount folder.log (22.6 KB)
Install.log (1.8 KB)
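
The per-vault post-open actions described in this thread (a label plus a command line containing a token that is replaced with the mount location, stored in a like-named ini-like .encopt file) can be sketched as follows. This is an added example, not the attached script or Cryptomator code; the `[actions]` section name, the `%MOUNT%` token and the sample file content are assumptions made for illustration.

```python
import configparser
import shlex

# Assumptions, not taken from the attached script: the [actions] section
# name, the %MOUNT% token and the sample file below are all constructed.
MOUNT_TOKEN = "%MOUNT%"
SAMPLE_ENCOPT = """\
[actions]
Start Thunderbird = thunderbird.exe -profile "%MOUNT%"
"""

def load_actions(text):
    """Return the (label, command) pairs of an ini-like options file, in order."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep button labels case-sensitive
    parser.read_string(text)
    return parser.items("actions") if parser.has_section("actions") else []

def build_argv(command, mount_path):
    """Split the template first, then substitute the token per argument.

    Substituting before splitting would let spaces, quotes or '&' in the
    mount path change how the command line is parsed.
    """
    return [arg.replace(MOUNT_TOKEN, mount_path) for arg in shlex.split(command)]

def plan(actions, mount_path, choice=None):
    """Pick the argv to launch after unlocking (pass it to subprocess.run)."""
    if not actions:                      # default: browse the mounted folder
        return ["explorer.exe", mount_path]
    if len(actions) == 1:                # a single action is chosen automatically
        return build_argv(actions[0][1], mount_path)
    commands = dict(actions)
    if choice not in commands:
        raise ValueError("choose one of: " + ", ".join(commands))
    return build_argv(commands[choice], mount_path)

if __name__ == "__main__":
    print(plan(load_actions(SAMPLE_ENCOPT), r"X:\Client R&D\mail"))
```

`shlex.split` follows POSIX quoting rules, so a backslash outside quotes in a command template is treated as an escape character; the mount path itself is never parsed because it is inserted after splitting.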


OMG :slight_smile:
I’m so happy!

Many many thanks, also for the documentation and explanation!

I downloaded everything and will archive your posting.
My PC and Mac are currently off the internet, as we have some local provider problem - it may take some days until I can try this.

Will report back then

© 2021 Skymatic GmbH