How to make sure only one person has access to the master password for the vaults I create?

Right now, if I use Cryptomator to encrypt files, upload them to the cloud, and share the files with someone else, they are able to change the password, since they would know the vault password.

How do I make sure the person I share the password with is not able to change the vault password without “ADMIN”?


You can’t.

There is no “admin” option in Cryptomator or group/user management. If you share your vault and its password with someone, you share everything.

Sadly, this doesn’t work on a cryptographic level. Faking such a behaviour in our UI doesn’t prevent anyone from writing a separate application that allows changing the password.

Even if we added a separate admin password which is distinct from the unlock password, anyone with the unlock password could decrypt the actual masterkey and declare himself admin by creating a new self-signed masterkey.cryptomator file using his own password. He has then hijacked the admin role.

Cryptomator only ensures privacy. If you want your data to be protected from damage, make backups!
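
The point made in the replies above, that a password only wraps the masterkey and anyone who unlocks the vault holds that key, shown as an added example (not part of the original posts and not Cryptomator's code). Assumptions: PBKDF2 and an HMAC-derived pad stand in for the vault's real KDF and key-wrap algorithm, the dict is not the real masterkey.cryptomator format, and all names and passwords are constructed.

```python
import hashlib, hmac, os

# Stand-ins (assumptions): PBKDF2 and an HMAC pad replace the vault's real KDF
# and key-wrap algorithm. The dict below is not the masterkey.cryptomator format.

def _kek(password: str, salt: bytes) -> bytes:
    """Derive the key-encryption key (KEK) from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _xor_pad(kek: bytes, data: bytes) -> bytes:
    pad = hmac.new(kek, b"wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def wrap(masterkey: bytes, password: str) -> dict:
    """Create a key file: the masterkey encrypted under a password-derived KEK."""
    salt = os.urandom(16)
    kek = _kek(password, salt)
    wrapped = _xor_pad(kek, masterkey)
    tag = hmac.new(kek, b"mac" + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap(keyfile: dict, password: str) -> bytes:
    """Recover the masterkey; raises ValueError on a wrong password."""
    kek = _kek(password, keyfile["salt"])
    tag = hmac.new(kek, b"mac" + keyfile["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, keyfile["tag"]):
        raise ValueError("wrong password")
    return _xor_pad(kek, keyfile["wrapped"])

def rejects(keyfile: dict, password: str) -> bool:
    try:
        unwrap(keyfile, password)
    except ValueError:
        return True
    return False

def demo() -> dict:
    masterkey = os.urandom(32)                 # encrypts the vault data; fixed for the vault's life
    shared = wrap(masterkey, "shared-pw")      # constructed sample passwords
    held = unwrap(shared, "shared-pw")         # what every password holder ends up with
    rewrapped = wrap(held, "recipient-pw")     # "change password" = re-wrap; no data re-encrypted
    rotated = wrap(masterkey, "owner-new-pw")  # owner changes the password afterwards
    return {
        "recipient_holds_masterkey": held == masterkey,
        "rewrapped_file_opens_same_vault": unwrap(rewrapped, "recipient-pw") == masterkey,
        "rotated_file_rejects_old_password": rejects(rotated, "shared-pw"),
        "rotation_changed_masterkey": unwrap(rotated, "owner-new-pw") != masterkey,
    }
```

The last result is `False`: changing the password produces a new key file but leaves the masterkey untouched, so revoking someone who once had the password means moving the data into a new vault with a fresh masterkey.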