If your machine becomes infected with malware while your Crymptomator vault is unlocked, is the password to that vault at risk?

This is something I’ve been wondering recently. I have some vaults on my machine that are essentially always kept unlocked and mounted, although I haven’t set Cryptomator to remember the passwords to those vaults. If my machine were to ever be infected with malware, would the passwords to those vaults be at risk? Or would they remain secure so long as I haven’t set Cryptomator to remember them?

The reason I’m curious is because one of my vaults uses the same long password used for something else on my machine. I know password sharing isn’t advised (and need to get around to changing this), but I’m still curious how vulnerable to malware Cryptomator passwords are.

Obviously yes. The key is held in RAM if you don’t check the box “Save Password “ and in OS key ring, or possibly even cached on disk if developers are not careful, if you check off that box.

If your machine is infected, you are in a bad situation. The severity depends on malware, and whether it has root access, on vulnerabilities in cryptomator etc.

The “key”, is not the password.
See here: Security Architecture — Cryptomator 1.5.0 documentation
So from my point of view the answer to the 1st question is “no”.

Ha?! The key is obtained from password using KDF. The knowledge of either one is sufficient to decrypt.

From key you don’t get the password, but , who cares, as cryptomator says, your password is no more important than data , if data is exposed.

But the question was explicit if the password will be exposed.

I’m not sure what marc123 means by data (metadata?), but I only care about the content of the encrypted files themselves and the password used to unlock my vault. What I want to know is whether the password used to unlock my vault will be compromised if malware infects my machine while the vault is unlocked, but “Save Password” hasn’t been checked. If my password would be safe in this case, I’m assuming the same could be said for a scenario where malware infects my machine while the vault is locked (and “Save Password” is still unchecked).

With two assumptions, the direct answer to your question is: No.

The assumptions are:

  • you are solely worried about the password you enter in the password field (i.e. not the data in the vault)
  • the maleware infects your computer really only after the vault is unlocked and you don’t have to unlock your vault again

@infeo This is exactly what I wanted to know - thanks for explaining. Maybe it’s naive, but I figured that if I ever got an obvious malware infection, I could just immediately lock my vault (which is kept mounted by default) to minimize the damage. I’ve never had a real malware infection though, only false flags in Malwarebytes and Defender, so I could be completely wrong here. Because the long master password to that vault is currently used in one other place, ensuring that it can’t be intercepted - either while the vault is mounted or while it’s unmounted (obviously not applicable if the password to unlock the vault is entered sometime after an infection) - is important to me.

You should probably clarify the answer a bit more for the user, as the person seems unaware of details of encryption (KEK and DEK etc).

@cr7. If the password you enter is, say, August7, from this, an actual password (a key) is obtained by the software, let’s say, “jfdetukkccdf”.

Due to details of cryptography, if you don’t check off “Save Password,” the first password August7 is most likely secure. So in case you reuse August7 somewhere else, for example in other cryptomator vaults, those other vaults are probably fine. That’s the only protection you get.

However, the actual password is jfdetukkccdf. This password is compromised, alongside all data in the corresponding vault.

So your vault is compromised. Locking that vault quickly makes no difference: the attacker has the final password jfdetukkccdf and decrypts data

@marc123 Thanks for explaining. Although it’s good to know that the password itself would be secure in this scenario, I wasn’t aware that quickly locking the vault would be totally ineffective as far as protecting the data goes. Is there anything that can be done to protect your vault data in this scenario, or mitigate the damage done? Or is it one of those cases of once you’ve become infected, there’s nothing you can really do.

The general view is that a compromised host is a difficult situation. Regardless of your defense, an attacker could just wait until you unlock your vault and read data.

There are things that could be done, for instance, encrypting keys in RAM or holding them in TPM or USB key. But that’s the job of developers.