Incremental encryption and decryption


I am a new user and would like to know if Cryptomator would re-encrypt the whole file even if there is a minor change in it? Assume that I have a 20MB file and I just change 1 byte in it. If the entire file is re-encrypted on every change, and if my vault’s destination is a Dropbox folder, the complete file needs to be synced (as the encrypted contents are all different). This consumes both CPU and network resources.

Similarly when decrypting the file, is the complete file decrypted every time I open it?

Can something be done so that only the changes are encrypted/decrypted and not the whole file?

Please correct me if my understanding is wrong.


Cryptomator encryption is file based. So yes, if you change a file it will be completely decrypted/encrypted and thus synced with your Dropbox.

That is not true. It would impose a big performance penalty to always de- and encrypt a whole file. As can be seen in our docs, Cryptomator splits a file into chunks of roughly 32KB and each chunk is encrypted. If I want to decrypt a specific position, I only have to do some math to get the correct chunk and decrypt these 32KB. For writing it is the same.

That said, most synchronization apps do not support delta updates, i.e. only uploading the small part that changed. They rather just check the file hash sum or modification date and if one of those changed, upload the file to the server.

Thank you for correcting. I had forgotten the chunk splitting thing :grinning:

Thank you. This is what I would have expected.

But when I tested by making a one character change in a huge file, I see that all the encrypted bytes are different. Are there any other settings to see the behavior you mentioned above?

It also depends on the application which opens the file. Most modern applications load the complete file into memory and write the complete changed file, or replace the old file with a new copy. Then, of course, (nearly) all bytes changed.
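
The chunk math described in the replies above, as an added example that is not part of the thread and not Cryptomator's own code. Only the roughly 32KB chunk size comes from the thread; the 48-byte per-chunk overhead and the 88-byte file header are assumed values for illustration.

```python
CLEAR_CHUNK = 32 * 1024      # cleartext bytes per chunk ("roughly 32KB" in the thread)
CHUNK_OVERHEAD = 48          # ASSUMPTION: per-chunk nonce + authentication tag bytes
HEADER_SIZE = 88             # ASSUMPTION: fixed header stored before the first chunk
CIPHER_CHUNK = CLEAR_CHUNK + CHUNK_OVERHEAD


def chunks_touched(offset, length):
    """Chunk indices covering cleartext bytes [offset, offset + length)."""
    if offset < 0 or length < 0:
        raise ValueError("offset and length must be non-negative")
    if length == 0:
        return range(0)
    return range(offset // CLEAR_CHUNK, (offset + length - 1) // CLEAR_CHUNK + 1)


def cipher_span(chunk, clear_size):
    """Ciphertext byte range [start, end) that stores the given chunk."""
    clear_start = chunk * CLEAR_CHUNK
    if chunk < 0 or clear_start >= clear_size:
        raise IndexError("chunk lies outside the file")
    clear_len = min(CLEAR_CHUNK, clear_size - clear_start)  # last chunk may be short
    start = HEADER_SIZE + chunk * CIPHER_CHUNK
    return start, start + clear_len + CHUNK_OVERHEAD


def ciphertext_size(clear_size):
    """Total encrypted file size for a cleartext of clear_size bytes."""
    if clear_size == 0:
        return HEADER_SIZE
    return cipher_span((clear_size - 1) // CLEAR_CHUNK, clear_size)[1]


def in_place_cost(clear_size, offset, length):
    """Ciphertext bytes re-encrypted by overwriting bytes inside an existing file."""
    spans = (cipher_span(c, clear_size) for c in chunks_touched(offset, length))
    return sum(end - start for start, end in spans)


if __name__ == "__main__":
    size = 20 * 1024 * 1024                      # the 20MB file from the question
    offset = 10_000_000                          # constructed position of the 1-byte edit
    chunk = chunks_touched(offset, 1)[0]
    print("chunk", chunk, "ciphertext span", cipher_span(chunk, size))
    print("in-place overwrite re-encrypts", in_place_cost(size, offset, 1), "bytes")
    print("whole-file rewrite re-encrypts", ciphertext_size(size), "bytes")
```

Under these assumptions an in-place one-byte overwrite touches a single chunk, while an application that writes out the complete file re-encrypts every chunk, which is the difference the last reply points to.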