Is Cryptomator a safe replacement for Veracrypt, durability- and performance-wise?

Hi, I’d like to know if Cryptomator is a safe replacement for Veracrypt for non-document usage. I’ve read and understood the security differences, and the ability to encrypt each file separately is what I’m going for: to keep files encrypted at rest and to sync them between two machines using SyncThing (although a backup to the cloud can also be done). I came across this post, though, which says it’s not meant for anything but encrypted cloud sync.

I’d like to use it for encrypting various activities, including CAD design and web development. I noticed that deleting the Node.js package directory, “node_modules”, took a REALLY long time from a Cryptomator vault, but was relatively fast when using Veracrypt, though this makes sense since every little file is encrypted separately. Operations like that should be pretty rare though, and I’m willing to live with the performance hit. Question is: is my usage safe? Will I encounter any downsides besides the occasional slowness when there’s high I/O? If yes, is there alternative software that is recommended that enables quick/immediate syncing?

No. It is not meant to be.

As already pointed out by you and in your linked post, Cryptomator targets cloud storage encryption and is optimized for this use case. As such, there are trade-offs, such as leaking the last modification date of files (otherwise your sync client would have a hard time).

Veracrypt, on the other hand, doesn’t need to deal with third-party tools accessing the ciphertext, therefore it can lay out data in an internal, optimized format and can protect more metadata. That’s why we recommend Veracrypt for local disk encryption.

That said, it is rather pointless to have your node_modules in a vault. In general, dependency caches only contain public data anyway (unless you work with private npm repos).

Like I said, I understand the differences security-wise. I don’t personally care about leaking modification times and number of files – I mainly care about the contents.

I can take your word that it’s not meant for my use case, but I’d like to understand why. If I don’t care about leaking the metadata, why is it not suitable for my use case? Perhaps this should be addressed in the FAQ doc :smiley:

Well, the already mentioned aspects aside, there is also the file system feature perspective: symlinks are still very new to Cryptomator and not yet supported on all platforms. Also, xattr is still missing, as well as resource forks (a.k.a. alternate data streams).

That said, if Cryptomator is working fine for you with its current feature set, I can’t think of a reason not to use it.

I personally still like to use the software that serves a specific use case best, even if this means to have multiple similar tools installed. But I don’t have any problems with other opinions on this. :slight_smile:

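The file system feature gaps listed in the reply above (symlinks, xattr) are easy to probe on any mount point before you commit a CAD or web-dev tree to it. The script below is an added example, not code from this thread or from the Cryptomator project; it creates and removes small `.probe_*` files in the directory you give it, and assumes the `setfattr`/`getfattr` (Linux) or `xattr` (macOS) command-line tools for the extended-attribute check. The hard-link probe is included as well since it is a common extra gap on FUSE-style mounts.

```shell
#!/bin/sh
# Added example (not from the thread or the Cryptomator project): probe a
# mounted directory for symlink, hard-link and extended-attribute support.
# Usage: sh probe_mount.sh /path/to/mounted/vault
# Probe files are named .probe_*.<pid> and are always removed afterwards.

# Exit status 0 if a relative symlink can be created and read back in $1.
check_symlink() (
    dir=$1
    target="$dir/.probe_target.$$"
    link="$dir/.probe_link.$$"
    rm -f "$target" "$link"
    printf 'probe\n' > "$target" || exit 1
    rc=1
    # Relative symlink, resolved through the link itself.
    if ln -s "$(basename "$target")" "$link" 2>/dev/null \
       && [ -L "$link" ] && [ "$(cat "$link" 2>/dev/null)" = "probe" ]; then
        rc=0
    fi
    rm -f "$target" "$link"
    exit $rc
)

# Exit status 0 if a hard link can be created in $1 and both names share an inode.
check_hardlink() (
    dir=$1
    target="$dir/.probe_hl_target.$$"
    link="$dir/.probe_hl_link.$$"
    rm -f "$target" "$link"
    printf 'probe\n' > "$target" || exit 1
    rc=1
    if ln "$target" "$link" 2>/dev/null && [ "$target" -ef "$link" ]; then
        rc=0
    fi
    rm -f "$target" "$link"
    exit $rc
)

# Exit status 0 if a user xattr round-trips on a file in $1,
# 1 if the mount rejects it, 2 if no xattr tool is installed (unknown).
check_xattr() (
    dir=$1
    f="$dir/.probe_xattr.$$"
    : > "$f" || exit 1
    rc=2
    if command -v setfattr >/dev/null 2>&1 && command -v getfattr >/dev/null 2>&1; then
        # Linux: attr package, user.* namespace
        rc=1
        if setfattr -n user.probe -v 1 "$f" 2>/dev/null \
           && getfattr -n user.probe "$f" 2>/dev/null | grep -q 'user.probe="1"'; then
            rc=0
        fi
    elif command -v xattr >/dev/null 2>&1; then
        # macOS: xattr(1)
        rc=1
        if xattr -w probe 1 "$f" 2>/dev/null \
           && [ "$(xattr -p probe "$f" 2>/dev/null)" = "1" ]; then
            rc=0
        fi
    fi
    rm -f "$f"
    exit $rc
)

# Print a summary for the mount; exit status 0 only if every probe succeeded
# (an "unknown" xattr result does not count as a failure).
probe_mount() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=0
    if check_symlink "$dir"; then echo "symlinks:   supported"
    else echo "symlinks:   NOT supported"; bad=1; fi
    if check_hardlink "$dir"; then echo "hard links: supported"
    else echo "hard links: NOT supported"; bad=1; fi
    rc=0; check_xattr "$dir" || rc=$?
    case $rc in
        0) echo "xattr:      supported" ;;
        1) echo "xattr:      NOT supported"; bad=1 ;;
        *) echo "xattr:      unknown (no setfattr/getfattr or xattr tool found)" ;;
    esac
    return $bad
}

# Run only when a mount point is passed on the command line.
if [ $# -ge 1 ]; then
    probe_mount "$1"
fi
```

Run it once against the mounted vault and once against a plain local directory; the difference between the two summaries is exactly the set of features your workload would silently lose inside the vault.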

Thanks for the file system feature explanation. I also think the best tool should be used for the job. Cheers, and thanks for the work!