You have to consider that Cryptomator was designed to be “simple to use” and “without much configuration usable between many devices, including mobile devices”. It was a well-thought-out design choice to put the masterkey file inside the “vault folder” so that it’s instantly accessible from many devices.
Maybe my “edit” in my last post was too late but you don’t need a 256-bit password. I understand your suggestions and as you’ve seen, we had many discussions in the past and we’re making sure that we consider this issue from many angles.
You can’t just think about technical feasibility. In that case, yes of course you could just define a custom path for the masterkey file and this could probably be “one line of code”.
But that’s not how designing and developing a product works. This would have many implications like:
- How do I know which masterkey file belongs to which vault? Yes, you could solve it with an identifier or something like that but that’s not currently defined in the vault format. Yet another change.
- How do I make sure that I have access on my mobile devices? You would probably need lengthy instructions on how to import the masterkey file from your Desktop computer to your mobile device (and vice versa). Yet another change.
- How do I make sure that there are backups of the masterkey file? What if your computer/laptop breaks and the masterkey file gets lost, even though your encrypted data is still in the cloud? That means they become useless? This is a hell of a big problem that can’t be just ignored, you have to think about usability as well.
There may be further points that I haven’t thought of spontaneously right now but I just wanted to say that it’s not “just one line of code”, which is an absurd statement for such a huge change.