Master password backups


I’ve set my vault and have it linked in my google drive. In the google drive it certainly shows the encrypted files which is great. My question is, it shows the following files below the encrypteed ones

  • masterkey.crypomater
    *masterkey.cryptomater.bunch of numbers.bkup

Should I be deleting those from the google drive? They don’t seem to be able to be opened but are they encrypted? no need to remove those or save them anywhere else?


Follow on, if you click mirror files in google, will it simply mirror back the encrypted files to your folder or it will now push both the unencrypted files from your vault and also encrypted. I’m just trying to make it so that if Google was locked or I lost access, I would still have the files on my harddrive as a secondary copy…which I guess I do if it is in the vault?

No. these files are essential to open your vault together with your password. the files with *.bkup are backup files that are created just in case the other file gets damaged.
Why are these files in the cloud and why isn’t this a risk? see here: Why is the masterkey stored in the cloud?

As the google sync client does not know anything about the files IN your vault, it will of course just mirror the encrypted vault files.

Yes. But please make an additional backup of your files somewhere else. This is not a solid backup strategy. For example: if you damage/delete a file in your vault local, it will be damaged/deleted on GoogleDrive as well as soon as the sync starts (which is usually immediately). So please do your backups anywhere where you can restore them without relying on Google. I always recommend a 3-2-1 backup strategy

Thanks Michael,

One last question, how do I actually unencrypt the contents from google that are now encrypted?

If I lost access to the vault for example, I would download the google encrypted contents but where would I put them to unencrypt them? And of course I need the Master Password right? There is no key or backup keys.


Don’t know if I got your question right, but of course you unencrypted the same way as you encrypt. Just open your vault in cryptomator.

Anywhere you like.
Example: you set up a new pc and want to access your vault on googledrive.

  1. install Google drive and sync your Google content (including your encrypted vault files) to your local drive
  2. install cryptomator
  3. add vault to cryptomator
  4. open vault with password.

If you lost your password you can use your recovery key to set a new one.