In the absence of Cryptomator having 2FA (or MFA), for laptops (which can be stolen):
1: Would it be possible to store the 4 files (master key, vault and 2x bkup files) for opening the Vault behind a Password Manager (with its own 2FA) and then to download these to a Virtual drive that sits in w11 RAM (only) and direct Cryptomator to look at that virtual drive for the 4 files?
Also:
2: Do ‘bkup’ files ever need to be altered in any way when Cryptomator performs an update? (If so, this idea won’t be feasible.)
Although BitLocker could be an alternative option (as it encrypts all files and ties the SSD to the device), it adds DPC latency to the entire system (which is a pain for latency-free real-time audio processing).
Take a look at the KeePassXC plugin for Cryptomator. I use it to add a second factor in the form of Windows Hello.
With it enabled, my C database uses KeePassXC to open vaults. KeePassXC is configured in its settings to require Windows Hello facial recognition or fingerprint recognition.
So, this way, if my laptop or your laptop were to be stolen, the person would need to crack your password and also have your face or fingerprint.
Really. 2FA is generally “Something you have” and “Something you know”. The master key you have, the password you know. Then store the password separately.