so far I use a vault inside my Nextcloud.
Does it make sense to use multiple Vaults in the same Nextcloud for security reasons? Of course, each vault would have its own password.
Or do I think again too complicated and would have only more work?
You will not have more security by having multiple vaults. One vault with a strong password is as secure as 2 vaults with a strong password.
Nevertheless, I have separated my vaults in a way you described. Not for security reasons I just like this organisation. And it speeds up my backup and sync processes because I can split them into more frequent ones (documents) and less frequent ones (pictures). But that’s totally up to you.
I’m not a member of cryptomator team, just a very satisfied cryptomator user.
I respect Michael’s opinion on this and a lot more.
I’d like to say the op question is philosophical and arguments can be made on both side.
On the side of saying don’t bother with multiple vaults:
- The data is only unencrypted on your local machine. If your local machine is compromised with malware all bets are off. So you should focus your efforts exclusively on preventing your machine from being compromised, and protecting your cryptomator encrypted data with a strong password and possibly cloud 2FA etc, and not be distracted by other measures which add very little value.
On the other side of the coin (the argument for multiple vaults):
- nothing in security is perfect or certain. That’s why multiple series barriers are sometimes preferred. Adding extra barriers in case your local machine is somehow compromised certainly cannot hurt (as long as it doesn’t divert your attention from the more important things). IT people talk about principles of compartmentalization and giving users the least privelege for the least time needed to accomplish what is needed. Separating vaults fits those considerations.
- So let’s take an extreme example, you have financial account credentials protecting your retirement account )big $$) that you might access once or twice a year. And you also have photos of your family and friends from your phone that you access daily or weekly (for uploading, editing and occasional sharing). You want to keep all of that private from 3rd parties, but I think you’ll agree it wouldn’t make sense to keep them all in one single vault. If you did keep them all together, then every single day or week when you unlock that vault for simple photo transfers etc, you are potentially putting your crypto credentials at risk (from someone somehow capturing the passphrase as you enter it, or somehow capturing the unencrypted data off of your machine). It is perhaps a contrived example (mixing highly critical infrequently-accessed things with marginally-private frequenty-accessed things) but I think it illustrates the principle there can be benefit to comparmentalization. In the real world i think for that particular situation most people would segregate the vaults and additionally use different passwords for the separate vaults. Yes it adds effort and complexity but seems to make sense in that case.
And yes password manager probably makes more sense for that retirement account credentials (because among other things, you get phishing protection if you use a password manager browser plugin) but i’m sure you can think of something really critical that you want to save on cryptomator and other things that are far less critical that you also want to save.
TLDR - imo - whether the incremental security benefits you gain by comparmentalization are worth the incremental effort… it’s a somewhat subjective and situation-dependent question.