Poll - # of Vaults and Auto-open

I’m curious to hear from users on two questions:

  1. How many vaults do you have?
  2. Are they set up to automatically open when you log on?
  1. 6 vaults
  2. I do not auto-open. I only unlock when I need to access the data inside. And I have settings to auto-lock the vault after I’m done.

Regarding #2, I perceive that the exposure to having my data viewed/stolen is not just on the cloud but also on my pc (even though I’m very careful with good practices to avoid allowing malware into my devices, I don’t think I can be sure). Whenever the vault is unlocked on a device (especially pc) the data is available to any app on the device, so I try to minimize the time unlocked.

  1. One vault.

  2. I do not auto-open. On my work laptop, I open it once at the start of my day and keep it unlocked until I’m done with my work day. On my home machine, it’s open all the time but I also require a password to unlock my computer from the screensaver.

Interesting point on #2, as I had not spent much time thinking about “open vault exposure.” I open one of my 3 vaults every morning and leave it open all day as I access files from there, but maybe should consider closing it throughout the day? But are you that skeptical as to the safety of your machine locally? I run a full malware scan every month and have windows defender on all the time.

Like jskang, you’d need to get through “3 locked doors” to access my machine contents. #1 - Bitlocker with a 10 digit PIN, #2 - my lengthy, cryptic Windows password, and #3 - My Yubikey. With all three in place I feel secure, but Cryptwo is talking about malware which could be lurking inside.

I tried auto-open but found it doesn’t actually open the vault, it just opens the password entry screen, so if that’s all, it’s just a very minor convenience option to eliminate one step.

How do you decide what goes in each vault? Seems like 6 could get confusing with 6 robust passwords to store (password manager?).

- 5 vaults synced with cloud, opened only on demand.
- 1 vault local to the PC. This vault is auto-opened on startup, and it’s used for downloads coming from browser and other apps, so when I download anything from the net it’s never unencrypted on the disk, and then I can move stuff to other vaults.

Does your auto-open include entering the password for you so it just appears open on bootup?

Password for that vault is saved and I don’t enter anything.

How do you decide what goes in each vault? Seems like 6 could get confusing with 6 robust passwords to store (password manager?).

It would not be necessary to have a different password for each vault to reap the benefits of segregating vaults. If you had one password for all vaults, it would still help reduce the degree of data exposure (not necessarily cryptomator vault password exposure).

With that said, I personally am somewhere in the middle (not 1 password and not 6 passwords). The password for my most sensitive vault is not shared with any other vaults. Keeping track of passphrases is a personal thing, everyone has their own approach / system.

So you save that vault’s password IN Cryptomator? Even with my “3 locked doors” to get into Windows, I still use a password manager (Bitwarden in case you’re interested) to access my four vaults. That way, God forbid, someone, somehow, gets past the doors, they still need my Bitwarden password and my Yubikey (again) to open any vaults.

I think you misunderstood me. For my 5 main vaults I obviously use password manager, however the downloads-vault is here just to keep the new files encrypted by-default when being transferred from internet. This is a temp storage, nothing more.

For the poll:
10 vaults.
3 for online only (via cyberduck) for long term backups.
None is auto opened, but all of them stored password in system keychain.
All vaults’ purpose is just secure online storage. I have all files also outside a vault on my local desktop. (Which is of course secured by local encryption with bitlocker)

Bitwarden does NOT auto-fill logons or passwords by default - you have to specifically opt for that (which I do not), so there’s no risk in that regard. I copy/paste out of it (you can type it in too but my passwords are so complex that would be a real PITA).

Even with my “3 locked doors” to get into Windows, I still use a password manager (Bitwarden in case you’re interested) to access my four vaults. That way, God forbid, someone, somehow, gets past the doors, they still need my Bitwarden password and my Yubikey (again) to open any vaults.

I think (?) Bitwarden would transfer the password to cryptomator via the clipboard (which is different than the way bw transfers the password to webbrowsers). If so, I’m not sure how safe it is ( * ). The Windows clipboard is pretty accessible for all windows apps even without any elevated permissions. So I personally think typing the password (or some combination of typing and copy/pasting) is more protective than using Bitwarden to access cryptomator, provided of course that you have some way to keep track of robust passphrases outside of a password manager (which is a topic all its own, people have different preferences and approaches).

( * ) With all that said, I agree that it’s difficult or impossible to devise any strategy that would protect you 100% if you start with an assumption of malware on your device. I don’t view it in absolutes, only risk reduction by trying to reduce the windows/opportunities for the bad guys. I gather the traditional wisdom is to spend your time and energy on keeping malware out of the device and not waste time/energy addressing the contingency that there might be malware on the device. Maybe I am just one of the paranoid ones… I try to do both.

  1. 4 vaults
  2. 1 automatically open in laptop and sync w/ onedrive

  1. 3 main vaults and around 5 usb vaults with a simple password
  2. no vault automatically opens

Interesting responses - and are people using one password for multiple vaults, or different passwords for each? I use Bitwarden to store my passwords, so on one hand it’s easy to have different ones for each vault, on the other hand, if someone were to get one of those passwords, it means they also got into my Bitwarden account and therefore they’d have them all, so having different ones doesn’t seem to add more security - just more time to log into each vault.

As I mentioned my passwords are not all the same. I don’t use a password manager for my cryptomator vaults (I do use password manager for some websites). I have one vault that is infrequently used and more critical. I make it a longer passphrase than the others, I don’t mind the effort on the few times I access that and I feel it might be somewhat more secure if the password for that vault is not typed in frequently while accessing the less important vaults.

Again, I’m under the impression you are using the clipboard to copy/paste from bitwarden into the cryptomator password input field, is that correct? IF it is passing through the clipboard, then I think any app running on your pc profile at that time can theoretically see that password while it’s on the clipboard, but that app wouldn’t necessarily have access to your entire bitwarden account.

I talked before that it’s a philosophical decision on whether you want to spend time and energy addressing the contingency that there might be unknown malware on your device (virus scanners are not perfect). As long as it doesn’t take away from your efforts to keep malware off your device, I don’t see the harm in investing that extra energy, but I understand not everyone views it the same way and these are personal choices to suit your own situation and preferences.

4 vaults
no auto open
auto close after 30 minutes inactive

A question that goes through my head since using cryptomator, do members of your family have access to the information in the vaults if something happens to you?
If so, how did you arrange that?
Do they know you are using it, do they know how to use it, how to debug it in case of problems?

I have all the necessary information in a safe deposit box in a bank and I have mentioned this in my will.

Debug is a completely different topic, there I’m using Vorta with four different HDDs, one of them (MONTHLY2) is in the safe deposit box in a bank too and I rotate MONTHLY1 and MONTHLY2 every four weeks:

Backups are created from the plaintext files (unlocked vault) as well as the rest of my PC and the disks are encrypted using LUKS.