Want Suggestions: Configuring a Comprehensive Backup and Sync Plan That Includes Cryptomator

My goal: Set up a “structure” that does a few things as seamlessly and automatically as possible.

  1. I use an external drive as my “primary and physical” backup device. This would be where ALL my stuff sitting on my laptop would back up to using something like Macrium Reflect that runs on a preconfigured backup schedule.
  2. From there, I’d like to sync to a cloud service, so every time a backup finishes there will immediately be a “cloud copy” (insurance in case laptop/external drive is stolen, house burns down, flood). This would be my “redundant” encrypted offsite backup.

How (at what stage) would I add in CM where it makes the most sense? I’m not new to CM, just have not set it up this way. And it has to be a reasonably simple, automated process.

My initial thought is that everything I want encrypted needs to be accessed via Cryptomator FIRST from my laptop, then everything follows from there – but I’d like the collective expertise of this community to point out any potential flaws or gaps. As a way of testing my plan, I imagine if my laptop and ext drive were destroyed in a fire, what would be the steps to recover everything?

My setup is similar to yours, but rather than an external hard drive, my laptop contains two hard drives and I use a backup program to automatically mirror the original data onto the 2nd hard drive once per day as protection against one of the hard drives failing.

The copy on my 2nd hard drive is encrypted by Cryptomator and I upload that to a cloud storage provider automatically. That’s my guarantee against the fire destroying my laptop situation.

1 Like

My backup looks like this.

  1. Automatic, local backup to several Cryptomator vaults (which are synchronised with the respective clouds/FTP servers via OneDrive, Google Drive, SyncFTP) (weekly/as needed). Backup as mirror, so only with 1 file version, locally deleted files are removed. These are primarily critical documents for which it is often useful to have mobile access (insurance policies, for example, or pictures).
  2. Automatic, external (non-encrypted) HDD backup with up to a maximum of 10 historical file versions and without deletion (only marking) of files no longer available in the source (weekly/as needed). This is my primary backup and includes all data.
  3. Automatic cloning of backup HDD1 to a second external hard drive (monthly).
  4. Manual and monthly backup of larger and non-critical amounts of data directly online (without local synchronisation). I use Cyberduck for this and encrypt the files with the integrated Cryptomator encryption (it’s more of a gimmick).

My personal opinion:
I strongly recommend not mixing up data privacy and data protection. Tools like Cryptomator are not for covering data loss risk. So you should not have your only backup being encrypted (regardless of which encryption tool you are using).

1 Like

@Michael: Can you explain your second task? How, or with which tool, are you creating file versions, and how do you mark files for deletion?

1 Like

I am using this backup tool: What tool do you use to automatically unlock your cryptomator vault and sync the files in your vault with the local copies of those files?

For SFTP Sync I am using the same tool.

While I acknowledge the potential risk of encrypted versions becoming corrupt, I weigh that risk against having unencrypted copies on my local drive. If your laptop gets stolen (probably the bad event with the highest probability of happening), and you have unencrypted copies of everything on the local drive, all your security efforts are moot: the crooks now have all your stuff. So when I think of using encryption, IMO, it’s pretty black or white – either a file/folder is important/sensitive/private enough to encrypt it or not, but not both. If you want to keep unencrypted versions on your local drive I suppose you could rely on the security built into Windows, but I’d rather not.

Having said that, wondering if it’s better to use VeraCrypt and just encrypt the whole local drive vs creating a bunch of vaults in CM, UNLESS CM’s advantage is its cloud capability.

And when I said “unencrypted backup” I did not mean “on devices I carry with me”. Of course, a notebook, as any other device that you carry with you, should be completely encrypted. But there are tools that are built for that purpose and much better and deeper integrated into the OS. That’s not the purpose of Cryptomator, which is designed to encrypt online stored files and work with as many providers as possible.

Still looking for suggestions for MY setup - I only have (and only need) one external drive. Would prefer not to have to use more than one encryption app as well. So the way I envision it:

1 - An encrypted vault/container on my local drive that has ALL my private content
2 - That same vault gets backed up to an external drive (also encrypted), and lastly
3 - That same encrypted vault is copied to a cloud service

So let’s start with #1 - do I need to “double up” and use both VeraCrypt for local drive/folder encryption, and then “add in” CM so I can have a backup in the cloud? I sense there is a simpler way but I’m not seeing it.

Hi, I’m using Cryptomator to encrypt all my sensitive files. All Cryptomator vaults on my PC are stored in pCloud and Dropbox. The vault (encrypted) is also backed up/synced to FreeNAS, an external drive, mobile devices and Mega. The way I back up/sync my Cryptomator vault:

  1. On my main PC, I have 3 encrypted vaults: Personal, Family and Financial. All are stored in the clouds.
    pCloud - Financial vault
    Dropbox - Family vault and Personal vault.
    Mega - All 3 Cryptomator vaults (Financial, Family, Personal) also sync here, using RealTime Sync to monitor any changes from the pCloud and Dropbox vaults. Synced only every 24 hours. I avoid syncing it in real time; the reason is, if anything happened (like an accidental delete) to my pCloud and Dropbox vaults, I can still access files from the Mega vaults.

  2. FreeNAS and external drives also monitor and sync the 3 Cryptomator vaults using RealTime Sync. Synced only 3 times a week, for the same reason as Mega.

  3. Mobile devices (1 tablet and 2 phones) - all 3 Cryptomator vaults on my main PC (pCloud – 1 vault and Dropbox – 2 vaults) are monitored and synced using SyncThing. One of the advantages of using SyncThing compared to any cloud storage service is that even without an internet connection I can access my vaults. Also, cloud storage services are limited to 2 or 3 devices only; with SyncThing I can add as many devices as I want.

I included hash files in all main folders in CM vaults using ExactFile. Every now and then I mount the vault from the backup (MEGA, FreeNAS and external drive) just to check the integrity of the files.

I set up this kind of backup/sync two years ago and until now it’s working. All done automatically. Once set up, I just forget it.

Hope that helps.
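
Added example, not part of any post in this thread: a sketch of the hash-file integrity check described in the last post, using Python's `hashlib` in place of ExactFile. The manifest file name and function names are assumptions made for this example; run it against the unlocked (mounted) vault, since the hash file lives inside the vault next to the data it covers.

```python
import hashlib
import os
import sys

MANIFEST = "manifest.sha256"  # assumed name; stored in the folder it covers

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk_files(root):
    """Yield '/'-separated relative paths of every file under root except the manifest."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel != MANIFEST:
                yield rel

def write_manifest(root):
    """Hash every file under root and save the list inside root (run on the original)."""
    entries = {rel: sha256_file(os.path.join(root, rel)) for rel in walk_files(root)}
    with open(os.path.join(root, MANIFEST), "w", encoding="utf-8", newline="\n") as f:
        for rel in sorted(entries):
            f.write(f"{entries[rel]}  {rel}\n")
    return entries

def verify_manifest(root):
    """Check a mounted backup copy against the manifest that was synced along with it."""
    expected = {}
    with open(os.path.join(root, MANIFEST), encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    present = set(walk_files(root))
    modified = [rel for rel in sorted(present & set(expected))
                if sha256_file(os.path.join(root, rel)) != expected[rel]]
    return {"missing": sorted(set(expected) - present),   # listed but gone from the copy
            "extra": sorted(present - set(expected)),     # added since the manifest
            "modified": modified}                         # content no longer matches

if __name__ == "__main__":  # usage: script.py write|verify <path to unlocked vault>
    action = write_manifest if sys.argv[1] == "write" else verify_manifest
    print(action(sys.argv[2]))
```

A non-empty `missing` or `modified` list on a backup copy means that copy should not be relied on for a restore until it has been re-synced from a known-good source.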