When vault is locked should I be able to see and read files "IMPORTANT", "masterkey" and "masterkey....bkup

I finally figured out how to use Cryptomator (I think!) but have a small query. So, when I lock the vault, I cannot see or read any of the encrypted files in my local drive or one One Drive. However, (but only on the One Drive vault), I can see and read the document titled “IMPORTANT” and see “masterkey” and “masterkey…bkup”. Is this normal? Could a malicious actor do anything with these files?

1 Like

Yes, that’s normal and no only with these files no one is able to decrypt your files. See here:

Ps: you can just delete the important file. It only contains information about where you have to store your files so they will be encrypted properly. Means: this is just an generally important information how to use Cryptomator.

1 Like

Thank you. So if I understand correctly, when I attempt to unencrypt files that were previously encrypted on another device, I can use the public master key to do this on the second device. Yes?

Yes. The file and of course your password.

Sorry for all the questions but I am having some difficulty in understanding how Cryptomator works. So, when I create a vault, let’s call it “Test Vault” and add some files to it, when I lock it, I can see “Test Vault” in One Drive but not in my local drive. Yes? And, although I can see “Test Vault” in One Drive, I cannot see the encrypted files in there, only the Word document “Important” , “Masterkey” and “Masterkey…bkup” and there is nothing a malicious actor could do with these three visible folders… Yes?

Then, when I unlock “Test Vault” using the master password, I can see two “Test Vaults”, one in my local drive (and this is where I should add, edit, delete or remove files NOT in the One Drive location). Yes?

Final two questions (I hope!). (1) As I cannot see the encrypted files in the locked “Test Vault”, how do I know that they are encrypted and not just hidden as hide file utilities do? (2) I assume there is no way to attach an encrypted file to an email to send in encrypted form. Or is there?

Despite all these questions, I like what I see so far but just want to make sure I am doing everything correctly.

Everything you asked with „yes“ is correct.

You can see them. If you have files in your vault, you should see encrypted files in your local OneDrive location as well.

No. Cryptomator relies on a vault structure. You can create a vault, put a file in there, zip the complete vault and send this zip to a friend who has to unpack the vault, add it to his own Cryptomator and thus decrypt the file. But I really thing there are better options to send encrypted attachments than Cryptomator. (Eg use 7zip as Packer and select AES encryption when creating the zip. Or think about pgp encryption plugins)

Hi Michael, thank you for replying so promptly (particularly on a Sunday). It is most impressive! I do not see the encrypted files when “Test Vault” is locked. I can only see the unencrypted files in my local drive when “Test Vault” is unlocked. I created four test Word documents “Test 1”, “Test 2” etc. When I unlock “Test Vault” and click “Reveal Drive”, I see the contents of “Test Vault” in my local drive and see five documents, “Test 1” to “Test 4” and the document titled “Welcome” (which is the same as “Important” when encrypted!), I also see the One Drive folder “Test Vault” which at the first level has four items in it a file folder “d”, “Important” (which is the same as “Welcome”), “Masterkey” and “Masterkey…bkup”. In “d” there are (three levels down), five encrypted files (even though the vault is unlocked) I assume that these must be the five files in “Test Vault” but the file names are also scrambled so there is no way of telling.

When I lock the vault I see exactly the same files and structure in the One Drive “Test Vault” as it is when unlocked. However, “Test Vault” is nowhere to be seen on the local drive. It is not a problem, as I can see it when I unlock the vault and click “reveal” but it does seem strange.

Is this how it should work?

Exactly. I guess your misunderstanding might be that you assume that either the unencrypted file is there or the encrypted. That’s wrong. You always have both of them because the drive that you see when vault is unlocked is just a virtual drive, that shows the unencrypted version of the encrypted file. That’s not a physical storage.

What you see is exactly what it should look like.

Thank you Michael. Your reply was very helpful and also impressive that you replied on a Sunday. I’ll now spend some time trying it out before transferring sensitive files/folders to it.

You’re welcome.
And don’t forget to backup your sensitive data.
Don’t mix data protection and data security
(just saying) :grinning_face_with_smiling_eyes: