Why are the keys from cryptomator public?

I don’t understand why I should use Cryptomator to encrypt my files in cloud storage when the vault/masterkey files are unprotected and available for, say, an employee to grab.
Wouldn’t this mean anyone with access to these files could also access all my encrypted personal documents?

Thank you.

No. You need the password to open your vault.
More information: Why is the masterkey stored in the cloud?

Besides this, since App version 1.6 you can store the Masterkey file anywhere you want as long as it is accessible by the app.

But unfortunately a masterkey backup file (bkup) is written in the folder after each unlock. So if I generally want to keep my masterkey outside of the cloud, a masterkey backup is always generated in the folder after every sync or unlock. What is the exact meaning of this bkup file?

I find it practical in KeePass that you can create a key file in addition to the password.

That would be a kind of two-factor security. I think that is simply missing in Cryptomator, and in my opinion it is elementary.

Would be great if you could include that.

No. The backup is only written if the masterkey is stored inside the vault (this can even be seen in the source code).

If the original one gets corrupted. Since the masterkey file is crucial to the vault, if a sync client messes it up or a bit flip happens, you are still able to access the data.


There already exists a similar feature request on our issue tracker about including a physical security token; see "Feature: Second (physical) security token for authentification · Issue #367 · cryptomator/cryptomator · GitHub".

Ok, thank you for the information.