Why does Cryptomator now offer to save a password?

After updating Cryptomator to the latest version I now have the option Remember the Password.
It seems crazy to me, as if I select that option then anyone who has access to my computer would be able to unlock the vault!
Am I missing something?

Roman

This is not a new function; it has been available for a while (meaning for years). The new thing is that you can choose where to store it, if the corresponding plug-in is configured. If not, it’s like it was (stored in the system keychain).
See here:

Please keep in mind that some users use Cryptomator to ensure privacy of their online files only. This option is for people who want to unlock their vault automatically.

Thank you Michael for your reply.
If I store the password it is my assumption that I or anyone else can open the vault without knowing the password and without needing to enter it.
I may have missed the existence of this function but I still do not get why it exists at all. Isn’t the whole point of encryption to be able to access encrypted files only if one knows the password?

Yes, but Cryptomator is not just a plain encryption tool, it has some design goals. One of those is preventing access of your files inside the cloud storage. And a non-goal is protecting your files from local access. See also
https://docs.cryptomator.org/en/latest/security/security-target/

In the reference given it is stated:
The risk that the cloud provider or third parties access the data stored in the cloud without permission is mitigated. Only people who know the vault password are able to read the files in the vault or change the file contents undetected
My vault is in the cloud but, if I save the password, any third party who gains access to my computer could access my files stored in the cloud without permission. This to my mind does not agree with the above statement.
It also says: Protection of the files on the local computer is not the focus of Cryptomator. That is fair enough, I do not store and do not expect to protect any local files using Cryptomator… .

If that option was there before then it was somewhat hidden, it was not offered every time I try to unlock the vault. To me it looks like my bank offering me to store my login password every time I am going to log into my bank account - which would be crazy.

Valid point. And if you store your password in a password manager, everyone with access to that manager can access your Cryptomator files. If you write the password on a piece of paper and put it in a safe, everyone with access to that safe has access to your files. You see, it’s a matter of the safety of the password storing system. If your local system is protected against unwanted access, then it’s safe to store your password. If not, then you shouldn’t use that option.

I understand what you are saying but

- If I save a password in a password manager I have to set and know a master password to get in. I may be wrong, as I do not use it, but I do not think I would be given the option to save the master password during login.
- The whole point of a safe is to lock things inside under a code or key that you will hide somewhere, and not to leave it unlocked, which to me saving a password for unlocking a vault in effect does.
- Take my point about the bank and bank accounts. Why does your bank never give you an option to save the password when you are logging into your bank account?

My computer is only protected by a Windows password, which I know is not very secure, but that is precisely why I chose Cryptomator to encrypt just a few sensitive files and keep them safely under the password which is only in my memory (so far it works .-)). I think there will be more people like me…

There are also people who trust their local machine, but not their cloud provider. For them it is a useful feature.

If you do not like the feature, do not tick the box.

It completely depends on your setup, your risk management and what kind of security or privacy issue Cryptomator should solve for you.

To speak for myself, I’m using an Arch-based Linux distribution with disk encryption using LUKS. That means I trust my operating system this far: if someone gets hold of it while it is not unlocked, they can’t just easily get into my data. That is why I store all vault passwords in my password manager (KeePassXC), which I unlock when I’m using my PC and which auto-locks itself after some idle time. I use KeePassXC as password provider for Cryptomator. Before it was possible to save the password into KeePassXC, I used the GNOME keyring, where the key material is only available when unlocked into the user account. The same applies to Windows and Apple: in both cases, the passwords are not just lying around in a file visible for all eyes but are protected by the operating system as far as they can (and of course want to).

It would be a nightmare to have to enter my 40-digit auto-generated vault passwords even once.

On my mobile phone I use GrapheneOS, which I personally trust the most, which is why I have no problem using KeePassDX there either to access my vault on the go.

Personally, I want my files in my self-hosted Nextcloud with Cryptomator to be protected against third parties who may come into contact with them sooner or later, nothing more but also nothing less.

Your arrangements are quite sophisticated and the access to the vault is well protected. I would not advocate removing the option to save the password for users like yourself, but I believe it would be better if that option was hidden and not popping up every time when unlocking the vault. After all, it is set only once and users like yourself would have no problem locating and using the feature…

Okay, then your point is that the user should know better about the consequences and how it is protected when saving the password?

It would then probably be sufficient to display a pop-up with the information when saving for the first time (in general, not per vault).

Yes, agreed.
As is, it is far too easy to tick the box for convenience without thinking of the consequences.

Okay, then I understand your concerns, thanks for that, and from my point of view it sounds like a useful enhancement to show this dialog on first save. Will create an issue for it on GitHub tomorrow… can’t promise that it will be implemented, but I find it useful and reasonable.

@rmervart just created it, see https://github.com/cryptomator/cryptomator/issues/1940