Why is the masterkey stored in the cloud?

Inside the storage location of a Cryptomator vault, you will find a file called masterkey.cryptomator. This file is stored in the cloud to allow convenient access to a vault on different devices.

What does this file contain?

This file contains encrypted data, which is needed to derive the masterkey from your password. The file does not contain the decrypted masterkey itself. In addition, some metadata about the vault (e.g., the version of Cryptomator used to create it) is also stored in this file.

Is this a security problem?

No. The encrypted key in masterkey.cryptomator is not more sensitive than the encrypted files themselves.

For more details on how this exactly works, take a look at our security architecture.


It might be good to mutually cross-link this thread with the “Password Advice” and “Security Architecture” pages.

I’ve been reading more than my fair share about encryption, and yet coming to cryptormator I would have naively gravitated towards a “rememberable” password in order to minimize the risk of losing access. For cryptomator, this choice would have been quite wrong.

1 Like

Then maybe, the architecture should be advanced with the method from VeraCrypt, where the key file contains lots and lots more entropie and should be protected!

Of course a password that needs to be typed in will never be as good a a long key derived from a passphrase, mouse movements and entropie.


This would allow better security for those who are willing and able to store the key separately and only on local devices.

It could and should be optional, of course - esp. because of potential problems with mobile devices.

You can create an initial vault locally, then remove the masterkey file and move the remaining files into the cloud. The masterkey file then remains offline, whereas the rest of the vault is synchronized with your cloud drive.

Caution though: When you lose your masterkey file somehow, your access to the data is lost and cannot be restored anymore. You might also run into some difficulty when opening the vault from different devices, because you will now need a local copy of the masterkey file each time.

Regardless of this, if an attacker gains access to your local system and is able to break the password, access to the cloud container is now possible of course.