Why is the masterkey stored in the cloud?

Inside the storage location of a Cryptomator vault, you will find a file called masterkey.cryptomator. This file is stored in the cloud to allow convenient access to a vault on different devices.

What does this file contain?

This file contains encrypted data, which is needed to derive the masterkey from your password. The file does not contain the decrypted masterkey itself. In addition, some metadata about the vault (e.g., the version of Cryptomator used to create it) is also stored in this file.

Is this a security problem?

No. The encrypted key in masterkey.cryptomator is not more sensitive than the encrypted files themselves.

For more details on how this exactly works, take a look at our security architecture.


It might be good to mutually cross-link this thread with the “Password Advice” and “Security Architecture” pages.

I’ve been reading more than my fair share about encryption, and yet coming to cryptormator I would have naively gravitated towards a “rememberable” password in order to minimize the risk of losing access. For cryptomator, this choice would have been quite wrong.

1 Like