This page last changed 2025.12.07 06:58 [3 times today, 1 time yesterday, and 10 total times]

Using Cryptomator

A way for someone with MacOS device(s), iPad(s), and iPhone(s) to secure and access their data from their devices.

Set up a Cryptomator Vault on iCloud (macOS, iPhone, iPad)

This setup allows iCloud to sync your vault files in encrypted form, while Cryptomator handles local decryption on each device.

Requirements

Install Cryptomator on each device:

macOS:

Download from: https://cryptomator.org/downloads/

iPhone & iPad:

Install Cryptomator from the App Store (paid app)

Make sure you are logged into the same Apple ID and that iCloud Drive is enabled:

macOS:

System Settings → Apple ID → iCloud → iCloud Drive → ON

iPhone/iPad:

Settings → [your name] → iCloud → iCloud Drive → ON

Step 1: Create the vault on your Mac (recommended)

Creating it on macOS is easier and more reliable.

Open Cryptomator
Click Add Vault → Create new vault
When asked for a location, choose:
- 'iCloud Drive'
Optionally create a folder named:
- ``Cryptomator``
Name your vault (example: ``SecureVault``)
Create a strong password
(Recommended) Save a recovery key offline

Result:

A folder appears in iCloud Drive: ``SecureVault``
Inside are encrypted files (this is correct)
When unlocked, the vault appears as a drive (example: ``/Volumes/SecureVault``)

Step 2: Let the vault sync fully

Open Finder → iCloud Drive
Confirm that ``SecureVault`` is visible
Wait for any cloud icons to disappear (fully synced)

IMPORTANT:

Do not proceed until syncing is complete

Step 3: Add the vault on iPhone

Open Cryptomator
Tap Add Vault
Select iCloud Drive
Open the ``SecureVault`` folder
Tap the file:
- ``SecureVault.cryptomator``
Enter the same password

You can now:

View files
Add photos/documents
Scan into the vault
Use Face ID or Touch ID

Step 4: Add the vault on iPad

Repeat the same steps:

Cryptomator → Add Vault
iCloud Drive → SecureVault
Select ``.cryptomator`` file
Enter password

Your vault is now available on:

macOS
iPhone
iPad

Important Usage Rules

To avoid data corruption:

Only open the vault on one device at a time
Always lock the vault after use
Allow iCloud to finish syncing before opening on another device
Do NOT rename or edit vault files in Finder or Files app

Think of it as:

Save → Lock → Sync → Open on next device

Suggested Folder Structure (inside the vault)

Personal
Scans
Taxes
Medical
Password backups
Encrypted documents

All of this is encrypted in iCloud.

Optional macOS Tip

After unlocking the vault on macOS:

Right-click the mounted vault
Select Add to Finder Sidebar

Now your vault is one click away.

Cryptomator: Password Strategy, Face/Touch ID, and Backup

Password & Recovery Key Strategy

Your vault password is the ONLY key to your data. If it’s lost → data is permanently inaccessible.

Strong Password Guidelines

Use a long passphrase (recommended: 4–6 random words + symbols)

Good example:

``River!Tulip-Coffee9!Glass``

Avoid:

Pet names
Birthdays
Dictionary-only words
Short passwords

Minimum recommendation:

16+ characters
Include uppercase, lowercase, numbers, symbols

Recovery Key (CRITICAL)

Cryptomator allows you to create a recovery key file.

Store it in TWO offline places:
- External USB drive
- Printed and locked in a safe
Do NOT store the recovery key in:
- iCloud
- Email
- Your Cryptomator vault

Recommended labeling:

``Cryptomator Recovery Key – SecureVault – [Date Created]``

Think of the recovery key as:

A master key for emergency use only

Enable Face ID / Touch ID

This improves convenience WITHOUT weakening encryption.

On iPhone / iPad

Open Cryptomator
Click the vault
Go to:
- Settings → Security
Enable:
- Face ID (or Touch ID)
You will still need the password after reboot

Now you can:

Unlock the vault with Face/Touch ID
Avoid typing the full password each time

On macOS (Touch ID MacBooks only)

If your Mac has Touch ID:

Open Cryptomator → Settings
Enable Use Touch ID
You can now unlock using your fingerprint

If your Mac does NOT support Touch ID:

Use a long, stored passphrase in your password manager

Backup Strategy for Your Vault

Important rule:

iCloud sync is NOT a backup
Sync ≠ Backup

You need separate, offline copies.

Method 1: External Drive Backup (Recommended)

Once a week or month:

Plug in an external drive
Copy the entire:
- ``SecureVault`` folder
Paste it to:
- External drive only
Safely eject when finished
Keep drive disconnected when not in use

IMPORTANT:

Only copy the folder when the vault is CLOSED
Otherwise, encryption files could corrupt

Method 2: Time Machine (macOS)

Time Machine WILL back up the encrypted files automatically.

This is good because:

It stores the locked, encrypted content only
Even Apple cannot see the data

Just be sure:

The vault is locked most of the time
Time Machine is running normally

Optional: Off-site Backup (Extra Safety)

You may also store a backup at another loc