Cryptomator - Free & Open-Source Cloud Storage Encryption
cryptomator.org.web.brid.gy
Cryptomator is an open-source encryption tool for secure cloud storage. Protect your privacy for free on Dropbox, Google Drive, OneDrive, and more.

[bridged from https://cryptomator.org/ on the web: https://fed.brid.gy/web/cryptomator.org ]
Two Years of Cryptomator Hub – Team Encryption Reimagined
On **November 2, 2023**, **Cryptomator Hub 1.0** was released—our solution for secure, encrypted collaboration in the cloud. **Two years** later, Cryptomator Hub has become a central tool for companies, universities, and NGOs that want to protect their sensitive data while working efficiently as a team. On this anniversary, we look back on two exciting years full of further developments, beta features, new areas of application—and what’s yet to come.

## What is Cryptomator Hub?

Cryptomator Hub is the **central platform for managing and sharing encrypted vaults**. While the classic Cryptomator app allows individuals to protect their cloud files, the Hub extends this principle to teams and organizations.

Cryptomator Hub offers a web-based dashboard that administrators and team members can use to **manage users, assign roles, and control access rights**—all fully encrypted and GDPR-compliant. Cryptomator Hub thus bridges the gap between strong **end-to-end encryption** and user-friendly teamwork.

## Features That Make the Difference

1. **Centralized Management of Users and Permissions**
   Whether you’re a small team or a large organization, administrators can always keep track of who has access to which vaults. Role-based permissions make management easy and transparent.
2. **Web of Trust**
   This security model enables secure key exchange between team members via digital trust relationships. No unencrypted data exchange and no complicated key files, as trust is mapped technically.
3. **Create Vault Role**
   Teams can independently create new vaults without administrators having to accompany each step. This keeps collaboration flexible while maintaining a high level of security.
4. **Self-Hosting & Data Protection by Design**
   Data protection is not an add-on, but a core principle: Cryptomator Hub can be operated locally (on-prem) or in private cloud environments. This gives companies and institutions complete control over their infrastructure and data.
5. **Integration with Popular Cloud Services**
   Whether OneDrive, Google Drive, Dropbox, or Nextcloud, Cryptomator Hub integrates seamlessly into existing work environments and protects data regardless of the provider.

## Typical Areas of Application

### Companies and Public Authorities

Companies use Cryptomator Hub to implement zero-trust security strategies. **Industries with high compliance requirements**—such as healthcare, public administration, and legal services—benefit particularly from GDPR-compliant cloud encryption.

Companies such as Walbusch GmbH & Co. KG are already successfully using Cryptomator Hub and can report consistently positive results:

> **With Cryptomator Hub, we can securely manage sensitive company data while making it easy for our employees to use.**
>
> _Andreas Cofalla, Application Manager IT, Walbusch GmbH & Co. KG_

### Universities and Research Institutions

Research teams secure their project data with Hub without sacrificing cloud collaboration. **Sensitive research data** remains protected while collaboration across departments or countries continues to function.

### NGOs and Nonprofits

For organizations operating globally, Cryptomator Hub offers a secure way to share **confidential documents**—from grant proposals to personnel data—even with limited IT resources.

### IT Teams and Data Protection Officers

Hub simplifies audits, role management, and verification of data protection-compliant working practices—a clear advantage in internal and external security audits.

## Two Years of Further Development – And Looking to the Future

Since its launch in 2023, Cryptomator Hub has developed rapidly. The 1.4.0 update in April 2025 brought two decisive milestones with the **Web of Trust** and the **Create Vault role**. Furthermore, everything is focused on optimization, scaling, and future-proofing—especially with regard to the upcoming standards of post-quantum cryptography.

But we are not resting on our laurels. **Three new features** are already in the pipeline to make Cryptomator Hub even more powerful and user-friendly.

### User/Group Management

**User and group management** will become much more convenient in the future. With the new, **integrated user/group management**, smaller companies and organizations can create and manage their team structures directly in the hub—intuitively, clearly, and without detours. In the background, we continue to rely on **Keycloak**—a proven, powerful solution for identity and access management.

### Emergency Access

In companies, it can always happen that employees leave and access to important data is lost as a result. The upcoming **Emergency Access** feature provides a remedy here: it allows you to **designate a specific group of authorized persons** who can restore access to a vault, either collectively or partially, in an emergency. **Even in critical situations or in the event of personnel changes**, the company remains capable of acting.

### Files in Use (in the Desktop App)

A frequently expressed wish of our Hub customers: **better support for collaborating on Office files.** While **LibreOffice**, for example, already has a built-in locking system for open files, this has been missing in **Microsoft Office** until now. That’s why we are currently developing our own **“locking system”** in the **Cryptomator desktop app** that recognizes when a file is already open and informs other users. This makes collaborating on documents more conflict-free, transparent, and secure—another step toward smooth teamwork.

## Two Years of Trust, Cooperation, and Security

In two years, Cryptomator Hub has evolved from an idea into a reliable platform for secure teamwork. We would like to thank all users, administrators, and testers who have helped to further develop Cryptomator Hub with their feedback—and we look forward to the next chapter.
cryptomator.org
November 3, 2025 at 9:56 AM
OneDrive Security Breach Shows: Why Zero-Knowledge Matters
In **May 2025**, **Oasis Security** published an analysis that caused a stir in the cloud world: **a vulnerability in OneDrive File Picker** allowed third-party applications to access files for which they did not actually have access rights. **Millions of users** were affected, both private individuals and companies. What exactly happened, why is this incident so explosive, and what can you learn from it to better protect your own data?

## What Went Wrong With OneDrive File Picker?

OneDrive File Picker is a popular interface that allows apps to access files from personal cloud storage. However, Oasis Security discovered that **certain configuration** errors allowed applications to view and download files that they did not officially have access to – even sensitive content such as tax documents, project plans, or confidential meeting minutes.

Worse still, the affected applications did not even need to use an exploit – all they had to do was use the File Picker correctly (or rather, incorrectly). **The problem was not a targeted hack, but a design flaw in the system.**

## The Real Lesson: Trust Is Not a Security Concept

Many users trust cloud providers such as Microsoft, Google, and Apple to keep their data secure. But this incident shows that even large platforms make mistakes—with far-reaching consequences.

The **real problem** runs deeper:

* **Access rights** are managed in the backend, not by the user(s) themselves.
* Files are often stored **unencrypted** on servers—or only with a key that the provider itself controls.
* **Security vulnerabilities in third-party apps or web interfaces** can be exploited without those affected even noticing.

**In short**: anyone who entrusts their data exclusively to the security promises of cloud providers is relinquishing control.

## The Solution: Zero-Knowledge Encryption With Cryptomator

Cryptomator takes a fundamentally different approach: **files are encrypted locally on your device before being uploaded to the cloud**. This means your data remains protected even if the cloud provider is compromised—or, as in the case of OneDrive, simply makes a mistake.

This means:

* **No one** but you can read your files—not Microsoft, not Google, not us.
* **Access rights** are secondary, because without the key, all data remains unreadable.
* Even **compromised** APIs or third-party apps only see encrypted garbage data.

**Cryptomator Hub** offers the ideal extension for teams, organizations, and companies:

* **Centralized management of encrypted vaults**
  IT administrators can preconfigure vaults and share them with specific users—all with end-to-end encryption.
* **Role-based access control**
  Thanks to the role-based system, you can specify exactly who is allowed to create, open, or manage vaults—without central key distribution.
* **Web of trust for secure collaboration**
  Team members verify each other, creating a trustworthy environment—without the need for external certificate authorities.
* **Seamless integration into existing cloud workflows**
  Cryptomator Hub can be easily combined with existing cloud storage solutions such as OneDrive, Google Drive, or Dropbox.

Cryptomator Hub enables **highly secure and practical cloud usage within teams** without the usual compromises in data protection and compliance. This is a future-proof solution, especially for organizations with increased requirements, such as **NGOs, research institutions, or companies in regulated industries**.

## What You Can Do Now

Whether you use OneDrive, Dropbox, or another cloud service, this incident shows that **no provider can offer 100% security** on its own. However, you can drastically reduce your risks by taking a few simple steps:

* Use **client-side encryption** with tools such as Cryptomator.
* Do not store particularly sensitive documents unencrypted in the cloud.
* **Raise awareness among your team members** or colleagues about cloud access rights.
* Check which third-party apps have access to your cloud.

## Conclusion: Safety Begins With Control

The OneDrive security breach is not an isolated incident—it is a symptom of a system that relies on trust rather than real control. But if you **encrypt your files before uploading them**, you remain protected even in the event of serious security breaches. With Cryptomator, you retain full control over your data, your privacy, and your digital security.
cryptomator.org
October 30, 2025 at 9:52 AM
Back to School – Data Security for Universities
With the start of the new winter semester, lecture halls are filling up again—as are the **digital platforms of universities**. Learning management systems, research platforms, cloud storage solutions, and digital administrative processes have long been part of everyday life at universities. But while digitalization opens up new opportunities, it also carries risks: **cyberattacks, data breaches, and inadequately protected cloud data** jeopardize the integrity and confidentiality of highly sensitive information.

In this article, we show why encryption is essential for universities – and how it helps make **research, teaching, and administration more secure**.

## Why Universities Are a Lucrative Target for Cyberattacks

Universities and colleges process a wide range of sensitive data:

* **Personal data** of students, researchers, and employees (e.g., student ID numbers, transcripts, health information).
* **Research data**, often related to third-party funding or government-funded projects.
* **International collaborations**, which also require compliance with the regulations of other countries (e.g., FERPA, GDPR).
* **Login details and access keys** for learning platforms, email services, and digital resources.

More and more attacks are targeting universities, for example through ransomware, phishing, or cloud leaks. According to the BSI Situation Report 2024, educational institutions are among the critical areas with a sharply increased threat level. This makes it all the more important for universities to make their digital structures resilient and encrypted.

### Encryption: The University’s Digital Invisible Ink

Data encryption protects information using mathematical methods—it can only be read with the right key. For universities, this means:

1. **Confidentiality of research results**
   Particularly in the case of sensitive basic research or cooperation projects with companies, it is crucial that only authorized persons have access to files. End-to-end encryption protects this data even if a cloud provider is compromised.
2. **Data protection for students and teachers**
   The EU GDPR requires universities to comprehensively protect personal data. Encryption enables data processing that complies with data protection regulations—even when using the cloud, working from home, or using BYOD models.
3. **Protection against ransomware and data loss**
   Encrypted backups and protected storage systems can greatly limit the impact of ransomware attacks. Attackers have no access to unencrypted original data, and recovery can take place without payment.

## Practical Application: Where Encryption Makes Sense

**Field of application** | **Recommended solution**
---|---
Cloud storage (e.g., Nextcloud, OneDrive) | Client-side encryption with tools such as Cryptomator
Research data archiving | Zero-knowledge cloud or encrypted vaults
Administrative documents | Password protection and structured access controls
Mobile use & working from home | Container-based encryption on mobile devices

## Conclusion: Set the Course Now for a Safe Semester

The digitization of higher education is unstoppable—but it is not defenseless. Those who encrypt today will protect the autonomy of research and teaching tomorrow. Universities that rely on simple, secure, and privacy-compliant encryption solutions build trust among students, employees, and partner institutions. Now is the ideal time to evaluate existing systems, raise awareness, and integrate encryption solutions for the long term.
cryptomator.org
October 23, 2025 at 9:48 AM
Cryptomator Desktop 1.18.0 Beta – Try it now!
The next release of Cryptomator Desktop is right around the corner – and before we publish the final version, we’d like to invite you to test the beta of version 1.18.0. Along with useful new features and important bug fixes, this release also comes with a special call to our community.

## New Features & Fixes

With Cryptomator Desktop 1.18.0, we’re once again bringing improvements and bug fixes across all platforms:

#### New Feature

* Remember Last Vault Location
  When creating a new vault, Cryptomator will now automatically suggest the last chosen storage location. This makes setup more convenient, especially if you manage multiple vaults in similar folder structures.

#### Fixes

* Linux/KDE: QuickAccess Entries
  On KDE, each unlock process created a new QuickAccess entry in the Dolphin file manager, even if one already existed (e.g., after an unexpected app crash). This is now fixed – existing entries are reused, and no manual cleanup is needed.
* Prevention of Huge Log Files
  On Windows, log files could in rare cases grow extremely large, causing system issues. The existing size limit of log files was bypassed in those cases. This has been fixed, so the app can safely run in the background without issues.
* macOS: Stability When Saving Vault Passwords
  Some users experienced app crashes when trying to save a vault password. This bug has now been fixed, so password saving on macOS works reliably.
* macOS: macFUSE Detection on macOS 26
  In the upcoming macOS version 26, macFUSE was sometimes not detected, leading to problems when mounting vaults. This issue is fixed to ensure Cryptomator works smoothly on the latest macOS releases.

Download the Beta 1.18.0 here

## We Need Your Support!

In addition to these updates, there’s something special this time: Our Windows installer is now signed with a new certificate. Since this certificate is not yet widely recognized in Microsoft’s trust network, Windows may display a security prompt when installing the beta version. The more people install the beta, the faster the certificate will gain trust – and the security dialog will disappear.

Don’t worry: the installer is still safe and signed by us. Windows just needs to “learn” that the new certificate is trustworthy.

## Final Words

With version 1.18.0, we’re making Cryptomator more convenient, stable, and future-proof. The beta is an important step – not only to test the new features and fixes, but also to establish our new certificate in the Windows ecosystem.

We’re grateful for every bit of support from the community:

* Install the beta and try out the updates.
* Share your feedback if you notice anything.
* Help us make the final release as stable and user-friendly as possible.

Your feedback makes Cryptomator stronger – and ensures we can all keep our data securely encrypted.

Thank you for your support – we can’t wait for the final release of 1.18.0! 🎉
cryptomator.org
October 9, 2025 at 9:45 AM
Our Roadmap to Post-Quantum Cryptography
If you’re reading this, chances are you’ve heard about quantum computers and how they may eventually break some traditional ciphers. In this article, we outline how this affects Cryptomator and what our plan is to become fully quantum-secure.

## Cryptographic Breakdown

First, let’s take a look at the ciphers involved in Cryptomator:

[Figure: Cryptographic Breakdown of Cryptomator & Cryptomator Hub]

As you can see, we mostly rely on AES- and EC-based algorithms. These are traditional algorithms whose security assumptions apply in a world of classical (non-quantum) computers. The general idea is that computations are efficient if you know the right key but practically impossible without. When I say “practically impossible” I mean on traditional computers, as the computations are just “too complex”.

## A Few Words About Complexity

While we aim to avoid complexity when it comes to usability or code legibility, there is a specific kind of complexity that we strive for. Let me explain: When we want to express how many steps a certain computation requires, we categorize algorithms into classes of computational complexity. To illustrate this concept, here are some dog-related examples:

Complexity Class | Example | Big O
---|---|---
Constant Time | Blowing the dog whistle always takes the same time, regardless of how many dogs are listening. | O(1)
Logarithmic Time | Finding the phone number of a pet clinic is easy with a telephone book, as it’s sorted alphabetically and allows you to quickly narrow down the pages. | O(log n)
Linear Time | Petting every dog. If every dog gets the same attention, it takes exactly n times longer, if you have n dogs. | O(n)
Polynomial Time | If every dog at a party wants to sniff and greet every other dog. Dog 1 sniffs dog 2, 3, 4, … Dog 2 sniffs dog 3, 4, … and so on. | O(nᵏ)
Exponential Time | Every dog has 4 puppies. That makes 16 dogs after two generations, 64 after three generations and 256 after four generations. | O(kⁿ)

To ensure that breaking a cipher requires an insane amount of time and energy, cryptographic algorithms rely on hard-to-compute problems—i.e., we’re operating on the more complex side of the spectrum.

The most illustrative example for this is the factorization problem: Determine the prime factors of 8633. The result is easy to verify through a simple multiplication (89 × 97), but finding the factors from the product is hard; harder than polynomial but subexponential. This is exactly what the RSA crypto scheme is based on (except with some _very_ large numbers), where the public key includes the product of two secret primes that are required to compute the private key.

## How Quantum Computers Weaken Ciphers

### Asymmetric Cryptography

Quantum computers are not inherently faster, but they allow for a different set of algorithms to run. So, while a problem may be hard-to-compute for traditional algorithms, it could be far less complex when solved with quantum algorithms.

One of the most infamous examples is Shor’s algorithm, which solves the factorization problem in polynomial time. While polynomial time is just one row above exponential time in the table above, it makes all the difference. The following graph illustrates the effect of an increasing problem size on the two complexity classes:

[Figure: Growth curves of polynomial and exponential functions]

If a quantum computer can be built that is capable of running Shor’s algorithm on large numbers, it would break most of today’s public-key cryptography—including ECDH.

### Symmetric Cryptography

Imagine a number lock with four digits. To guess the correct combination, a traditional computer would have to check every possibility, starting with 0000 and ending with 9999. On average, it would take 5,000 guesses.

Now, what if I told you that a quantum computer could do it in just 100 guesses? Sounds like magic? That is exactly what Grover’s algorithm can achieve. More generally, when a traditional algorithm takes \(n/2\) steps on average, a quantum computer only needs \(\sqrt n\) attempts—a speed-up that the BBBV theorem proves to be the best possible solution. If you want to understand how this works, there’s a great video by 3Blue1Brown about Grover’s Algorithm.

This “magic” applies to any problem where it’s efficient to check if a guessed solution is correct. That’s obviously a problem if you don’t want an attacker to guess your secret key. Fortunately, the defense is simple: increase \(n\) to a size where even \(\sqrt n\) becomes large enough to make Grover’s algorithm impractical.

**Why is AES-256 quantum-secure?**

Ever wondered why we use AES-256 instead of AES-128? The “256” refers to the number of key bits, resulting in \(2^{256}\) possible keys. Guessing the correct key would therefore take \(2^{256} / 2 = 2^{255}\) attempts on a traditional computer and \(\sqrt{2^{256}} = 2^{128}\) attempts using Grover’s algorithm. Making \(2^{128}\) guesses is simply infeasible. So, while AES-128 suffices on traditional computers, the post-quantum world demands AES-256.

## A New Era of Ciphers

[Figure: Kyber and Dilithium]

So, while a sufficiently large key space is enough for AES, our asymmetric ciphers need to be replaced to withstand attacks from quantum computers.

In 2016, the National Institute of Standards and Technology (NIST) launched a competition to identify quantum-resistant cryptographic algorithms. Electing algorithms through a competition has already proven successful in the past, as with AES and SHA-3. This approach attracts significant attention from experts, who do their best to uncover weaknesses.

In 2022, after several rounds of eliminating dozens of candidates, NIST announced the winners. Kyber and Dilithium—named after crystals from Star Wars and Star Trek, respectively—became the first standardized post-quantum algorithms for encryption and digital signatures. They were officially named ML-KEM and ML-DSA.

**Tip:** Again, here is a great video explaining the underlying math of ML-based cryptography.

Great! So let’s integrate ML-KEM and ML-DSA into Cryptomator Hub:

[Figure: Cryptomator Hub with Post-Quantum Cryptography]

“But wait, there is still ECDH in it!?” I hear you say. And you’re right. Despite the new ciphers being very promising, we have to face the fact that they simply haven’t been around for long. We just don’t know yet what kinds of attacks might be discovered in the future—or whether these algorithms will truly stand the test of time.

So, to be extra cautious, we combine a traditional cipher and a post-quantum one. Think of it like a door with two locks: if one is broken, the other still protects what’s inside. It’s a simple design that ensures the system is no weaker than its individual components. This post-quantum/traditional (PQ/T) hybrid is called _X-Wing_.

[Figure: Cryptomator will use X-Wing]

X-Wing is still a work in progress, but I reached out to the RFC authors—Deirdre Connolly, Peter Schwabe, and Bas Westerbaan—to ask when we can expect the final specification to be published. Just ten minutes later, Bas replied:

> X-Wing is final and being shipped by Google and Apple presumably in hardware.
>
> — Bas Westerbaan

To be sure, I followed up and asked whether they expect any further changes to the current RFC draft—which they don’t:

> No significant changes, no changes planned or expected at all.
>
> — Deirdre Connolly

This confirmed our belief that now is the perfect time to begin adopting X-Wing as the future standard for key encapsulation.

**If PQ/T hybrids are preferable, what about a hybrid signature scheme?**

Yes, there are also efforts to standardize a combination of ML-DSA and ECDSA. Unlike X-Wing, this is in an earlier phase, though. We are closely following developments in this area and will probably make use of this scheme once it is ready.

## Standardizing Cryptography

### Benefits of Standardization

In every industry, standardization plays a key role. It ensures compatibility, promotes interoperability, and reduces costs by enabling different systems and organizations to work together using common protocols and specifications—maintaining consistency and reliability.

In the security sector, standardization is even more critical. Algorithms, protocols, and data formats must not only function reliably across heterogeneous systems—they must also withstand rigorous scrutiny. The more experts peer review a standard, the better. As with the NIST competitions mentioned earlier, such scrutiny can uncover weaknesses _before_ a cipher is deployed in production.

By adhering to established, transparent standards, both developers and users benefit from stronger, more trustworthy protection—especially as the threat landscape evolves with technologies like quantum computing.

Ignoring such standards—sometimes in the name of speed or convenience—sets you on a path that may be paved with hidden flaws. Even the smallest change can introduce serious vulnerabilities that, without thorough peer reviews, are likely to be discovered first by someone smarter and less well-intentioned.

At Cryptomator, we’ve always stood against “security through obscurity” (which is also why open source matters). Needless to say, we’ve never used home-cooked ciphers—that would pose a serious risk. And the more widely used an algorithm or protocol is, the easier it becomes to understand, verify, and audit the system as a whole.

### A Strong Foundation

Many standards are built upon others. Without ML-KEM, there would be no X-Wing. Now that X-Wing is around the corner, what can we do with it? Use it in yet another standard: HPKE.

HPKE stands for Hybrid Public Key Encryption—and to be precise, it doesn’t depend on X-Wing at all. Instead, it defines how to combine three different cryptographic ingredients—KEM, KDF, and AEAD—in a specific way that ensures well-defined security properties. And X-Wing can serve as one of these ingredients (the KEM).

Another standard that we’ve come to love is JWE, a data format for exchanging encrypted payloads. And guess what—there are people working on standardizing the use of X-Wing-based HPKE in JWE. That’s exactly what we want to adopt in Cryptomator Hub, replacing the current ECDH-based JWEs.

Beyond the aforementioned benefits of peer reviews, adopting standardized formats over proprietary ones provides several additional advantages:

* Common APIs make it easy to swap out implementations—for example, HPKE usage remains the same regardless of the underlying algorithms.
* Wide availability of well-established libraries. For instance, there are dozens of JWE/JWT libraries.
* Official test vectors allow us to write tests that fail the build early if something goes wrong.
* Faster vulnerability awareness: If a flaw is discovered in a widely used standard, it will likely be reported quickly—whereas a single proprietary implementation may go unnoticed for much longer.

Both JWE and HPKE support interchangeable internal algorithms while maintaining a consistent external interface. This allows us to retain the overall structure and quickly replace internal components if vulnerabilities arise.

> The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required.
>
> — Bruce Schneier

### Standardizing the Vault Format

So, if all the ciphers used in Cryptomator products—as well as the exchange of secrets in Cryptomator Hub—are based on standards, what about the vault format?

While we use well-established cryptography, the file formats themselves are our own. But we want to change that. Some time ago, we joined forces with developers of Cyberduck, gocryptfs, and rclone to derive a common format for encrypted directories—ensuring interoperability across our tools.

Although the format is still a work in progress, we hope to share more details with you in a couple of months. In the meantime, you’re of course invited to review the format and contribute ideas for improvement on GitHub.

One key benefit of this _Unified Vault Format_ is that it enables key rotation—which itself brings two major advantages:

1. **Access revocation**: After rotating keys, former vault members can no longer decrypt files added after their access got revoked. What is trivial with access control lists requires special care when we want to enforce this cryptographically.
2. **Cipher agility**: To some extent, it enables cipher upgrades. For example, if a vulnerability is found in one algorithm, we can flip a switch and transition to a new JWE algorithm—instantly protecting all newly added files.

## In Short: Where Do We Stand?

### Cryptomator

As explained above, Cryptomator is already quantum-secure. Since it uses only symmetric ciphers with sufficiently large key spaces, quantum computers currently pose no known threat.

### Cryptomator Hub

Cryptomator Hub, on the other hand, will need to migrate to different algorithms. These are the steps we want to take:

1. _(In progress)_ Implement X-Wing: As a 100% open-source company, we have always contributed to other libraries and projects. As mentioned before, we’re in contact with the authors of the X-Wing RFC and also with the JDK security team in order to add X-Wing support in the OpenJDK.
2. _(In progress)_ Implement HPKE in JWE libraries: We have been contributing to one of the most widely used JOSE libraries for Java from the very beginning of Cryptomator. Unsurprisingly, it is therefore in our interest to add HPKE support (and then X-Wing based HPKE) as defined in JOSE HPKE RFC. The RFC authors (one of whom we know personally) are already eager to hear our feedback.
3. Migrate the JWEs used in Cryptomator Hub from traditional to PQ/T hybrid cryptography. We want to start this as soon as the standards are finalized and the aforementioned algorithm implementations can be published in upstream libraries.
4. Introduce a new vault format that will improve the cipher agility and has further benefits for Cryptomator Hub users.

As you can see this is a collaborative effort. All to build a resilient foundation for the years ahead.
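
The four-digit lock from the "Symmetric Cryptography" section above, simulated classically on the amplitude vector (an added example, not code from Cryptomator). The secret `4711` and all function names are assumptions made for illustration; the block also shows that the exact optimum is about (π/4)·√n rounds, slightly below the √n the article rounds to, and that running more rounds than that lowers the success probability again.

```python
import math


def optimal_iterations(n_items: int) -> int:
    """Grover rounds that maximise success: floor(pi/4 * sqrt(N))."""
    return math.floor(math.pi / 4 * math.sqrt(n_items))


def simulate_grover(n_items: int, target: int, iterations: int) -> float:
    """Classically simulate Grover's search over n_items candidates.

    Returns the probability that measuring the register yields `target`.
    """
    # Start in the uniform superposition: amplitude 1/sqrt(N) everywhere.
    amp = [1.0 / math.sqrt(n_items)] * n_items
    for _ in range(iterations):
        # Oracle ("is this guess correct?"): flip the sign of the target.
        amp[target] = -amp[target]
        # Diffusion: reflect every amplitude about the mean amplitude.
        mean = sum(amp) / n_items
        amp = [2.0 * mean - a for a in amp]
    return amp[target] ** 2


def closed_form(n_items: int, iterations: int) -> float:
    """Textbook result: P = sin^2((2k + 1) * asin(1 / sqrt(N)))."""
    theta = math.asin(1.0 / math.sqrt(n_items))
    return math.sin((2 * iterations + 1) * theta) ** 2


def key_search_cost_log2(key_bits: int) -> tuple[float, float]:
    """log2 of (average classical guesses, Grover rounds) for a k-bit key."""
    classical = float(key_bits - 1)                  # 2^k / 2 guesses on average
    quantum = key_bits / 2 + math.log2(math.pi / 4)  # (pi/4) * sqrt(2^k) rounds
    return classical, quantum


if __name__ == "__main__":
    N, SECRET = 10_000, 4711  # constructed: four-digit lock, arbitrary code
    k = optimal_iterations(N)
    print(f"classical average: {N // 2} guesses")
    print(f"Grover, {k} rounds:      P = {simulate_grover(N, SECRET, k):.6f}")
    print(f"Grover, {2 * k + 1} rounds:     P = {simulate_grover(N, SECRET, 2 * k + 1):.6f}")
    for bits in (128, 256):
        c, q = key_search_cost_log2(bits)
        print(f"AES-{bits}: classical 2^{c:.0f}, Grover about 2^{q:.2f}")
```

The simulation needs memory linear in the number of candidates, so it only works for toy sizes such as this lock; it says nothing about how hard a real quantum attack on a 128- or 256-bit key would be to run.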
cryptomator.org
August 6, 2025 at 9:30 AM
Cryptomator 1.17.0: Windows, say "Hello"!
With the new update to version **1.17.0**, Cryptomator becomes even better — more stable, more compatible, and more user-friendly. In this blog post, we’ll take a look at the most exciting new features and explain why this upgrade is worth it.

## What’s New?

**Windows Hello Integration**
Starting now, you can unlock your vaults on Windows using **Windows Hello** — whether via facial recognition, fingerprint, or PIN. Added security meets maximum convenience. Once again, big thanks to Ralph (purejava on GitHub) for contributing to this feature!

**Double-Click to Unlock Vaults**
You can now unlock your vaults by simply **double-clicking the** `vault.cryptomator` **file** — no need to open the app interface first. This makes accessing frequently used vaults even easier.

**Updated Graphical Framework: JavaFX 24**
Under the hood, Cryptomator’s graphical foundation has been updated to **JavaFX 24**. This not only brings greater stability but also improves compatibility with modern systems.

## What’s Fixed?

**WinFsp Update: Blue Screen on Windows Resolved**
One of the most important updates concerns the **WinFsp driver**, which Cryptomator uses to mount vaults. The update to the latest version fixes a critical bug that, in combination with certain Trend Micro security products, could cause a blue screen.

**Legacy Vaults Can Be Imported Again**
A pesky bug has been squashed: **Importing legacy vaults now works smoothly again**. So if you have older backups, you can now restore them without any issues in this version.

You can find all the other changes in the changelog on GitHub!

### And what about Windows ARM?

Unfortunately, the native ARM app for Windows must be postponed due to a bug in the JDK framework. We are working on a fix but cannot announce a release date yet.

## Update Now!

Cryptomator 1.17.0 is available as usual via our download page. We highly recommend updating. As always, we look forward to your feedback — whether on GitHub, Facebook, Instagram, Mastodon, or in our support forum.
cryptomator.org
July 1, 2025 at 9:07 AM
Summer Sale: 25% Off Cryptomator – All June Long!
Summer is just around the corner – and so is our **Summer Sale**! From **June 1 to 30**, you’ll get **25% off** all paid versions of Cryptomator as well as the **Supporter Certificate**.

☀️ Get Cryptomator now – for just €14.99*!

Cryptomator Hub is also **25% off for the first year** – ideal for organizations looking to make the most of their security budgets before mid-year.

### Summer = Budget Season?

For organizations and businesses, this is the perfect time to allocate remaining IT budgets before the mid-year deadline – and invest in **privacy that lasts**.

**Cryptomator Hub** is the ideal solution for teams, NGOs, research institutions, and businesses that want to store sensitive data **encrypted and centrally managed in the cloud**. Now **25% off for the first year** – and ready for immediate deployment.

### What Cryptomator Offers

* **End-to-end encryption** for cloud services like Dropbox, Google Drive, OneDrive, or iCloud
* **Open source** for full transparency
* **Cross-platform support**: Windows, macOS, Linux, iOS, and Android
* **No subscription, no hidden costs** – just one-time payment

### Cryptomator Hub – Built for Teams and Organizations

* **Centralized management of encrypted vaults** – simple, secure, and efficient
* **Role-based access control** tailored to your team’s structure
* **Zero-knowledge architecture** – only you have access to your data
* Perfect for NGOs, academic institutions, research environments, and companies

Want to use **Cryptomator Hub** in your organization? Contact us for more details or check out our pricing.

### Save Now – Until June 30!

Whether you’re an individual or an organization: If data privacy matters to you, this is your chance. **Get Cryptomator now for only €14.99** or start with **Cryptomator Hub – 25% off for the first year.**
cryptomator.org
June 13, 2025 at 9:07 AM
Why Strong Passwords Matter More Than Ever
**Passwords are the first line of defense for our digital identity – and yet, they’re often neglected.** From simple number sequences to reused logins: weak passwords remain one of the leading causes of data breaches. In an age of increasing cyberattacks and near-daily data leaks, it’s more important than ever to raise awareness for better password hygiene.

## The Reality: “123456” is Still a Classic

According to the NordPass 2024 password report, “123456” is once again the most commonly used password worldwide. In Germany, “admin” tops the list. Millions of people still rely on passwords that are easy to guess – with serious consequences.

Cybercriminals use automated tools to crack weak passwords in seconds. When a data breach occurs, these passwords are often tested across multiple platforms – a huge problem if you’ve reused them.

## “I have nothing to hide” – Really?

This belief is common, but dangerously misleading. Even if your data seems “unimportant” at first glance, attackers can abuse it to:

* Steal your identity
* Send emails in your name
* Access other linked accounts
* Extort or scam you or your contacts

It’s not just about private photos or chats – it’s about your entire digital identity and your trust in online services.

## Three Everyday Examples That Show How Quickly It Can Happen

1. **The compromised streaming account**
   Your streaming service password was leaked. Attackers use it to send phishing emails or test access to other services.
2. **The reused password**
   You use the same password for your personal email and your work account. If one gets hacked, both are compromised.
3. **Social engineering with weak passwords**
   An attacker guesses your password using public info (e.g., birthdate + pet’s name) and gains access to your cloud storage.

## When It Gets Expensive: Three Real-World Scenarios

1. **Hacked email leads to identity theft**
   An attacker gains access to your email via a weak password.
   * Resets your other account passwords
   * Uses your email for scams or phishing
   * Orders goods in your name

   **Outcome:** Financial loss, damage to reputation, tedious recovery process
2. **Online banking access through password recycling**
   A leaked password from a forum is reused for online banking. A bot tests major banking sites.
   **Outcome:** Drained account, legal issues, possible criminal report
3. **Ransomware in a company via weak admin password**
   A VPN login is compromised due to a weak password. Attackers install ransomware.
   **Outcome:** Business shutdown, ransom demand, data loss, GDPR breach

## Password Check: How Safe Are You?

Run a quick self-check:

* I use a unique password for each account
* My passwords are at least 12 characters long and include numbers & symbols
* I use a password manager
* I have activated two-factor authentication (2FA)
* I reviewed or changed my passwords in the last 12 months

**Tip:** Check if your data has been exposed in a breach: haveibeenpwned.com

## Tools Instead of Headaches: Use a Password Manager

Nobody can remember dozens of complex passwords – and they don’t have to. **Password managers** like Bitwarden, 1Password or KeePass help you generate, store and autofill strong passwords.

The biggest advantage: You only need to remember one master password – the app takes care of the rest.

## Extra Protection With Two-Factor Authentication

Even the strongest password could end up in a data leak. That’s why you should **always enable two-factor authentication (2FA)** wherever possible. In addition to your password, you’ll enter a code sent via app or SMS. This makes it much harder for attackers to access your accounts – even if they have your password.

## Conclusion: Password Security Isn’t a “Nice-to-Have”

The effort required for strong passwords is small – but the benefits are huge. By changing a few habits, you protect yourself from real threats and ensure long-term digital safety.

**Now is the best time to update weak passwords, start using a password manager, and enable 2FA.** _Your digital future will thank you._
cryptomator.org
May 10, 2025 at 10:01 AM
Cryptomator 1.16.0 is here - with practical new features!
The latest version of our desktop app has been released! **Cryptomator 1.16.0** introduces several exciting new features that make working with encrypted files even more convenient. This update focuses on new functions that provide greater transparency and control over your vaults – and even **biometric unlocking** on Mac!

### What’s New?

**EventView: Overview of Important Vault Events**

Want to know if any conflicts occurred when unlocking a vault or if corrupted files were detected? With the new **EventView**, you now get a clear overview of relevant events within an unlocked vault – such as conflict resolutions or notifications about corrupted files. This way, you always stay informed about what’s happening inside your vault.

**Decrypt File Names**

With the new **Decrypt File Name** feature, you can select encrypted files within a vault and retrieve their original, unencrypted filenames – without needing to open the file itself. A handy tool for anyone needing a quick overview!

**Touch ID Support for macOS**

Starting now, you can unlock your vaults on **Mac** easily with **Touch ID**! This makes using Cryptomator not only faster but also more convenient and secure – especially on devices with biometric authentication. Thanks to Ralph (purejava on GitHub) for the great support!

### Bugfixes

Of course, we also **fixed several bugs** – here’s a quick overview:

* The **main window** is now displayed correctly again on Windows.
* The **tray icon** now reliably adapts to the OS theme on Linux. Thanks again to Ralph for the help!
* The app now properly quits when the main window is closed (if no tray is active).
* **Supporter certificates** can now be properly removed again.
* In case of **filename conflicts**, the original suffixes provided by your cloud service are now largely preserved – instead of being replaced by a simple numbering system.

### Full Changelog on GitHub

In addition to the highlights mentioned above, there are also **several smaller improvements and updates** – such as enhancements to vault settings, better symbolic icon support on Linux, and translation updates. You can find the complete list of changes as always in the **Changelog** on GitHub.

**Thanks to all contributors** from the community – and **enjoy the new update**!
cryptomator.org
May 10, 2025 at 10:01 AM
Cryptomator Hub 1.4.0: More Trust, More Control, More Transparency
With the release of version 1.4.0, **Cryptomator Hub** receives a major feature upgrade that offers more control and transparency — while also improving the overall user experience. At the heart of this release are a new **Web of Trust**, finer-grained **permission management**, extended **audit logging**, and deeper **insights into user profiles**. Let’s take a closer look at what’s new!

## Web of Trust: Mutual Verification for Better Security

One of the highlights of this release is the new **Web of Trust (WoT)**. Users can now mutually verify each other’s identities by signing public keys. This creates a network of trust that protects against the injection of manipulated or forged public keys. This feature directly addresses so-called **“key injection” risks** and strengthens the protection of sensitive data across organizations.

The verification process is based on a simple but effective principle: **Only when a person’s public key is confirmed by trusted peers is their identity considered verified.** Admins can configure how many verifications are required.

## New Create-Vaults Role: Granular Permissions for Vault Creation

With the introduction of the new `create-vaults` role, admins now have full control over who is allowed to create new vaults within the organization. Previously, this permission was available to all users by default — now, admins can specify whether only certain teams, individuals, or everyone should have access to this feature.

Especially in large organizations, this is a key improvement for maintaining order and managing infrastructure growth in a more controlled way.

## Audit Log: Even More Precise Activity Tracking

Monitoring security-relevant actions is a key responsibility in IT operations. With version 1.4.0, the **audit log** becomes even more powerful:

* **Filter by event type:** You can now filter audit log entries by type — such as key changes, access attempts, or account activity — to quickly isolate relevant data during incidents.
* **New events:** Several new event types were added to better capture security-critical actions.
  * **Register Device** – A user registered a new device, e.g., Cryptomator app or browser session.
  * **Remove Device** – A user removed a device.
  * **Signed Identity** – A user signed another user’s identity.
  * **Account Key Changed** – A user regenerated their account key, which also affects user keys.
  * **Reset User Account** – A user reset their account.
  * **User Keys Change** – A user changed their keys, e.g., during initial setup or account key updates.
  * **Claim Vault Ownership** – A user claimed ownership of a vault that was created with a Hub version prior to 1.3.0 using the Vault Admin Password.
* **Retrieve Vault Key event enhanced:** This audit event now includes the **IP address and device ID** — making it easier to trace who unlocked a vault and from which device.

## More Transparency in User Profile

The user interface has also been updated to offer more transparency about devices and access patterns:

* **Legacy devices:** Users can now see if they’re still using devices linked to vaults created with older versions of the Hub. This helps with migrations to the current user-key-based encryption introduced in version 1.3.0.
* **Last IP and vault access timestamp:** The device overview now shows the **last known IP address** and the **most recent vault access timestamp** for each device — ideal for identifying suspicious activity.

## New Languages and Improved Usability

* **More language support:** Cryptomator Hub is now available in **Dutch, French, Italian, Korean, Portuguese, and Turkish** — making it even more accessible for international teams.
* **Language preference is preserved:** Your selected language setting is now saved in your user profile and no longer resets after logout.

## Provenance Attestation for Container Images

A frequently overlooked but critical area of security is the **authenticity of software containers**. Starting with version 1.4.0, we now publish **provenance attestations** for our container images. These attestations document the origin and integrity of our images and provide additional assurance for automated deployments and CI/CD pipelines.

## Full Changelog

All technical details, fixes, and improvements can be found in the release notes and the new CHANGELOG file.

## Closing Remarks

**Cryptomator Hub 1.4.0** is a release that builds trust — through greater visibility, more refined controls, and solid technical foundations. Whether it’s security management, role-based permissions, or user-facing transparency: This update lays the groundwork for even more robust data infrastructures in organizations that take encryption seriously.
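The audit events listed in the Hub 1.4.0 post above lend themselves to simple review rules. The following is an added example, not code from Cryptomator or Cryptomator Hub: it applies three triage heuristics to constructed records. The event type names are the ones in the post; the record layout (`ts`, `type`, `user`, `device`, `ip`, `vault`) and the 30-minute window are assumptions, not Hub's export format.

```python
from datetime import datetime, timedelta

# Constructed sample records. Event type names come from the post; the field
# names (ts, type, user, device, ip, vault) are assumptions, not Hub's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T08:00:00", "type": "Register Device", "user": "alice", "device": "dev-a1"},
    {"ts": "2025-04-01T08:05:00", "type": "Retrieve Vault Key", "user": "alice",
     "device": "dev-a1", "ip": "192.0.2.10", "vault": "finance"},
    {"ts": "2025-04-02T09:00:00", "type": "Retrieve Vault Key", "user": "alice",
     "device": "dev-a1", "ip": "192.0.2.10", "vault": "finance"},
    {"ts": "2025-04-02T23:00:00", "type": "Retrieve Vault Key", "user": "alice",
     "device": "dev-a1", "ip": "198.51.100.23", "vault": "finance"},
    {"ts": "2025-04-03T02:10:00", "type": "Reset User Account", "user": "alice"},
    {"ts": "2025-04-03T02:12:00", "type": "Register Device", "user": "alice", "device": "dev-x9"},
    {"ts": "2025-04-03T02:15:00", "type": "Retrieve Vault Key", "user": "alice",
     "device": "dev-x9", "ip": "203.0.113.77", "vault": "finance"},
    {"ts": "2025-04-04T10:00:00", "type": "Remove Device", "user": "bob", "device": "dev-b1"},
    {"ts": "2025-04-04T10:30:00", "type": "Retrieve Vault Key", "user": "bob",
     "device": "dev-b1", "ip": "198.51.100.5", "vault": "hr"},
]

WINDOW = timedelta(minutes=30)  # assumed review window, tune per organization
ACCOUNT_CHANGES = {"Reset User Account", "Account Key Changed"}


def triage(events, window=WINDOW):
    """Return (ts, user, device, reasons) for vault-key retrievals worth a review."""
    removed = set()        # (user, device) pairs seen in "Remove Device"
    seen_ips = {}          # (user, device) -> IPs of earlier key retrievals
    last_change = {}       # user -> time of last reset / account key change
    risky_devices = set()  # devices registered shortly after such a change
    findings = []
    # ISO 8601 timestamps in one timezone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, kind = ev["user"], ev["type"]
        key = (user, ev.get("device"))
        if kind in ACCOUNT_CHANGES:
            last_change[user] = ts
        elif kind == "Register Device":
            removed.discard(key)  # a re-registered device is valid again
            if user in last_change and ts - last_change[user] <= window:
                risky_devices.add(key)
        elif kind == "Remove Device":
            removed.add(key)
        elif kind == "Retrieve Vault Key":
            reasons = []
            if key in removed:
                reasons.append("removed-device")
            known = seen_ips.setdefault(key, set())
            if known and ev["ip"] not in known:
                reasons.append("new-ip")  # only fires once a baseline exists
            if key in risky_devices:
                reasons.append("device-added-after-account-change")
            known.add(ev["ip"])
            if reasons:
                findings.append((ev["ts"], user, ev["device"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, device, reasons in triage(SAMPLE_EVENTS):
        print(ts, user, device, ", ".join(reasons))
```

These rules produce leads for a human reviewer, not verdicts: a new IP is routine for mobile users, so the value lies in combining it with the device and account events.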
cryptomator.org
April 24, 2025 at 9:04 AM
Spring Sale: 25%* Off Cryptomator – Until World Backup Day!
Spring is here – and so is our Spring Sale! From March 20 to 31, get 25%* off all paid Cryptomator versions and the Supporter Certificate.

Get Cryptomator now – for only €14.99!*

Cryptomator Hub is also 25%* off for the first year! Contact us for more details or check out our pricing.

## Why Now Is the Best Time

March 31 is World Backup Day – the perfect opportunity to not only back up your data but also encrypt it! After all, a backup alone won’t protect you from unauthorized access. Only strong encryption truly safeguards your privacy. Take World Backup Day as an opportunity to level up your data security!

### Why Cryptomator?

* Simple end-to-end encryption for cloud services like Dropbox, Google Drive, OneDrive, and iCloud Drive.
* Open source for full transparency and security.
* Available on Windows, macOS, Linux, Android, and iOS.
* No subscription, no hidden costs – pay once, use forever!

### Why Cryptomator Hub?

* Centralized management of encrypted vaults for teams and organizations.
* Flexible access control – ideal for NGOs, research institutions, and companies.
* Zero-knowledge architecture – no one but you can access your encrypted data.

## Get It Now and Save!

The Spring Sale is the perfect opportunity to protect your cloud data – with a one-time purchase and no subscription model. Get Cryptomator for just €14.99* or enjoy 25%* off Cryptomator Hub for your team in the first year. But hurry – this offer is only valid until March 31!
cryptomator.org
March 30, 2025 at 3:53 PM
Cryptomator 2.7.0 for iOS: Now with SharePoint Integration!
We’re excited to announce a major update for the Cryptomator iOS app: **Cryptomator now supports SharePoint!** This means that businesses and organizations can now store their encrypted vaults directly in SharePoint. Additionally, **Microsoft Teams is also supported**, as files in Teams are stored in SharePoint by default. With this integration, users can now protect their team documents with **end-to-end encryption**.

## Why is this important?

Companies, universities, and NGOs increasingly rely on cloud services like Microsoft 365 for flexible and efficient collaboration. With SharePoint integration, users can ensure that **sensitive documents are not only stored in the cloud but also protected with zero-knowledge encryption**. Even Microsoft has no access to the unencrypted content.

## How the SharePoint Integration Works

Using Cryptomator with SharePoint is just as easy as with other cloud services:

* **Create a new vault or add an existing one**: Select SharePoint as the storage location in the Cryptomator iOS app.
* **Work securely with encrypted files in Microsoft 365**: Access your protected documents within SharePoint or Microsoft Teams.
* **Flexible access across all devices**: Your encrypted files are available on both desktop and mobile devices.

## Maximum Security for Microsoft 365 Users

The integration of SharePoint in Cryptomator 2.7.0 is a **major step forward for businesses that prioritize data protection and compliance**. With this solution, you can:

* Enhance the security of confidential data while continuing to benefit from Microsoft 365.
* Meet compliance requirements such as **GDPR** and **NIS-2** more easily.
* Maintain full control over your sensitive information, no matter where it is stored.

## Try It Now!

The **new 2.7.0 update is now available on the App Store**. Update your Cryptomator iOS app today and enjoy **secure SharePoint encryption in the cloud**!

Do you have any questions or feedback? We’d love to hear from our community!
cryptomator.org
March 30, 2025 at 3:53 PM
Apple Bows to Pressure: UK Government Forces End-to-End Encryption Removal for iCloud Service
In a world where digital communication and cloud services dominate our daily lives, protecting personal data is crucial. Many companies promise secure encryption, but recent events show that this protection is often insufficient or compromised by government mandates.

## Apple Complies with UK Government Demand

Apple has announced that it will no longer offer its “Advanced Data Protection” (ADP) service, which provides enhanced end-to-end encryption for iCloud data, in the United Kingdom. This decision follows an order from the UK government under the “Investigatory Powers Act” of 2016, which requires Apple to provide access to encrypted user data.

Rather than implementing a direct backdoor for the government, Apple has chosen to make ADP unavailable to UK users. This means that files stored in iCloud, iMessage chats, and photos will no longer be protected with the highest available encryption standard. Apple has justified this step as a necessary response to legal requirements—highlighting that even major tech corporations cannot escape regulatory pressure.

In an official statement, Apple reiterated that the company has “never created a backdoor or a master key to any of our products or services […].” Similar measures are not planned for the future. Furthermore, Apple emphasized that it is “more urgent than ever” to secure cloud files with end-to-end encryption. The company hopes to reintroduce the feature in the UK in the future.

Existing users in the UK must now disable end-to-end encryption, while new users will no longer be able to enable the feature. Apple itself cannot deactivate the encryption, as doing so would contradict the principles of end-to-end security. However, certain cloud services such as passwords, health data, and payment information will remain end-to-end encrypted.

This development sends a strong signal: Those who want to keep their data truly private should not rely solely on cloud providers’ promises but instead take independent action.

## Why You Should Take Data Encryption Into Your Own Hands

The Apple case demonstrates that even well-intentioned security measures can be quickly undermined. The implications of such government demands are far-reaching:

* **Provider Access to Data:** Apple may be forced to make further concessions regarding data security in the future.
* **Apple Sets a Precedent:** The UK may be a single case for now, but other governments could follow suit with similar demands.
* **Data Breaches and Hacks:** Even if a provider does not introduce intentional backdoors, new infrastructure requirements can create unintended vulnerabilities.

To mitigate these risks, users should take responsibility for encrypting their data before uploading it to the cloud.

### Practical Steps for Your Own Encryption

* **Encrypt Data Before Uploading:** Tools like Cryptomator consistently use end-to-end encryption, securing your files locally before they are uploaded to the cloud. This ensures that you retain control over your data—even if your cloud provider no longer offers end-to-end encryption, as is now the case with iCloud in the UK.
* **Use Trusted Open-Source Software:** Open-source programs like Cryptomator allow independent security audits and offer transparency that proprietary software often lacks.
* **Regular Updates and Security Checks:** Keep your software up to date and conduct regular backups to prevent security vulnerabilities.

## The Political Dimension: Data Privacy Under Siege

The UK government’s demands on Apple are not an isolated case. Governments worldwide are attempting to weaken encrypted communication:

* **The EU and Client-Side Scanning:** The European Commission is discussing “client-side scanning” (CSS), where content is analyzed on user devices before being encrypted. This could pave the way for widespread surveillance.
* **The US and the FBI:** In the United States, the FBI has long pushed for access to encrypted devices and cloud services. Such “backdoors” could be exploited not only by authorities but also by cybercriminals and authoritarian regimes. Recent reports indicate that the FBI has intensified its warnings about security vulnerabilities in iPhones and Android devices, emphasizing the need for greater control over encryption to combat emerging cyber threats.
* **Australia and the Decryption Law:** Australia’s “Telecommunications and Other Legislation Amendment (Assistance and Access) Act” requires companies to provide technical solutions for decryption upon government request. This law could set a global precedent for weakened security standards.

## Conclusion: Personal Responsibility is the Best Protection

These recent developments make it clear that users should not blindly trust cloud providers’ security promises. Taking responsibility for your own encryption is the only way to ensure that private data remains truly private. With the right tools and methods, anyone can effectively protect their data from unauthorized access—and reclaim a piece of digital sovereignty.
cryptomator.org
March 7, 2025 at 9:27 AM