If you sync files on your PC to cloud storage, you're probably aware of the privacy risks involved. Services like Google Drive and OneDrive have access to everything you upload unless you encrypt it first. That's where an encryption tool like Cryptomator comes in. It's a free, open-source tool that creates encrypted vaults on your PC before anything gets synced.
I trust Cryptomator over other tools
It's zero-knowledge and open-source
Cryptomator creates encrypted vaults on your PC that work like regular folders. When you drop a file into a vault, it gets encrypted immediately using AES-256 encryption. The encrypted version then syncs to your cloud storage, whether that's Google Drive, OneDrive, Dropbox, or any other service you use.
The key difference here is zero-knowledge encryption. Cryptomator doesn't store your password anywhere, and it never touches a server. Everything happens locally on your device. If someone breaches your cloud account, all they'll find is encrypted gibberish they can't decrypt without your vault password.
Being open-source adds another layer of trust. The code is publicly available on GitHub, which means security researchers and developers worldwide can audit it for vulnerabilities. There's no hidden backdoor and no telemetry that sends your data somewhere. Unlike end-to-end encrypted cloud services that force you to abandon your current setup, Cryptomator works alongside whatever you're already using. You don't need to migrate files or learn a new sync client. Your existing cloud service handles the syncing and Cryptomator handles only the encryption.
What makes it handy for cloud sync is file-based encryption rather than container-based. Each file in your vault gets encrypted individually. When you modify a document, only that single encrypted file needs to re-sync—not an entire multi-gigabyte container. This keeps sync times fast and bandwidth usage reasonable, even with large vaults.
Here's my complete workflow for setting it up on Windows 11
Use the vault like a normal hard drive
The setup process takes about five minutes from start to finish. Download Cryptomator from the official website and run the installer. It's a standard Windows installation. Once installed, launch Cryptomator and you'll see an empty vault list. Click the plus icon to create your first vault. You'll need to choose two things: a name for the vault and where to store it.
Here's the important part. Place your vault inside your cloud sync folder. If you use OneDrive, create the vault somewhere like C:\Users\YourName\OneDrive\Encrypted. For Google Drive, put the vault in your Google Drive folder. This ensures the encrypted files sync automatically without any extra configuration.
After choosing the location, Cryptomator will prompt you to create a password. This is the only key to your encrypted data, so make it strong and store it in your favorite password manager. If you lose your password, the recovery key file can help you regain access, but if you lose both, your files are gone for good.
Save the recovery key file somewhere separate from your vault, like a USB drive or a different cloud account. It's your backup if you ever forget the password.
Once the vault is created, you'll see it listed in the main Cryptomator window. Click Unlock and enter your password. Cryptomator will mount the vault as a virtual drive—it shows up in File Explorer just like a USB drive would, typically with a drive letter like Z:. Now you can use this mounted drive like any normal folder. Drag files into it, create subfolders, save documents directly to it from any application. Everything you put in gets encrypted on the fly. When you're done, click Lock in the Cryptomator window to unmount the drive.
The encrypted files live in your cloud sync folder, but they're unreadable without unlocking the vault first. When you modify a file in the unlocked vault, Cryptomator encrypts the changes and your cloud service syncs the updated encrypted file automatically.
If you want the vault to unlock automatically when you log in to Windows, right-click the vault in Cryptomator and enable Auto-unlock. You can also set it to lock automatically after a period of inactivity, which is useful if you step away from your PC often.
If you work with the same vault frequently, enable the option to show the vault in File Explorer's navigation pane. This makes it easier to access without opening Cryptomator every time.
It's not a perfect solution, but these trade-offs are small
It doesn't hide your activity
Cryptomator isn't without its limitations, but none of them have been deal-breakers for me. The biggest one is the mobile apps are not free. If you want to unlock your vaults on Android or iOS, you'll need to pay a one-time fee for each platform. However, you can use the read-only mode for free on iOS.
That said, the desktop apps for Windows, macOS, and Linux are completely free with no restrictions. If you primarily work on your PC and only occasionally need mobile access, the cost might be worth it. If not, you can still access your cloud files through the standard mobile apps—they just won't be decrypted.
Another thing to understand is that Cryptomator encrypts your files, but it doesn't hide your activity from your cloud provider. They can still see how many files you have, their encrypted file sizes, when you upload or modify them, and how often you access your account. The file and folder names get encrypted too, but the structure remains visible. Your cloud service knows there's a folder with 50 files inside, just not what those files are called or what they contain. If that level of metadata visibility concerns you, Cryptomator alone won't solve it.
Performance can take a minor hit with very large files. Since encryption happens in real time, working with multi-gigabyte video files directly in the vault might feel slightly slower than working with them unencrypted. For documents, spreadsheets, and most everyday files, the difference is negligible.
You also need to remember to unlock the vault before accessing your files, which adds one extra step to your workflow. It's not complicated, but it's easy to forget if you're rushing. Auto-unlock helps, but that reduces security if someone gains physical access to your unlocked PC.
Despite these trade-offs, the privacy benefits outweigh the inconveniences. You get strong encryption without changing your cloud service, paying a subscription, or dealing with complicated key management. For free, open-source software, that's a solid offering.
Start with your most sensitive files
You don't need to encrypt everything at once
If the idea of encrypting your entire cloud storage feels overwhelming, start small. Create one vault specifically for tax documents, medical records, or financial statements; the files you would panic about if they leaked. Once you're comfortable with the workflow, you can add more vaults for different purposes.
Multiple vaults make sense if you share cloud folders with other people. You can keep a personal vault locked down while leaving shared project folders unencrypted. Cryptomator also works well alongside other privacy tools. Pair it with a password manager that syncs its encrypted database through your vault for an extra layer of protection.