Besides the joy of tinkering with containers and VMs, removing paid tools was the major reason why I started my expedition into the self-hosting ecosystem. But as I started looking into more FOSS utilities, I began to realize the privacy implications of relying on cloud-based services. As much as I’d like to replace cloud platforms with open-source alternatives running on Network-Attached Storage systems and home server rigs, there are times when I have to rely on Google Drive, Dropbox, and a bunch of other storage platforms.
As a stickler for privacy, I realized that I could just encrypt my files client-side before uploading them to a random company’s servers. Although there are a couple of tools that can render my files inaccessible to everyone besides myself, Cryptomator is by far the most accessible encryption app for my cloud storage needs.
Cloud platforms aren't ideal from a privacy standpoint
You’ve also got leaked credentials to worry about
While we’re on the subject of maintaining data privacy, most cloud platforms already use encryption to ensure unauthorized users can’t access your files. In fact, Google Drive and its rivals encrypt this data during transit and while it’s stored in the company’s servers, which is a great way to keep hackers at bay – for the most part (and I’ll get back to this in a bit).
The caveat? Since the cloud provider in question holds the decryption keys to my data, they can access it whenever they desire. Now, most companies have extensive service agreements about respecting user privacy. But considering that they retain full access to my files, cloud servers aren’t ideal for housing personal data that I wouldn’t want to share with others. Plus, I’ve been exposed to the Internet long enough to realize that storing anything even remotely sensitive on external servers is a terrible idea.
As if that’s not enough, it’s not entirely impossible for hackers to make their way into my cloud server. For example, if someone were to gain access to my credentials, it wouldn’t take too long before they manage to log into my account. And with all the credential database breaches affecting most platforms, I’d rather have some countermeasures to prevent unauthorized users (and even the underlying server) from gaining access to personal files.
Cryptomator makes your files unrecognizable to external agents
It also pairs well with most cloud storage platforms
The easiest way to render my files inaccessible to anyone besides myself is to encrypt them on my client devices before I upload them to the server. That way, I’d be the only one possessing the decryption key, and neither malware nor a cloud platform would be able to read the files. Since the password for accessing the files lies on my locally-hosted Vaultwarden instance, the chances of some random hacker both gaining access to the cloud credentials and infecting my (fairly hardened) server are pretty low.
Another perk of Cryptomator is that it can sync files with any cloud platform that stores data on my local devices. So, I can just install Google Drive, Dropbox, iCloud, OneDrive, or any other cloud app on my system, use its directory as the location for my Cryptomator vault, and the app will automatically sync files with the cloud’s servers. This way, I won’t have to manually encrypt the files and add them to the cloud every time I modify their contents.
Cryptomator is just as easy to configure, too
Encryption services are infamous for their complex UI and difficult-to-understand terminology, though Cryptomator is an exception. Even if you’re not a home labber or a self-hosting enthusiast, deploying it is a cakewalk. On Windows, you can just install the app from Cryptomator’s GitHub link. As for configuring it, all you have to do is create a vault for all the files you want to encrypt. I recommend enabling the passphrase toggle when you’re setting a password for your vault. That way, you’ll still have a means of recovering your files if you forget your password.
Cryptomator automatically selects the directory for certain clouds like Dropbox, though you’ll have to select the custom location option and browse to the folder associated with Google Drive, iCloud, and other platforms. And that’s pretty much it. Once you’ve created the vault, you can unlock it with the password and use the Reveal Drive button to access the files. Do remember that these files will show up with gibberish names on the cloud, though you can use your password to access the encrypted files on client apps like Cyberduck and Mountain Duck.
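Because the vault lives inside the cloud client's sync folder, anything saved there directly instead of through the unlocked drive is uploaded unencrypted. The script below is an added example, not part of the original article or of Cryptomator itself; it walks a vault folder and lists files that do not look like vault data. The file names and extensions it treats as vault data are an assumption about the current Cryptomator vault layout, and the sample folder is constructed.

```python
import os
import tempfile

# Assumption (not from the article): names a current-format Cryptomator vault
# keeps at its root, and the extensions used under its "d" data directory.
ROOT_FILES = {"vault.cryptomator", "masterkey.cryptomator", "IMPORTANT.rtf"}
CIPHER_EXTS = (".c9r", ".c9s")


def find_plaintext(vault_dir):
    """Return sorted relative paths of files that do not look like vault data."""
    leaks = []
    for base, _dirs, files in os.walk(vault_dir):
        rel_base = os.path.relpath(base, vault_dir)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_base, name))
            parts = rel.split(os.sep)
            # Encrypted content lives below the top-level "d" directory.
            if parts[0] == "d" and len(parts) > 1 and name.endswith(CIPHER_EXTS):
                continue
            # Vault metadata and its backups sit directly in the vault root.
            if len(parts) == 1 and (name in ROOT_FILES or name.endswith(".bkup")):
                continue
            # Anything else (including the sync client's own files) is reported.
            leaks.append(rel)
    return sorted(leaks)


def build_sample(root):
    """Constructed sample: a minimal vault layout plus two stray plaintext files."""
    for rel in ("vault.cryptomator", "masterkey.cryptomator",
                "d/AB/CDEFGH/x1y2.c9r", "d/AB/CDEFGH/sub.c9r/dir.c9r",
                "taxes-2024.pdf", "d/AB/CDEFGH/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for leak in find_plaintext(tmp):
            print("not vault data:", leak)
```

To check a real vault, call `find_plaintext` with the vault folder inside your Google Drive, Dropbox, or other sync directory.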
