### Example: Setting Cryptomator Plugin Directory Source: https://docs.cryptomator.org/desktop/admin-config This example demonstrates how to set the `cryptomator.pluginDir` property to allow loading of external plugins. The user home directory is represented by `@{userhome}`. ```properties cryptomator.pluginDir=@{userhome}/cryptomator/plugins ``` -------------------------------- ### Example `codesign` Output on macOS Source: https://docs.cryptomator.org/security/verify-installers This is an example of the expected output when verifying a properly signed Cryptomator application using the `codesign` command on macOS. ```text Executable=/Applications/Cryptomator.app/Contents/MacOS/Cryptomator Identifier=org.cryptomator ... TeamIdentifier=YZQJQUHA3L ``` -------------------------------- ### Technical Example: Cleartext Directory Structure Source: https://docs.cryptomator.org/desktop/encrypted-file-names Illustrates a typical directory structure within an unlocked Cryptomator vault before encryption. ```text . ├─ myProject.pptx ├─ Images for Project │ └─ ImageOfBees.jpg └─ ... ``` -------------------------------- ### Verify GPG Signature of Installer Source: https://docs.cryptomator.org/security/verify-installers Execute this command to verify the authenticity and integrity of a downloaded Cryptomator installer using its associated .asc signature file. Replace with the actual filename. ```bash gpg --verify .asc ``` -------------------------------- ### Technical Example: Encrypted Directory Structure Source: https://docs.cryptomator.org/desktop/encrypted-file-names Shows the obfuscated and encrypted directory structure on the hard drive/cloud storage as a result of Cryptomator's encryption. ```text . ├─ d │ ├─ BZ │ │ └─ R4VZSS5PEF7TU3PMFIMON5GJRNBDWA │ │ ├─ dirId.c9r # internal vault file │ │ ├─ 5TyvCyF255sRtfrIv**83ucADQ==.c9r # myProject.pptx │ │ └─ FHTa55bH*sUfVDbEb0gTL9hZ8nho.c9r # Linking entry for directory "Images for Project" │ │ └─ dir.c9r # contains information for the link │ └─ FC │ └─ ZKZRLZUODUUYTYA4457CSBPZXB5A77 # content of the directory "Images for Project" │ └─ 4lmrQYfE_5ETusEkVJlTJrcFzjwxNBymig==.c9r # ImageOfBees.jpg ├─ masterkey.cryptomator ├─ masterkey.cryptomator.DFD9B248.bkup └─ vault.cryptomator ``` -------------------------------- ### Install FUSE-T using Homebrew Source: https://docs.cryptomator.org/desktop/volume-type Installs FUSE-T, a user-space FUSE implementation for macOS, using Homebrew. This is an experimental alternative to macFUSE. ```bash brew tap macos-fuse-t/homebrew-cask brew install fuse-t ``` -------------------------------- ### Vault Structure Example (Format 7) Source: https://docs.cryptomator.org/misc/vault-format-history Illustrates the directory and file structure for a Cryptomator vault using Format 7, highlighting encrypted files, directories, symlinks, and shortened filenames. ```plaintext . ├─ d │ ├─ BZ │ │ └─ R4VZSS5PEF7TU3PMFIMON5GJRNBDWA │ │ ├─ 5TyvCyF255sRtfrIv__83ucADQ==.c9r # regular file │ │ ├─ FHTa55bH_sUfVDbEb0gTL9hZ8nho.c9r # irregular file... │ │ │ └─ dir.c9r # ...which is a directory │ │ ├─ gLeOGMCN358_UBf2Qk9cWCQl.c9r # irregular file... │ │ │ └─ symlink.c9r # ...which is a symlink │ │ ├─ IjTsXtReTy6bAAuxzLPV9T0k2vg=.c9s # shortened name... │ │ │ ├─ contents.c9r # ...which is a regular file │ │ │ └─ name.c9s # ...mapping to this full name │ │ ├─ q2nx5XeNCenHyQvkFD4mxYNrWpQ=.c9s # shortened name... │ │ │ ├─ dir.c9r # ...which is a directory │ │ │ └─ name.c9s # ...mapping to this full name │ │ ├─ u_JJCJE-T4IH-EBYASUp1u3p7mA=.c9s # shortened name... │ │ │ ├─ name.c9s # ...mapping to this full name │ │ │ └─ symlink.c9r # ...which is a symlink │ │ └─ ... │ └─ FC │ └─ ZKZRLZUODUUYTYA4457CSBPZXB5A77 │ └─ ... ├─ masterkey.cryptomator └─ masterkey.cryptomator.DFD9B248.bkup ``` -------------------------------- ### Verify Authenticode Signature (MSI) Source: https://docs.cryptomator.org/security/verify-installers Use this PowerShell command to verify the Authenticode signature of a Cryptomator MSI installer file. Ensure the file path is correct. ```powershell Get-AuthenticodeSignature -FilePath "~\Downloads\Cryptomator-*.msi" ``` -------------------------------- ### Verify Authenticode Signature (EXE) Source: https://docs.cryptomator.org/security/verify-installers Use this PowerShell command to verify the Authenticode signature of a Cryptomator EXE installer file. Ensure the file path is correct. ```powershell Get-AuthenticodeSignature -FilePath "~\Downloads\Cryptomator-*.exe" ``` -------------------------------- ### Vault Structure Example (Format 4) Source: https://docs.cryptomator.org/misc/vault-format-history Illustrates the directory and file naming conventions used in Cryptomator's vault format version 4, where directories are prefixed with '0' instead of a '_' suffix. ```plaintext . ├─ d │ ├─ BZ │ │ └─ R4VZSS5PEF7TU3PMFIMON5GJRNBDWA │ │ ├─ 0USJ7VD36K7YU2RARYJMEFTABZOGN6LUH63VRH5MADVOZ433VZ7EPSM2PLJPHTBL6 │ │ ├─ 0YWVRCCROEC3ZECD2UTJR7BGYERU3LG6R7QODBGMZ7EQ3BXGY24====== │ │ ├─ ... │ │ ├─ YWBBP7RC6FFX6ZN4YBLN4WXD6IIBTMKXHFFDQEZNYTQLNZWOGDT22EY= │ │ └─ ZTNHMICOWU6ZSNIR72ESLQSGDMLQYQ42XEKGOWSYYX5II=== │ └─ FC │ └─ ZKZRLZUODUUYTYA4457CSBPZXB5A77 │ └─ ... ├─ m │ └─ ... ├─ masterkey.cryptomator └─ masterkey.cryptomator.bkup ``` -------------------------------- ### Masterkey File Structure Example Source: https://docs.cryptomator.org/security/architecture Defines the JSON structure of the `masterkey.cryptomator` file, which stores encrypted master keys and parameters for KEK derivation. This file is located in the vault's root directory. ```json { "version": 999, /* deprecated, vault format is now specified in the vault configuration */ "scryptSalt": "QGk...jY=", "scryptCostParam": 32768, "scryptBlockSize": 8, "primaryMasterKey": "QDi...Q==", /* wrappedEncryptionMasterKey */ "hmacMasterKey": "L83...Q==", /* wrappedMacMasterKey */ "versionMac": "3/U...9Q=" /* HMAC-256 of vault version to prevent undetected downgrade attacks */ } ``` -------------------------------- ### Vault Format 3 Directory Structure Source: https://docs.cryptomator.org/misc/vault-format-history This example illustrates the typical directory structure of a Cryptomator vault using format 3, introduced in version 1.0.0. It shows the organization of encrypted data and master key files. ```tree . ├─ d │ ├─ BZ │ │ └─ R4VZSS5PEF7TU3PMFIMON5GJRNBDWA │ │ ├─ USJ7VD36K7YU2RARYJMEFTABZOGN6LUH63VRH5MADVOZ433VZ7EPSM2PLJPHTBL6_ │ │ ├─ YWBBP7RC6FFX6ZN4YBLN4WXD6IIBTMKXHFFDQEZNYTQLNZWOGDT22EY= │ │ ├─ ... │ │ ├─ YWVRCCROEC3ZECD2UTJR7BGYERU3LG6R7QODBGMZ7EQ3BXGY24======_ │ │ └─ ZTNHMICOWU6ZSNIR72ESLQSGDMLQYQ42XEKGOWSYYX5II=== │ └─ FC │ └─ ZKZRLZUODUUYTYA4457CSBPZXB5A77 │ └─ ... ├─ m │ └─ ... ├─ masterkey.cryptomator └─ masterkey.cryptomator.bkup ``` -------------------------------- ### Get Windows Domain and Username Source: https://docs.cryptomator.org/desktop/common-errors Run this PowerShell command to retrieve your current Windows domain and username, formatted as DOMAIN+USERNAME. This is required for configuring custom mount options for WinFsp volumes. ```powershell $env:USERDOMAIN+$env:USERNAME".ToUpper() ``` -------------------------------- ### Cryptomator Hub JWE Header Example Source: https://docs.cryptomator.org/security/architecture Illustrates the structure of the header within a JSON Web Encryption (JWE) object used by Cryptomator Hub for key exchange. This header specifies the encryption algorithm and parameters. ```json { "alg": "ECDH-ES", "enc": "A256GCM", "epk": { "crv": "P-384", "kty": "EC", "x": "p1J...g", "y": "8Il...H" } "apu": "", "apv": "" } ``` -------------------------------- ### Encoded Vault Configuration JWT Source: https://docs.cryptomator.org/security/architecture An example of an encoded vault configuration file for a Cryptomator vault. This JWT contains essential vault information and key specifications. ```plaintext eyJraWQiOiJtYXN0ZXJrZXlmaWxlOm1hc3RlcmtleS5jcnlwdG9tYXRvciIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJmb3JtYXQiOjgsInNob3J0ZW5pbmdUaHJlc2hvbGQiOjIyMCwianRpIjoiY2U5NzZmN2EtN2I5Mi00Y2MwLWI0YzEtYzc0YTZhYTE3Y2Y1IiwiY2lwaGVyQ29tYm8iOiJTSVZfQ1RSTUFDIn0.IJlu4dHb3fqB2fAk9lf8G8zyEXc7OLB-5m9aNxOEXIQ ``` -------------------------------- ### Get Device JWE Source: https://docs.cryptomator.org/security/hub Retrieves the device-specific JWE which contains the User Private Key encrypted with the Device Public Key. This is the second step in the unlock flow. ```APIDOC ## GET /api/devices/{deviceId} ### Description Retrieves the device-specific JWE containing the User Private Key encrypted with the Device Public Key. ### Method GET ### Endpoint /api/devices/{deviceId} ### Parameters #### Path Parameters - **deviceId** (string) - Required - The ID of the device. ### Response #### Success Response (200) - **JWE** (string) - The User Private Key encrypted with the Device Public Key. #### Error Responses - **404 Not Found**: Device needs to be set up. ``` -------------------------------- ### Backup Postgres Database with Kubernetes Source: https://docs.cryptomator.org/hub/deployment Execute this command in a Kubernetes environment to perform a pg_dumpall operation on the Postgres deployment, saving the backup to a file on the host system. The filename incorporates the current date. ```bash kubectl exec -it deployments/postgres -n NAMESPACE \ -- /usr/local/bin/pg_dumpall -U postgres > "$(date +%F)-hub-backup" ``` -------------------------------- ### Legacy Get Vault Keys Source: https://docs.cryptomator.org/security/hub An older API endpoint for compatibility reasons, used for retrieving vault keys for existing data. New devices should use the new workflow. ```APIDOC ## GET /api/vaults/{vaultId}/keys/{deviceId} ### Description Legacy endpoint for retrieving vault keys for existing data. This endpoint is for compatibility and may not work for newly registered devices. ### Method GET ### Endpoint /api/vaults/{vaultId}/keys/{deviceId} ### Parameters #### Path Parameters - **vaultId** (string) - Required - The ID of the vault. - **deviceId** (string) - Required - The ID of the device. ``` -------------------------------- ### Backup Postgres Database with Docker Source: https://docs.cryptomator.org/hub/deployment Use this command within a Docker environment to execute pg_dumpall on the Postgres container and save the backup to a file on the host system. The filename includes the current date. ```bash docker exec -u postgres -it postgres /bin/bash -c /usr/local/bin/pg_dumpall \ > "$(date +%F)-hub-backup" ``` -------------------------------- ### Get Vault Access Token Source: https://docs.cryptomator.org/security/hub Retrieves the vault access token, which contains the vault's master key encrypted with the User Public Key. This is the first step in the unlock flow. ```APIDOC ## GET /api/vaults/{vaultId}/access-token ### Description Retrieves the vault access token, which contains the vault's master key encrypted with the User Public Key. ### Method GET ### Endpoint /api/vaults/{vaultId}/access-token ### Parameters #### Path Parameters - **vaultId** (string) - Required - The ID of the vault. ### Response #### Success Response (200) - **JWE** (string) - The vault's raw masterkey encrypted with the User Public Key. #### Error Responses - **402 Payment Required**: License needs upgrade. - **403 Forbidden**: User lacks permission to access the vault. - **410 Gone**: Vault has been archived. - **449 Retry With**: User account exists but hasn't been properly initialized (missing key pair). ``` -------------------------------- ### File Header Encryption Logic Source: https://docs.cryptomator.org/security/vault Illustrates the creation of a file header nonce, content key, and the AES-GCM encryption of the payload using the master key. This process secures metadata essential for file content encryption. ```go headerNonce := createRandomBytes(12) contentKey := createRandomBytes(32) cleartextPayload := 0xFFFFFFFFFFFFFFFF . contentKey ciphertextPayload, tag := aesGcm(cleartextPayload, encryptionMasterKey, headerNonce) ``` -------------------------------- ### File Content Encryption Logic Source: https://docs.cryptomator.org/security/vault Demonstrates the chunking of file content and the AES-GCM encryption of each chunk using a unique nonce, the file content key, and authenticated data including the chunk number and file header nonce. This ensures integrity and confidentiality of file data. ```go cleartextChunks[] := split(cleartext, 32KiB) for (int i = 0; i < length(cleartextChunks); i++) { chunkNonce := createRandomBytes(12) aad := bigEndian(i) . headerNonce ciphertextPayload, tag := aesGcm(cleartextChunks[i], contentKey, chunkNonce, aad) ciphertextChunks[i] := chunkNonce . ciphertextPayload . tag } ciphertextFileContent := join(ciphertextChunks[]) ``` -------------------------------- ### Verify GPG Key Fingerprint Source: https://docs.cryptomator.org/security/verify-installers Use this command to check if you have loaded the correct GPG key for Cryptomator. If not, you can download it from a keyserver or Cryptobot. ```bash gpg --list-keys --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235 ``` ```bash gpg --keyserver keys.gnupg.net --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235 ``` ```bash curl -sSL https://github.com/cryptobot.gpg | gpg --import - ``` -------------------------------- ### Cryptomator Hub JWE Payload Example Source: https://docs.cryptomator.org/security/architecture Shows the decrypted payload of a JWE token from Cryptomator Hub, which contains the raw master key necessary to unlock a vault. This key is protected by user's static private key. ```json { "key": "H7u...o==" /* 512 bit raw masterkey */ } ``` -------------------------------- ### Configure HTTP Proxy Host in Cryptomator Source: https://docs.cryptomator.org/desktop/network Set the HTTP proxy host by adding or modifying the 'java-options=-Dhttp.proxyHost=[1]' line in Cryptomator.cfg, replacing [1] with the proxy server's host address. ```plaintext java-options=-Dhttp.proxyHost=[1] ```