Cryptomator

Cryptomator solves the cloud-storage privacy problem without asking you to leave the cloud: it transparently encrypts your files on your own device before they ever sync to Dropbox, Google Drive, OneDrive, or any folder, so the provider stores only ciphertext and you keep the keys.

Background Open-source and developed by Skymatic (Germany), Cryptomator creates encrypted "vaults" — virtual drives that look like normal folders to you but are individually encrypted on disk. The desktop apps (Windows/macOS/Linux) are free and FOSS; the mobile apps are a modest one-time purchase. It has undergone independent security audits.

What you trust You trust open, auditable code and a zero-knowledge design: there are no accounts, no Cryptomator servers, and no telemetry — encryption happens entirely client-side with a password only you hold. File contents *and* filenames are encrypted, and each file is encrypted independently so cloud sync stays efficient.

Operational specs AES-256 encryption with scrypt-hardened password derivation. Per-file encryption means changing one document re-uploads only that file, not the whole vault. Works transparently over any sync client or local/network drive. Cross-platform with the same vault format everywhere. No proprietary lock-in — vaults are just encrypted files you can move freely.

Philosophy Cryptomator's stance is that you shouldn't have to choose between the convenience of mainstream cloud storage and confidentiality. By inserting a transparent encryption layer you control, it neutralizes provider access, lawful-access requests to the provider, and breaches — the cloud holds only opaque blobs.

Grade rationale Grade A. Open-source, audited, zero-knowledge, cross-platform, and provider-agnostic — it's the standard answer for client-side cloud encryption. Graded best-in-class for its role; it complements rather than replaces full-disk or end-to-end-encrypted storage services.

Useful when You use mainstream cloud storage but want the provider blind to your files; you need to encrypt a synced folder, USB drive, or backup; you want filenames hidden too; you value open-source you can audit and no account.

Caveats It protects data at rest in the cloud, not your endpoint — a compromised device with an unlocked vault is exposed. There's no password recovery: forget the vault password and the data is gone by design. Mobile apps are paid. It encrypts files, not the *fact* that you use cloud storage — metadata like vault size and sync timing remains visible to the provider.