
Encrypt your Cloud Storage

Want to encrypt your Dropbox, Google Drive, OneDrive, or other cloud storage? Here's how to choose the right tool.

Encrypting your cloud storage

Disclaimer: This article is written by the developers of CryFS. We (think we) kept it objective and linked to sources for all information presented.

Cloud storage is incredibly convenient—access your files from anywhere, automatic backups, seamless sharing. But convenience comes with risks. Data breaches happen regularly, and you don't want your private photos, documents, or financial records exposed. Even if you trust your cloud provider's security against external hackers, their employees can still access your files, and their systems may analyze your data for advertising or AI training purposes. You also don't want attackers to be able to silently modify your files without you noticing.

All these risks can be avoided when you encrypt your files before uploading them. You could add important files to a zip archive and set a password for example. However, that is complicated and you would have to zip/unzip the archive each time you want to access your files.

Better solutions use the concept of a virtual filesystem. You enter your password (called mounting the filesystem) and get a directory where you can work with your files normally. Behind the scenes, everything is encrypted—only the encrypted data is stored and synchronized to the cloud. This happens transparently, so you get strong security without changing how you work.

In the following, we describe the available tools and explain how they can be used with cloud storage. If you're just interested in the results, scroll down to the Summary.

Quick Overview

Tool | Verdict | Description
CryFS | Recommended | Most secure option with full metadata encryption; ideal for single-user cloud storage
Cryptomator | Good choice | User-friendly with strong file encryption; exposes file sizes
gocryptfs | Good choice | Fast and audited; doesn't hide metadata or directory structure
VeraCrypt | Local only | Excellent for local disk encryption; not designed for cloud sync
EncFS | Not recommended | Known security vulnerabilities; no longer maintained
eCryptfs | Not recommended | Not designed for cloud storage; may cause sync issues

Proprietary Solutions

There are proprietary solutions on the market, but that means you don't know what the software is doing. Nobody can check it for vulnerabilities or backdoors. It might be secure, or it might just as well not be. The developers might have been approached by government organizations and have been forced to put backdoors into the software. Or maybe hackers found a way to smuggle bad code into the software and nobody noticed.

A recent example illustrates another risk of proprietary solutions: Boxcryptor, once a popular cloud encryption tool, was acquired by Dropbox in late 2022 and abruptly discontinued. Users had to scramble to decrypt their files and find alternatives. With open-source tools, even if the original developers abandon the project, the community can continue maintaining it or users can at least always access their data.

In short: It's a bad idea to use proprietary cryptography software. For open source cryptography software, the source code is open. Everyone can see and check it. Vulnerabilities can be found and fixed, backdoors can be noticed. This is why we only describe open source solutions here.

VeraCrypt


VeraCrypt is an open-source disk encryption tool that runs on Windows, Linux, and Mac. It is an unofficial successor to TrueCrypt, which was discontinued in 2014 and has known vulnerabilities.

VeraCrypt is believed to be a secure tool for encrypting your files locally. It keeps your files confidential but does not protect their integrity, i.e. a hacker can't read your files, but they could modify them without you noticing. Like all solutions presented here, it offers you a virtual filesystem, and the unencrypted files are never actually stored on your hard disk. VeraCrypt stores all filesystem data in one encrypted container file. If you want to use it to encrypt your Dropbox, you could put the encrypted container file in your Dropbox folder and it would get automatically synchronized to all devices connected to your Dropbox. If these devices are also running VeraCrypt, they will (after you enter your password) also offer you a directory where you can work on your files.

This is very convenient to use and it is secure. However, there is a problem with it. VeraCrypt is not designed to be used in the cloud, and a container file can get very large. In fact, you have to choose a maximum size for your filesystem in advance, and the container file will have this size no matter how much of the space you actually use.

Say now you have a large filesystem, i.e. a large container file. Everything is already uploaded to your cloud. Now you change a small file. In reality, this means that the large container file changes. Your cloud will notice that and might try to re-upload the whole container file, which can take a lot of time and will use a lot of internet bandwidth. Even if you're lucky and your cloud is intelligent enough to notice that only a small part of the container file changed, you will have a problem when you modify a file on another computer before synchronization finished. Both computers now made different changes to the container file at the same time. Because your cloud doesn't know about the VeraCrypt file format, it doesn't have a chance of merging these changes and will (in the best case) offer you two versions of your container file, i.e. you suddenly end up having two filesystems and in each there is only one of the changes. Ugly.

So VeraCrypt is a good choice if you are only encrypting your files locally and do not need integrity, but it is not a good idea to use it in a Dropbox.

gocryptfs

Gocryptfs, like VeraCrypt, offers you a virtual filesystem, so the encryption happens in the background and doesn't interfere with your workflows. It doesn't natively support Windows, and macOS support is in beta. For Windows users, there is a third-party client (cppcryptfs). As opposed to VeraCrypt, it doesn't store your files in one big container file, but encrypts your files individually. For each of your files, there is an encrypted version in your Dropbox. This solves the problem we described for VeraCrypt.


When you change a small file, only that small file has to be re-uploaded and when you modify different files on different computers at the same time, they modify different encrypted files in the Dropbox and the Dropbox client is able to handle that. However, that is also a disadvantage. Since there is an encrypted file for each of your files, a hacker can exactly see how many files you have, how large each file is and how they are structured into directories. While gocryptfs does encrypt file names, this is only metadata obfuscation, not full metadata encryption—the directory structure, file sizes, and file counts remain visible. This might not seem like a problem at first, but metadata leakage can reveal a surprising amount about what you're storing.

Gocryptfs uses the GCM authenticated encryption mode and has been independently audited. This means it protects not only confidentiality, i.e. against adversaries reading your files, but also integrity, i.e. against adversaries modifying your files without you noticing it. The same restriction noted for confidentiality also applies to integrity, though: it only ensures that the file contents you're reading were at some point written by you. Attackers can change the directory structure, add or delete files or folders, re-add files you deleted earlier, replace files with earlier versions of themselves, or replace their content with the content of other files or earlier versions of those other files, and you wouldn't necessarily notice any of that. Solutions with full metadata encryption like CryFS protect against these kinds of attacks.
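To make the difference concrete, here is an added illustration in Python (our own demo, not code from gocryptfs, Cryptomator or CryFS). An HMAC over the whole stored blob stands in for a per-file authentication tag; a second tag additionally binds the blob to its path and to a version counter that the client keeps locally, which is the kind of binding that protecting metadata integrity provides. The file names, contents and key are constructed for the demo.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-real-use"  # constructed for the demo


def tag_content_only(content: bytes) -> bytes:
    """Stand-in for a per-file authentication tag as verified on read by
    per-file encryption tools: it covers only the bytes of that one file."""
    return hmac.new(KEY, content, hashlib.sha256).digest()


def tag_bound(path: str, version: int, content: bytes) -> bytes:
    """Tag that additionally binds the file's path and a version counter, so a
    blob is only valid at one location and one point in its history."""
    msg = path.encode() + b"\0" + version.to_bytes(8, "big") + b"\0" + content
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def write_store():
    """Build the cloud-side store and the client-side manifest.
    store:    path -> (blob, content_only_tag, bound_tag)  (synced, attacker-writable)
    manifest: path -> expected version                     (kept locally, not synced)"""
    store, manifest = {}, {}
    for path, blob in {"/notes.txt": b"meeting at 10", "/salary.txt": b"raise approved"}.items():
        manifest[path] = 1
        store[path] = (blob, tag_content_only(blob), tag_bound(path, 1, blob))
    old_salary = store["/salary.txt"]  # earlier version that cloud history may still hold
    new_blob = b"raise denied"         # legitimate update to version 2
    manifest["/salary.txt"] = 2
    store["/salary.txt"] = (new_blob, tag_content_only(new_blob),
                            tag_bound("/salary.txt", 2, new_blob))
    return store, manifest, old_salary


def verify_content_only(store) -> bool:
    return all(hmac.compare_digest(tag_content_only(blob), tag)
               for blob, tag, _ in store.values())


def verify_bound(store, manifest) -> bool:
    return all(hmac.compare_digest(tag_bound(path, manifest[path], blob), tag)
               for path, (blob, _, tag) in store.items())


def no_attack():
    store, manifest, _ = write_store()
    return verify_content_only(store), verify_bound(store, manifest)


def rollback_attack():
    """The earlier version of salary.txt is put back in place of the current one."""
    store, manifest, old_salary = write_store()
    store["/salary.txt"] = old_salary
    return verify_content_only(store), verify_bound(store, manifest)


def swap_attack():
    """The two encrypted files are exchanged in the cloud folder."""
    store, manifest, _ = write_store()
    store["/notes.txt"], store["/salary.txt"] = store["/salary.txt"], store["/notes.txt"]
    return verify_content_only(store), verify_bound(store, manifest)
```

Both the rollback and the swap pass the content-only check (every blob still carries its own valid tag) and fail the bound check; the bound check only helps if the manifest itself is stored where the attacker cannot rewrite it.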

EncFS


EncFS was my tool of choice for an encrypted Dropbox for quite some time. It doesn't support Windows (only Linux and Mac), but there are third-party clients for Windows (encfsmp, encfs4win). The way it works is very similar to gocryptfs, and it has existed for much longer. It offers you a virtual filesystem, encryption happens in the background, and it encrypts files individually. Feel free to read the gocryptfs section above for more information; the advantages and disadvantages of this approach also apply to EncFS, namely it works well with cloud synchronization and doesn't interrupt your workflows, but it only protects file contents and does not fully encrypt file sizes and directory structure (see Why Metadata Encryption Matters below).

Also note that the setting controlling whether your client should detect attackers modifying your files is, by default, stored with the encrypted data in the cloud, so an attacker can simply switch it off for you. If you want to rely on this feature, make sure you store the config file locally.

A probably even larger issue with EncFS is a security audit from 2014, which found that EncFS deviates from established security standards and also identified several vulnerabilities in the EncFS implementation. The original C++ codebase is no longer actively maintained. The maintainer is working on a Rust port focused on reading legacy encrypted data, but recommends gocryptfs for new encrypted filesystem setups. Among other vulnerabilities, the audit found one that is especially a problem with cloud storage: EncFS is not secure when an attacker obtains multiple versions of the same encrypted file at different times. So if you upload your files to your Dropbox and then modify them, they are not securely encrypted anymore.

Due to the unpatched security vulnerabilities and unmaintained status, EncFS is not recommended for new encrypted filesystems.

eCryptfs

eCryptfs is a tool for Linux, historically known for encrypting home directories in Ubuntu Linux. However, Ubuntu removed the home directory encryption option from its installer in version 18.04, recommending full-disk encryption (LUKS) instead. eCryptfs can still be set up manually after installation. Like EncFS, it doesn't encrypt file sizes or directory structure (see Why Metadata Encryption Matters below).

Furthermore, eCryptfs is not designed for cloud storage. It uses heavy caching and assumes that it is the only software accessing the encrypted files. When it is used for home directory encryption, this assumption is correct and eCryptfs can gain a little bit of performance from it. However, when you synchronize your files with Dropbox, the Dropbox client will also modify the encrypted files, for example when you change them on another computer. eCryptfs doesn't support that and could either crash or simply overwrite your changes with old versions.


Cryptomator


Cryptomator is one of the most popular open-source encryption tools for cloud storage. It is developed by Skymatic GmbH, a company that also offers commercial products like Cryptomator Hub for teams, but the core desktop application remains open source under the GPLv3 license. Cryptomator offers excellent cross-platform support with native apps for Windows, Mac, Linux, iOS, and Android. Like gocryptfs and EncFS, Cryptomator encrypts files individually rather than in a single container, making it well-suited for cloud synchronization—but at the cost of exposing metadata like file sizes and directory structure.

Cryptomator provides a polished graphical user interface, making it very accessible for non-technical users. It uses AES-256 encryption in GCM mode for content encryption and encrypts both file contents and file names. Unlike gocryptfs and EncFS, Cryptomator flattens the directory hierarchy so that all encrypted directories are stored as siblings rather than preserving the original nested structure. This provides better protection than gocryptfs, where the directory tree is visible 1:1. However, Cryptomator still exposes file sizes and the number of files per directory (see Why Metadata Encryption Matters below). An attacker can still see how many files and folders you have and how large each file is; they just can't see the nesting depth.

Cryptomator uses a WebDAV or FUSE-based virtual filesystem to present decrypted files. It has been independently audited by Cure53 in 2017. The audit confirmed that Cryptomator provides strong confidentiality for file contents, noting that "the cryptographic implementation exhibited a quite exceptional level of robustness."

For integrity protection, Cryptomator uses HMAC to detect tampering with file contents. However, similar to gocryptfs, it primarily protects individual file integrity—directory structure modifications, file deletions, or replacing files with earlier versions may not be detected.

Cryptomator is a great choice if you want a polished, user-friendly experience with good security for file contents. However, if hiding your file sizes and directory structure is important for your threat model, consider CryFS instead—in fact, Cryptomator's developers recommend CryFS for users who need this level of metadata protection.

CryFS

Since all of the solutions above have significant disadvantages when used with cloud storage, we developed CryFS. Like all other solutions described here, it offers a virtual filesystem and you can work with your files without thinking about the encryption that is happening in the background. While it can also be used for local encryption as an alternative to the other tools listed here, it was built specifically to be used together with cloud storage providers like Dropbox, Google Drive, OneDrive, and others. It supports Linux, Mac, and has experimental Windows support.


CryFS follows established security standards and is the only tool in this list that works well together with cloud storage while providing comprehensive security. As opposed to VeraCrypt, it keeps its data in small encrypted blocks, and changing a small file results in only a small amount of data being re-uploaded. As opposed to gocryptfs, Cryptomator, EncFS, and eCryptfs, it encrypts not only your file contents, but also file sizes, file metadata and directory structure. See Why Metadata Encryption Matters below to understand how much information can leak through unencrypted metadata. More information on how this is achieved can be found here. The security of CryFS has been proven in a master's thesis in 2015. As far as we know, CryFS is the only solution in this list for which this has been done.

CryFS offers confidentiality and integrity of your data. This means attackers cannot read your files, file sizes or directory structure, and it also prevents attackers from modifying any of that. CryFS has been actively developed since 2015 and is now a mature, stable solution used by thousands of users. As with any encryption tool, regular backups are still recommended as a best practice.

The increase in security when compared to other file systems comes at a performance cost. CryFS is fast enough to be used in practice. I'm getting a read speed of 170MB/s and a write speed of 80MB/s on my SSD machine, but other file systems are even faster.

CryFS currently does not support concurrent access from multiple devices. If you need to access your encrypted files from multiple computers simultaneously, you should ensure only one device has the filesystem mounted at a time.

Why Metadata Encryption Matters

Many encryption tools—including gocryptfs, EncFS, and eCryptfs—encrypt file contents and may even encrypt file names. However, there's an important distinction between metadata obfuscation and full metadata encryption:

Metadata obfuscation (what most tools offer):

  • File names are encrypted, so attackers can't read them directly
  • But file sizes, file counts, and directory structure remain visible
  • An attacker can see you have a folder with 3 subfolders containing 47, 112, and 89 files respectively

Full metadata encryption (what CryFS offers):

  • File contents, names, sizes, and directory structure are all hidden
  • An attacker sees only uniformly-sized encrypted blocks with no visible organization
  • No information about your files leaks through the encryption

This distinction matters because metadata alone can reveal a surprising amount about what you're storing. For example:

  • Photo libraries: Folders organized by year and month, each containing dozens of 2-8 megabyte files, clearly indicate a photo collection—and could reveal which events or trips you documented based on dates and photo counts.
  • Pirated movies or TV shows (not that we recommend that): Large files of 1-4 gigabytes with sizes matching known releases make identification trivial, since encoding groups use standard settings.
  • Tax returns and financial records: PDFs organized by year with sizes matching standard government forms reveal your filing history.
  • Medical imaging: X-rays, MRIs, and CT scans stored as DICOM files have characteristic sizes and structures that can reveal what tests were performed and potentially what medical conditions you have.
  • Whistleblower documents: If authorities request your encrypted files from your cloud provider, they can match the file structure against known document sets to identify what you're storing.

Some metadata patterns can also signal to attackers that you're a worthwhile target:

  • Cryptocurrency wallet backups: Bitcoin, Ethereum, and other wallets have distinctive directory structures and file sizes—revealing not just that you hold crypto, but potentially which wallets and how much.
  • Password manager databases: Small files matching known formats (KeePass, 1Password) indicate you likely have credentials worth stealing.

This is also relevant for watermarking attacks, which we will not explain in detail here.
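As an added illustration (our own demo, not code from any of the tools discussed), the following Python script takes a constructed directory tree and shows what an observer of the stored ciphertext can still count under the three storage layouts discussed above: per-file encryption with encrypted names (gocryptfs/EncFS), flattened directories (Cryptomator), and uniformly sized blocks (CryFS). The file paths, the sizes and the 16 KiB block size are assumptions made for the demo.

```python
import math

# Constructed cleartext tree for the demo: path -> size in bytes (invented values)
TREE = {
    "Photos/2023/07/IMG_0001.jpg": 3_100_000,
    "Photos/2023/07/IMG_0002.jpg": 2_900_000,
    "Photos/2023/07/IMG_0003.jpg": 4_200_000,
    "Photos/2023/12/IMG_0100.jpg": 3_500_000,
    "Taxes/2022/return.pdf": 412_000,
    "Taxes/2023/return.pdf": 418_000,
    "passwords.kdbx": 62_000,
}


def per_file_view(tree):
    """Per-file encryption with encrypted names (gocryptfs/EncFS style): names
    become opaque tokens, but each file keeps its own ciphertext, so nesting,
    per-directory file counts and every size stay visible."""
    tokens = {}

    def enc_name(parent, name):  # stand-in for deterministic per-directory name encryption
        return tokens.setdefault((parent, name), f"n{len(tokens)}")

    view = {}
    for path, size in tree.items():
        enc_parts, parent = [], ""
        for component in path.split("/")[:-1]:
            enc_parts.append(enc_name(parent, component))
            parent += "/" + component
        view.setdefault("/".join(enc_parts), []).append(size)
    return {d: sorted(sizes) for d, sizes in view.items()}


def flattened_view(tree):
    """Flattened directories (Cryptomator style): nesting is hidden because all
    directories are stored as siblings, but the number of directories and the
    size multiset of each one remain visible."""
    dirs = {}
    for path, size in tree.items():
        dirs.setdefault(path.rpartition("/")[0], []).append(size)
    return sorted(sorted(sizes) for sizes in dirs.values())  # unordered, unnamed


def block_view(tree, block_size=16 * 1024):
    """Uniform blocks (CryFS style; 16 KiB is an assumption for the demo): names,
    sizes, counts and nesting are gone. The block count still bounds the total
    volume from below; real tools add blocks for directory and metadata blobs."""
    return sum(math.ceil(size / block_size) for size in tree.values())


def visible_facts(tree):
    """What an observer of the stored ciphertext can count under each layout."""
    per_file = per_file_view(tree)
    return {
        "per_file": {"directories": len(per_file),
                     "files": sum(len(s) for s in per_file.values()),
                     "max_depth": max(d.count("/") + 1 if d else 0 for d in per_file)},
        "flattened": {"directories": len(flattened_view(tree)), "files": len(tree)},
        "blocks": {"blocks": block_view(tree)},
    }
```

Running `visible_facts(TREE)` shows the per-file layout exposing the three-level nesting and the 2-4 MB photo cluster, the flattened layout still exposing the same five directories with their size multisets, and the block layout exposing nothing but a block count.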

Summary

There are many tools available, but most have not been designed to be used in the cloud.

Gocryptfs, EncFS, and eCryptfs don't encrypt directory structure. Cryptomator flattens directory hierarchy but still exposes file counts and sizes. EncFS has unpatched security vulnerabilities and is no longer actively maintained. eCryptfs might cause crashes or undefined behavior if there is more than one device connected to your Dropbox. VeraCrypt works, as long as your container file is small, i.e. you don't mind synchronizing the whole container file on each change, and if you always let it finish synchronization before modifying the files on another computer. Cryptomator is an excellent choice if you want a polished GUI experience with good security for file contents, though it doesn't hide file sizes or directory structure. CryFS solves all of these issues, but the increased security comes with a slight performance trade-off. CryFS is available for Linux and Mac, with experimental Windows support.

Comparison table. The check marks in the cells did not survive extraction; what follows is the recoverable structure. Columns: CryFS, gocryptfs, Cryptomator, EncFS, eCryptfs, VeraCrypt. Rows, with each footnote letter and the column it was attached to:

  • Easy to use
  • Performance (a: CryFS)
  • Works well with cloud storage (b: VeraCrypt)
  • Small changes cause only a small amount of data to be re-uploaded
  • No known security flaws
  • Encrypts file contents
  • Encrypts file metadata and file sizes
  • Encrypts directory structure (h: Cryptomator)
  • Protects file contents from malicious modifications (c: CryFS; d: gocryptfs and Cryptomator; e: EncFS)
  • Protects file metadata and file sizes from malicious modifications
  • Protects directory structure from malicious modifications
  • Available for Linux
  • Available for Mac OS X
  • Available for Windows (f: CryFS; g: gocryptfs and EncFS)
  • Graphical user interface (i: CryFS, gocryptfs, EncFS, eCryptfs)
Footnotes:
  a) CryFS is fast enough to be used in practice, but some of the other file systems in the list are faster.
  b) VeraCrypt causes unresolvable conflicts when modifying the filesystem on two machines without full synchronization in between.
  c) CryFS supports this.
  d) Gocryptfs and Cryptomator only make sure that the data you're reading was at some point written by you. They do not protect against attackers who replace the content of a file with the content of a different file, or with an earlier version of the same or a different file.
  e) Like in (d), EncFS also only makes sure that the data you're reading was at some point written by you. Furthermore, the current implementation is flawed because a hacker can simply disable the integrity check.
  f) There is experimental Windows support for CryFS.
  g) There are third-party Windows clients: cppcryptfs for gocryptfs and encfs4win for EncFS.
  h) Cryptomator flattens the directory hierarchy so all encrypted directories are stored as siblings, hiding the nesting structure. However, attackers can still see the number of directories and which files belong to each directory.
  i) Third-party GUIs available: SiriKali (CryFS, gocryptfs, EncFS, eCryptfs), Plasma Vault (CryFS, gocryptfs, EncFS), gocryptfs-ui/Cryptor/Cloak (gocryptfs), and Gnome Encfs Manager (EncFS).

Get started with the CryFS Tutorial.