CryptoDrive secures and encrypts sensitive files in a local virtual drive.
A folder can be encrypted with a master password into a vault, which can be mounted as a local drive. Data written to the drive is encrypted automatically.
All files are encrypted with AES-256-GCM. The DEK (Data Encryption Key) is generated from a secure random seed, and the DEK is encrypted with an AES key derived from the master password by PBKDF2.
Key generation:
DEK: generated from a secure random seed; Master-Password: entered by the user; Derived-AES-Key: derived from Master-Password by PBKDF2; Encrypted-DEK: the DEK encrypted with Derived-AES-Key.
The DEK and Master-Password are never saved on disk. The vault keeps only the Encrypted-DEK.
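The key hierarchy described above, as an added Node.js example that is not CryptoDrive's own code. The salt size, iteration count, SHA-256 as the PBKDF2 hash, AES-256-GCM as the mode that wraps the DEK, the header layout and all function names are assumptions; the page gives none of them.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed parameters: the page names PBKDF2 and AES-256-GCM only.
const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumption)

// Derived-AES-Key: stretched from the Master-Password with a per-vault salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// AES-256-GCM with a fresh 96-bit nonce per call; output is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// New vault: random DEK, persisted only as Encrypted-DEK next to its salt.
function createVault(masterPassword) {
  const dek = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const header = { salt, encryptedDek: seal(deriveKey(masterPassword, salt), dek) };
  return { header, dek }; // header goes to disk; dek stays in memory only
}

// Mounting: re-derive the key from the password and unwrap the DEK.
function unlockVault(header, masterPassword) {
  return unseal(deriveKey(masterPassword, header.salt), header.encryptedDek);
}

// Password change re-wraps the DEK under a new salt; file ciphertexts are untouched.
function changePassword(header, oldPassword, newPassword) {
  const dek = unlockVault(header, oldPassword);
  const salt = nodeCrypto.randomBytes(16);
  return { salt, encryptedDek: seal(deriveKey(newPassword, salt), dek) };
}
```

Because files are sealed under the DEK rather than under the password-derived key, a wrong password fails at the GCM tag check on the header, and changing the password rewrites only the small header record.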
The folder with encrypted files can be synchronized to the cloud securely. CryptoDrive has built-in sync support for any S3-compatible service.