Cryptomator Hub is a zero-knowledge key management solution that allows you to manage access to your vaults from a central component deployed on your own infrastructure.


  1. Decide, on which web addresses you want to deploy Hub and Keycloak (and set up DNS and TLS termination, if required)

  2. Use the Setup Wizard to generate a deployment descriptor template

  3. Customize the template if needed (e.g., adjust the Ingress settings) and deploy the software stack to your cluster

  4. Log in to Keycloak to

    • adjust authentication settings

    • set up users/groups or LDAP/AD

  5. Log in to Cryptomator Hub and start creating Hub-managed vaults

More Details

To get started, use the Setup Wizard to generate the necessary configuration files.

Cryptomator Hub depends on Keycloak, an open-source identity and access management solution. That means, Hub manages access to your vaults whereas Keycloak manages users, groups, and authentication. In the Setup Wizard, you will have the option to choose between deploying Keycloak alongside Hub or specifying an URL to an existing Keycloak installation.

Keycloak Administration

Using Keycloak, you can create users, delete users, manage groups, and optionally also synchronize users/groups to Keycloak using LDAP or other identity providers to whom you can then give access to vaults in Hub.


Subgroups are not supported at this time.


When Cryptomator Hub is freshly installed, it comes with a community license.

Billing shows community license

This license is valid for 5 seats. Only users assigned to a vault will occupy a seat.

The Get License button will direct you to an external website at where you can buy a license for this instance. If successful, you will be automatically redirected back to your Hub instance.

Billing shows standard license


Currently, we are evaluating the system requirements for Cryptomator Hub. If you can provide data, please send us an email to