In this paper, we present Tresorium, a cryptographic file system designed for cloud based data storage. In Tresorium, files are encrypted before they are uploaded to the cloud storage providers, therefore, not even the cloud storage providers can access the users' data. Yet, Tresorium allows the sharing files within a group of users by using an underlying group key agreement protocol. A key feature of Tresorium is that it handles changes in group membership and modification of files in an extremely efficient manner, thanks to the usage of so called key-lock-boxes and a lazy re-encryption approach. Finally, Tresorium supports an ACL-like abstraction, so it is easy to use. We describe Tresorium, and analyze its security and performance. We also present some simulation results that clearly show the efficiency of the proposed system.