B2 version support with encrypted filenames

I didn’t want to bring back this other thread from the dead, but did want to request a feature anyways.

Back in January, here’s the thread with someone else running into it : Possible to use b2-versions with crypt?

The issue here is that with an encrypted b2 remote, that backblaze automatically appends a time/date stamp onto the end of encrypted filename when it versions a file, and then your decryption fails because half of the filename is encrypted and half is the stamp.

Here’s an example:

2017/05/21 00:22:13 DEBUG : 4ut259jrn5v9elp3ebquqgii0o-v2017-05-21-041908-000: Skipping undecryptable file name: illegal base32 data at input byte 26

I use backup dir with ACD right now, and that’s a super useful feature — and sounds like it works similarly to b2’s versions. However, as you point out, it’s not supported with b2’s lack of server-side moves.

I’m not sure what the ideal solution to supporting versioning given this setup.

I’m thinking strongly about migrating away from ACD given the hopefully temporary problem…

Thanks for the hard work on the tool – really useful.

It seems to be possible to decrypt previous versions from B2 using rclone and some shell scripting, although I have not tested this extensively. TL;DR, you have to remove the timestamp from the filename first.

To set this up, add two local 'remote’s as described in this comment:

type = local
nounc =

type = crypt
remote = local:[encrypted local path]
filename_encryption = standard
password = [hashed password from remote config]
password2 = [hashed password from remote config]

Then, to get the previous version and decrypt it, use this proof of concept shell script that I pieced together. It’s far from complete, but should give you an idea of the steps involved.


FILENAME=[file you want to get a previous version of]
REMOTE=[name of your b2 remote]
BUCKET=[name of your b2 bucket]
SECRET=[your crypt remote]
DEST=[path to save the decrypted previous version to]
ENC_DEST=[encrypted local path from above]

# find the encrypted filename
echo "looking for encrypted filename of" $FILENAME
ENC_FILENAME=`rclone -v --crypt-show-mapping ls $SECRET: 2>&1 | grep $FILENAME | awk -F '"' '{print $2}'`
echo "...found" $ENC_FILENAME

# get the filename of the encrypted previous version
VER_FILENAME=`rclone -q --b2-versions ls $REMOTE:$BUCKET | grep $ENC_FILENAME | awk '{ if (NR==2) print $0 }' | sed -e 's#.*\s\(\)#\1#'`
echo "getting previous version" $VER_FILENAME

# copy the encrypted previous version to the local disk
rclone -q --b2-versions copy $REMOTE:$BUCKET/$VER_FILENAME $ENC_DEST 
echo "...saved to $ENC_DEST"

# rename file to remove the timestamp

# get an unencrypted copy of the file
rclone -q copy $CRYPT_LOCAL:/$FILENAME $DEST
echo "...decrypted to $DEST/$FILENAME"