Can rclone act as an encrypted WebDAV proxy (WebDAV → live encrypt/decrypt → WebDAV)?

Hi,

I’m wondering if the following setup is possible with rclone.

I have an existing WebDAV storage backend and I would like to add transparent encryption in front of it, but without storing files locally.

The idea would be something like this:

Client
→ WebDAV server (provided by rclone)
→ live encryption/decryption
→ existing WebDAV server (backend storage)

So effectively:

WebDAV client → rclone → encrypted → remote WebDAV

What I want:

  • rclone exposes a WebDAV server for users

  • files uploaded to this WebDAV server are encrypted on-the-fly

  • the encrypted data is streamed directly to the backend WebDAV server

  • no full files are stored locally (only streaming / minimal buffering)

  • downloads are decrypted on-the-fly

So conceptually something like:

incoming WebDAV
→ encrypt stream
→ upload to remote WebDAV

and the reverse for downloads.

Is this possible using the rclone crypt backend combined with rclone serve webdav?

Or would rclone still need to buffer the whole file locally during uploads?

My use case is using a remote WebDAV storage provider while ensuring that all files are stored encrypted on the remote server.

Thanks!

If I am understanding the question correctly, then yes. You can rclone serve webdav mycrypt: where mycrypt wraps another webdav remote.

But there are some issues to be aware of if you do not want it to ever sit locally. Notably, you have to use no vfs-cache mode which means that if something fails, you are out of luck. There is no way for rclone to retry the upload. And for reading, there is no buffer happening so if there is a bottleneck with your home webdav, it is going to be painful.

Also note that this is not really “end-to-end” if that is your goal since, even though it is uncached, the keys exist in memory on the server and you decrypt from the (presumed) https layer on WebDAV, to rclone crypt + (presumably) another https layer.

I do something like this but I (a) rclone serve webdav <home> so I access everything (basically, just a simple webdav server) and then I have an rclone mount of my crypt space. I could directly serve it but I want to keep it easier and also have filesystem access when I am SSHed in. And (b) I do have full caching on. This exposes my content possibly but I am already mounting it so it is visible there. I think it is worth the small risk.

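The layout described in the reply above, written out as an rclone configuration. This is an added example, not part of the original thread; the remote name `backend`, the URL, the paths, the listen address and every secret are placeholder assumptions (only `mycrypt` comes from the reply).

```ini
# rclone.conf (constructed example; all values are placeholders)

# Existing WebDAV storage. It only ever receives ciphertext.
[backend]
type = webdav
url = https://webdav.example.com/dav
vendor = other
user = storage-user
# Output of `rclone obscure`. Obscuring is not encryption, so
# restrict read access to this file.
pass = OBSCURED_BACKEND_PASSWORD_PLACEHOLDER

# Crypt layer wrapping one directory on the backend remote.
# File contents, file names and directory names are encrypted
# before they leave the rclone host.
[mycrypt]
type = crypt
remote = backend:encrypted
password = OBSCURED_CRYPT_PASSWORD_PLACEHOLDER
password2 = OBSCURED_CRYPT_SALT_PLACEHOLDER
filename_encryption = standard
directory_name_encryption = true

# Serve the crypt remote to WebDAV clients with the VFS file cache
# off, so file data is not written to local disk:
#
#   rclone serve webdav mycrypt: \
#       --addr 127.0.0.1:8080 \
#       --vfs-cache-mode off \
#       --htpasswd /etc/rclone/webdav.htpasswd
#
# With the cache off, a failed upload cannot be retried by rclone,
# as the reply notes. The crypt keys and the plaintext stream are
# present in memory on this host, so the trust boundary is the
# rclone host, not the WebDAV client.
```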