Crypt: unexpected behaviour (file copies to same encrypted remote with different passwords allowed)

What is the problem you are having with rclone?

On an encrypted remote (with filename encryption disabled), rclone lets me copy files with different passwords. Is this expected behaviour?
I find it to be potentially problematic because this would allow mixing files with different encryption passwords on the same remote (I could be using the correct password to copy a file, and then inadvertently using the wrong password to copy other files later, without any warning. I would like to enforce using the same password for the remote, otherwise get a warning/error)

Run the command 'rclone version' and share the full output of the command.

rclone v1.68.1

  • os/version: debian 12.7 (64 bit)
  • os/kernel: 6.1.0-21-amd64 (x86_64)
  • os/type: linux
  • os/arch: amd64
  • go/version: go1.23.1
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)

local (also tried B2, same issue)

The command you were trying to run (eg rclone copy /tmp remote:tmp)

I ran 2 rclone copy commands to the same encrypted remote, using different passwords, both completed without error:

rclone -vv --config crypt.conf copy ./srcdir/testfile1.txt mydestenc:./dstdir/
rclone -vv --config crypt-wrongpw.conf copy ./srcdir/testfile2.txt mydestenc:./dstdir/

Running rclone lsf with either password gives me the list of files correctly:

$ rclone -vv --config crypt.conf lsf  mydestenc:./dstdir/
$ rclone -vv --config crypt-wrongpw.conf lsf  mydestenc:./dstdir/

Running rclone cat succeeds as long a I use the respective password (otherwise I get an error):

# these 2 commands return the file content correctly:
$ rclone -vv --config crypt.conf cat mydestenc:./dstdir/testfile1.txt
$ rclone -vv --config crypt-wrongpw.conf cat mydestenc:./dstdir/testfile2.txt

# these 2 commands produce an error:
$ rclone -vv --config crypt-wrongpw.conf cat mydestenc:./dstdir/testfile1.txt
$ rclone -vv --config crypt.conf cat mydestenc:./dstdir/testfile2.txt

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

For both config files (crypt.conf and crypt-wrongpw.conf) it looks like below (the difference between them is the values of password and password2

$ rclone --config crypt.conf config redacted
[mydest]
type = local

[mydestenc]
type = crypt
remote = mydest:
password = XXX
password2 = XXX
filename_encryption = off

A log from the command that you were trying to run with the -vv flag

$ rclone -vv --config crypt.conf copy ./srcdir/testfile1.txt mydestenc:./dstdir/
2024/09/26 19:12:18 DEBUG : rclone: Version "v1.68.1" starting with parameters ["rclone" "-vv" "--config" "cr
ypt.conf" "copy" "./srcdir/testfile1.txt" "mydestenc:./dstdir/"]
2024/09/26 19:12:18 DEBUG : Creating backend with remote "./srcdir/testfile1.txt"
2024/09/26 19:12:18 DEBUG : Using config file from "/home/<REDACTED>/rclone-tests/crypt.conf"
2024/09/26 19:12:18 DEBUG : fs cache: adding new entry for parent of "./srcdir/testfile1.txt", "/home/<REDACTED>/rclone-tests/srcdir"
2024/09/26 19:12:18 DEBUG : Creating backend with remote "mydestenc:./dstdir/"
2024/09/26 19:12:18 DEBUG : Creating backend with remote "mydest:dstdir/.bin"
2024/09/26 19:12:18 DEBUG : fs cache: renaming cache item "mydest:dstdir/.bin" to be canonical "mydest:/home/<REDACTED>/rclone-tests/dstdir/.bin"
2024/09/26 19:12:18 DEBUG : Creating backend with remote "mydest:dstdir"
2024/09/26 19:12:18 DEBUG : fs cache: renaming cache item "mydest:dstdir" to be canonical "mydest:/home/<REDACTED>/rclone-tests/dstdir"
2024/09/26 19:12:18 DEBUG : testfile1.txt: Need to transfer - File not found at Destination
2024/09/26 19:12:18 DEBUG : testfile1.txt.57d21d1c.partial: md5 = 3713d6fb9ae56ac69ef16d11181532d7 OK
2024/09/26 19:12:18 DEBUG : testfile1.txt.57d21d1c.partial: renamed to: testfile1.txt
2024/09/26 19:12:18 INFO  : testfile1.txt: Copied (new)
2024/09/26 19:12:18 INFO  :
Transferred:             72 B / 72 B, 100%, 0 B/s, ETA -
Transferred:            1 / 1, 100%
Elapsed time:         0.1s

2024/09/26 19:12:18 DEBUG : 7 go routines active

$ rclone -vv --config crypt-wrongpw.conf copy ./srcdir/testfile2.txt mydestenc:./dstdir/
2024/09/26 19:13:05 DEBUG : rclone: Version "v1.68.1" starting with parameters ["rclone" "-vv" "--config" "crypt-wrongpw.conf" "copy" "./srcdir/testfile2.txt" "mydestenc:./dstdir/"]
2024/09/26 19:13:05 DEBUG : Creating backend with remote "./srcdir/testfile2.txt"
2024/09/26 19:13:05 DEBUG : Using config file from "/home/<REDACTED>/rclone-tests/crypt-wrongpw.conf"
2024/09/26 19:13:05 DEBUG : fs cache: adding new entry for parent of "./srcdir/testfile2.txt", "/home/<REDACTED>/rclone-tests/srcdir"
2024/09/26 19:13:05 DEBUG : Creating backend with remote "mydestenc:./dstdir/"
2024/09/26 19:13:05 DEBUG : Creating backend with remote "mydest:dstdir/.bin"
2024/09/26 19:13:05 DEBUG : fs cache: renaming cache item "mydest:dstdir/.bin" to be canonical "mydest:/home/<REDACTED>/rclone-tests/dstdir/.bin"
2024/09/26 19:13:05 DEBUG : Creating backend with remote "mydest:dstdir"
2024/09/26 19:13:05 DEBUG : fs cache: renaming cache item "mydest:dstdir" to be canonical "mydest:/home/<REDACTED>/rclone-tests/dstdir"
2024/09/26 19:13:05 DEBUG : testfile2.txt: Need to transfer - File not found at Destination
2024/09/26 19:13:05 DEBUG : testfile2.txt.57d21d1c.partial: md5 = 6829ce69592c19270ed1fe81e0dbac47 OK
2024/09/26 19:13:05 DEBUG : testfile2.txt.57d21d1c.partial: renamed to: testfile2.txt
2024/09/26 19:13:05 INFO  : testfile2.txt: Copied (new)
2024/09/26 19:13:05 INFO  :
Transferred:             72 B / 72 B, 100%, 0 B/s, ETA -
Transferred:            1 / 1, 100%
Elapsed time:         0.1s

2024/09/26 19:13:05 DEBUG : 7 go routines active

welcome to the forum,

yes, that is expected behavior.

you create the remote, you are the enforcer.

well, you explicitly told rclone to use a particular config file, so that is the correct config file.

using multiple config files is not common.
using multiple config files with crypt remotes, each with different passwords, never heard of that before.

how is rclone to know?
which is the correct config file, which is the wrong config file, which passwords are correct, which password are not correct??

Thank you for your reply. Possible scenarios I could think of: the config gets changed (by mistake), or rclone is run on another machine to the same encrypted remote with a config that is incorrect (with different passwords). So it seems that rclone alone would not be able to catch this, correct?

yes, no, maybe, depends.
sorry, not going to go down that rabbit hole, too many edge cases.

you have a few options.

  1. start a new topic, using the feature template and request a new feature.
    let's see what other forum members think.

  2. write a simple script, to protect the crypt remote. something like

rclone lsd mydestenc:
if exit code == 0, then run rclone copy ...
else echo 'error: incorrect password used'
1 Like

Yes, I was thinking something along these lines (when initially setting up the remote, copy a known file to it that I could check each time I access the remote). Also keeping filename encryption on (the default option) seems to be better than disabling it (so that e.g., rclone lsf could be used to check if using the correct password)