Decrypt rclone-encrypted files independently

I have files encrypted with rclone. Suppose that rclone is discontinued, or the encryption algorithm is updated, and I have files encrypted with old versions of the rclone.

I have NACL library installed and have master key (password 1 and 2). How can I extract the "nonce" from each file and decrypt that based on nacl_secretbox(masterkey, nonce), directly without using rclone?

hello and welcome to the forum,

you could use a hex editor or tool to extract it.
i am curious if you can decrypt a crypted file using something other than rclone?

You definitely can. This project


The output of the "xxd FILE" is a number of rows, each with a sequence of 4 charcacter strings (except the last column which seems giberish).

Which one is nonce, which is magic number, and where is the beginning and end of the encrypted data?

It does not say explicitly.

If rcloe developers tell us how to extract the nonce, magic number and data from an encrypted file, then I guess we can use ANY program that wraps nacl library.


  • 8 bytes magic string RCLONE\x00\x00
  • 24 bytes Nonce (IV)

I mean. It's open source. It's not a secret. The docs also explain how.

Yes, sure, we can read the code and the RFC4648 data format. I thought it would be faster if someone has done it already, to point out the steps.

A 100 lines stand-alone Go program that parses the data, IV and calls the nacl would be valuable to have. It could also be even integrated as "rclone decrypt FILE" "rclone dump FILE" (to output IV, magic and data).

Right now this could be done if I download from remote. It seems convoluted to decrypt from a local-crypt:

type = local

type = crypt
remote = local:/home/xxxx/test
filename_encryption = standard
directory_name_encryption = true
password = xxxx
password2 = xxxx

This doesn't seem to work for me (with mounting, etc). But again, the best is to have that 100 lines code and not to rely on an ever-changing code base.

(I add that I just learned about rclone and it could well be that I am missing many things here).

You can mount locally encrypted files or directories. I'm not sure why you'd want another go program to decrypt it.

You can run rclone cat local-crypt:file > newfile also as an example.

Ok, thanks, I will look into the local to local case you mentioned.

If you have gcc, this source help to read.

1 Like

Thank you for your answer. However, I know I can do it from the rclone CLI, and I know how to do it. What I was asking was if there was a way or a tool to decrypt rclone-encrypted files locally? PrepaidGiftBalance

is there a reason you do not want to use rclone?

You can use rclone to decrypt files locally as well. You mean 'another tool'? Someone wrote a chrome extension before. You don't 'need' rclone to do it. That being said I dont think many people have bothered writing anything because rclone does it very well for most use cases.

rclone copyto encrypted.txt ./decrypted.txt -v \
--crypt-remote=lc: \
--crypt-filename-encryption=obfuscate \
--crypt-directory-name-encryption=false \
--crypt-password=TJ2tUcsyLRZNguAg2lkJdpRvdGonerAL  \
1 Like

it might be useful to decrypt a crypted file/folder without having to have a remote.
and vice-verse, to encrypt a file/folder without having a remote
perhaps --encrypt-local that would accept a local file/folder
perhaps --decrypt-local that would accept a local file/folder

i have a python script that i use for my copying and backup, using 7zip, fastcopy and of couse rclone.
i have a command line function that will encypt and decrypt text and/or files.
but with the above flags, i could use rclone instead.


rclone copyto decrypted.txt encrypted.txt --encrypt-local=true
rclone copyto encrypted.txt decrypted.txt --decrypt-local=true

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.