Difficult security question. Rclone and encryption

I would like to ask if my thinking is correct:

  1. rclone, config file is encrypted, gdrive is crypt

on a VPS server like scaleway or online.net or vultr, in Ubuntu 16 x64:

rclone --config=encrypted.conf --htpasswd bcrypt_file serve http --addr my.host.com:55643 --cert /etc/letsencrypt/live/my.host.com/cert.pem --key /etc/letsencrypt/live/my.host.com/privkey.pem gdrive:

  2. entered password.

Question:
since rclone does not save the encrypted.conf password,
and is using NaCl, a very secure method with a one-time nonce,
and access is protected with an htpasswd file with bcrypt hashes,
and gdrive: is a crypt share,
and the transfer to the client is over SSL,

is it possible that the VPS owner will see my files?

Even if he does a memory dump, NaCl is a very secure encryption method, and rclone does not save the password in memory; it would not be usable since the nonce is only used once in this secretbox.
Also, bcrypt with a strong password in htpasswd is very secure.

What would the VPS owner have to do to crack into my files?

(let's skip the possibility where the VPS owner recompiles rclone and kills mine, replacing it with his doctored version)

If the VPS owner could use a memory dump then they could probably recover some unencrypted data (which will be in the memory transiently). rclone will store the key to the crypt in memory too (it needs to, to decrypt stuff), so they could potentially find that. rclone will also have the decrypted config file in memory (or at least the tokens).

So I think if the VPS provider can dump the memory of rclone they will be able to see your files. That wouldn’t be particularly easy, but it would be possible.

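To make "dump the memory of rclone" concrete, here is an added example; it is not from this thread and not rclone code. On Linux it opens /proc/self/maps and /proc/self/mem and scans every readable mapping of its own process, which is the same view the host operator gets from a dump of the VM, for a 32-byte stand-in for the crypt key (constructed sample data, filled by a xorshift loop so the pattern is not also a literal sitting in the binary). The scanner is only ever handed an XOR-masked copy of the key, so the scan itself does not plant a plaintext copy for the next scan to find; unreadable mappings and the kernel-backed [vvar]/[vsyscall] pages are skipped. The names `secret`, `mask`, `foundInOwnMemory` and `wipe` are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// secret stands in for the crypt key rclone must hold while it serves files. It is
// a package-level heap slice (stack copying cannot leave stale copies behind).
var secret = make([]byte, 32)

// mask is XORed over the search pattern so the scanner never holds the key in plaintext.
const mask = 0x5A

// fillSecret writes constructed sample data (xorshift) that is not a literal in the binary.
func fillSecret() {
	x := uint32(0x9E3779B9)
	for i := range secret {
		x ^= x << 13
		x ^= x >> 17
		x ^= x << 5
		secret[i] = byte(x)
	}
}

// wipe overwrites a buffer in place once its contents are no longer needed.
func wipe(b []byte) { for i := range b { b[i] = 0 } }

// matchMasked reports whether hay contains the plaintext behind masked.
func matchMasked(hay, masked []byte) bool {
	for i := 0; i+len(masked) <= len(hay); i++ {
		j := 0
		for j < len(masked) && hay[i+j]^mask == masked[j] {
			j++
		}
		if j == len(masked) {
			return true
		}
	}
	return false
}

// foundInOwnMemory scans every readable mapping of this process via /proc/self/mem,
// the same view a memory dump gives the host operator, for the key.
func foundInOwnMemory(masked []byte) (bool, error) {
	maps, err := os.Open("/proc/self/maps")
	if err != nil {
		return false, err
	}
	defer maps.Close()
	mem, err := os.Open("/proc/self/mem")
	if err != nil {
		return false, err
	}
	defer mem.Close()
	buf := make([]byte, 1<<20+len(masked)-1) // 1 MiB chunk plus carry-over
	defer wipe(buf)                          // do not leave a copy of scanned memory behind
	sc := bufio.NewScanner(maps)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[1][0] != 'r' || (len(f) > 5 && strings.HasPrefix(f[5], "[v")) {
			continue
		}
		var lo, hi uint64
		if _, err := fmt.Sscanf(f[0], "%x-%x", &lo, &hi); err != nil || lo >= hi || hi > 1<<62 {
			continue
		}
		for off, carry := lo, 0; off < hi; {
			want := int(hi - off)
			if want > 1<<20 {
				want = 1 << 20
			}
			n, rerr := mem.ReadAt(buf[carry:carry+want], int64(off))
			if matchMasked(buf[:carry+n], masked) {
				return true, nil
			}
			if rerr != nil || n == 0 {
				break // e.g. EIO on a page the kernel will not hand out
			}
			// Carry the last len-1 bytes so a key straddling two chunks is still seen
			// (n is at least one page here, so the slice start never goes negative).
			carry = copy(buf, buf[carry+n-(len(masked)-1):carry+n])
			off += uint64(n)
		}
	}
	return false, sc.Err()
}

func main() {
	fillSecret()
	masked := make([]byte, len(secret)) // the only form the scanner is handed
	for i := range secret {
		masked[i] = secret[i] ^ mask
	}
	found, err := foundInOwnMemory(masked)
	fmt.Println("key visible while in use:", found, err)
	wipe(secret)
	found, err = foundInOwnMemory(masked)
	fmt.Println("key visible after wipe:", found, err)
}
```

Run it and the key is reported visible while in use and gone once wipe() has run. The second result is only as good as the program's discipline: Go copies freely (string conversions, fmt, I/O buffers), the garbage collector does not zero freed memory, and nothing stops whoever controls the hypervisor from reading guest RAM during the window in which the key has to exist, which is the point made above.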

I’m pretty sure there are plenty of ways for an attacking VPS owner to snoop on your tty (or whatever is used to enter the password). I remember even back in the 90s there were tools you could run on your server (albeit on the same non-virtualized OS) that would keylog the people logged in remotely.


So there is no way… the owner of the physically controlled machine can do anything…

Yes… You can make life arbitrarily hard for them, but you’ll have to trust the provider at some level.


Does Go allow the use of mprotect, mlock, madvise, PROT_NONE or some other memory protection functions?
Can rclone use those to forbid dumping memory, reading swap, etc.?

That library you linked looks like it would do the trick.

What would you propose - that rclone kept the password for the config file in there?
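For what a library of that kind does under the hood, here is an added example of the primitives asked about, written against Go's standard syscall package on Linux; it is not rclone's code and not the library linked above. The secret lives in its own page-aligned anonymous mapping that is mlock()ed so it is never paged out to swap, marked MADV_DONTDUMP so it stays out of core dumps, and zeroed and set to PROT_NONE as soon as it is no longer needed, so a later stray read or a dump taken after that point finds nothing. The type `LockedBuffer`, its methods and the constant `madvDontDump` are this example's own names; MADV_DONTDUMP (16) is spelled out because the standard syscall package does not export it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// madvDontDump is MADV_DONTDUMP from <sys/mman.h> (Linux 3.4+): keep these pages
// out of core dumps. The standard syscall package does not export the constant.
const madvDontDump = 16

// LockedBuffer keeps a secret in its own page-aligned anonymous mapping that is
// mlock()ed (never written to swap) and excluded from core dumps, and that is
// wiped and made inaccessible (PROT_NONE) as soon as the secret is not needed.
type LockedBuffer struct {
	mem    []byte // the whole mapping, a multiple of the page size
	n      int    // bytes handed out to the caller
	sealed bool
}

// NewLockedBuffer maps and locks room for n secret bytes. It fails closed: if
// mlock is refused (RLIMIT_MEMLOCK too low), no unlocked buffer is handed out.
func NewLockedBuffer(n int) (*LockedBuffer, error) {
	if n <= 0 {
		return nil, errors.New("size must be positive")
	}
	page := os.Getpagesize()
	size := (n + page - 1) / page * page
	mem, err := syscall.Mmap(-1, 0, size,
		syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_PRIVATE|syscall.MAP_ANON)
	if err != nil {
		return nil, fmt.Errorf("mmap: %w", err)
	}
	if err := syscall.Mlock(mem); err != nil {
		syscall.Munmap(mem)
		return nil, fmt.Errorf("mlock: %w", err)
	}
	// Best effort: an old kernel rejecting the advice is not worth failing for.
	_ = syscall.Madvise(mem, madvDontDump)
	return &LockedBuffer{mem: mem, n: n}, nil
}

// Bytes returns the secret for reading or writing, or nil once sealed. Callers
// must not copy it elsewhere (a string conversion would defeat the point).
func (b *LockedBuffer) Bytes() []byte {
	if b.sealed {
		return nil
	}
	return b.mem[:b.n]
}

// Seal zeroes the secret and removes all access to its pages, so a bug or a
// dump taken after this point finds nothing. Sealing twice is a no-op.
func (b *LockedBuffer) Seal() error {
	if b.sealed {
		return nil
	}
	for i := range b.mem {
		b.mem[i] = 0
	}
	if err := syscall.Mprotect(b.mem, syscall.PROT_NONE); err != nil {
		return fmt.Errorf("mprotect: %w", err)
	}
	b.sealed = true
	return nil
}

// Sealed reports whether the secret has already been wiped.
func (b *LockedBuffer) Sealed() bool { return b.sealed }

// Destroy seals the buffer if needed and releases the mapping (munmap also
// drops the mlock).
func (b *LockedBuffer) Destroy() error {
	if err := b.Seal(); err != nil {
		return err
	}
	return syscall.Munmap(b.mem)
}

func main() {
	// Constructed sample: a config password entered at startup, used once to
	// decrypt the config, then sealed instead of lingering in the Go heap.
	pw, err := NewLockedBuffer(64)
	if err != nil {
		fmt.Println("cannot lock memory:", err)
		os.Exit(1)
	}
	n := copy(pw.Bytes(), "correct horse battery staple")
	fmt.Printf("password held in locked memory: %q\n", pw.Bytes()[:n])
	// ... decrypt the config with pw.Bytes()[:n] here ...
	if err := pw.Destroy(); err != nil {
		fmt.Println("destroy:", err)
	}
	fmt.Println("sealed:", pw.Sealed(), "bytes after seal:", pw.Bytes())
}
```

mlock fails with ENOMEM or EPERM when RLIMIT_MEMLOCK is too low for the process, so check `ulimit -l` if NewLockedBuffer refuses. As the thread already concludes, none of this stops the provider: mlock and PROT_NONE defend against swap, core dumps and bugs in the same process, not against a hypervisor reading guest RAM while the secret is in use.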

I have a similar but slightly different question: what if the jobs in this cloud VM were executed with scheduling? Is there any way to protect passwords? Or would anyone with access to the keyring have access to the origin and destination storages?

You’ll always have to trust some machine. You can encrypt the credentials but then you need to supply a password. You could store the credentials on a trusted machine and use that machine to manage the sync running remotely I believe. I think I saw an issue similar to this from mholt.

Found what I was looking for but it isn’t “quite” what you asked but referencing it anyway as you get what I mean.

What would be nice is to run a daemon mode without credentials and use ‘rc’ to remote execute by supplying the credentials. I know work was done on RC but I am not sure if this ever made it in or into an issue.


Thanks @calisro. As you said, my use case is a bit different, but I will evaluate these options.

Maybe, when someone types the password, keep the decrypted config in such a memory-protected area,
if that is not happening already.

If currently, after entering the password, the decrypted config information is stored in some unprotected area, I propose using that mechanism to store this temporarily decrypted config info from entering the password in a protected memory region.

But such an option, for example
--keep-decrypted-password-time = 1s to MAX_TIME_USER_CHOOSE

would also be great if possible.