I would like to ask for advice on what could be the optimal approach with security in mind.
I have actually set up B2 with rclone this way:
1- A remote connected to an App Key that has read/write permissions on all buckets.
2- A bucket in remote 1 that uses crypt.
Now of course I can read/write data in 2 from 1, but I only see encrypted files.
So actually I have no intention of using 1 to interact with 2, since 2 will only contain encrypted files.
So what I was thinking was:
1- Create an App Key for bucket 2 only, and create a remote for that single bucket.
2- Edit configuration for my crypt to point to this new remote.
What do you think about this solution? The only downside, correct me if I'm wrong, is that when I create the crypt with an underlying remote that points to a single bucket, this process will also encrypt the bucket name.
So if I have a remote called remote: that is a single bucket and I create a crypt for this remote, the bucket name will be encrypted.
I would like to avoid this. The solution should maybe be to point the crypt to a dir inside the bucket?
Thanks in advance! Hope my message is clear.
This approach could maybe become too complex the moment I add more and more crypts. So maybe I could just stick with my current setup if the one I proposed could be too complex in the future.
Sorry, but I'm having difficulty properly understanding this.
So basically I create an App Key for the single bucket, and create a remote in rclone with that App Key.
After this I will edit the crypt I have to point at the remote I just created.
As per the docs:
"in the case of an S3 based underlying remote (eg Amazon S3, B2, Swift) it is generally advisable to define a crypt remote in the underlying remote s3:bucket. If s3: alone is specified alongside file name encryption, rclone will encrypt the bucket name."
So for the remote for the crypt, use something like under_remote:crypt.
Yes, but under_remote:crypt means that only the 'crypt' directory in the bucket will be encrypted.
I was thinking of using under_remote: for the crypt (where under_remote is in fact a single bucket). Hence the assumption that the bucket name will be encrypted.
Uhm, so now I have created a new remote that, as I said previously, is just a bucket (because the app key can read/write only on that bucket).
And I am editing the crypt in order to use this new remote as the underlying one.
I should put in under_remote: because I basically want to use only the crypt to interact with this bucket and also leave the actual directory structure intact.
What I did is just create a new remote that's configured with an app key in b2 that only reads and writes on that bucket. Only that.
And let's say I want to add a crypt on top of it.
So I'm at this point:
Remote to encrypt/decrypt.
Normally should contain a ':' and a path, eg "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a string value. Press Enter for the default ("").
remote>
Now in here I had "b2:the_bucket_name" because I had an app key for the "b2 remote" with access to all the buckets.
But now, for security, I want to put in here directly the remote that points only to that specific bucket.
I already have this setup as said in my first post.
I just wanted to get rid of my b2: remote because it was too general and was useless, because I do not want to operate on the encrypted buckets with it. This b2 bucket has an app key that can read/write in all the buckets, and that I would like to avoid for security or to avoid mistakes. I have no use for a remote that can see only encrypted names.
My situation is:
remote1 = b2: [app key with global read/write]
remote2 = aaa: [app key with read/write only on this bucket]
remote3 = crypt that points to "b2:aaa"
Now I want:
remote 4 = crypt that points to "aaa:"
This way I can delete remote 1 and change remote 3 to become remote 4.
I mean, if I have to add a dir in the bucket only to avoid the bucket name encryption, I can stick with my setup and just be careful.
Yes but at that point we return to the first argument.
If a remote points to a single bucket and I want to put a crypt remote on top of it, then the name of the bucket will be encrypted. This can only be avoided by adding a directory in the bucket and pointing the crypt to that.
Correct?
Speaking, of course, of the scenario where I only have a remote for every bucket and no generic remote with access to all of them.
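Added example, not from the thread: an rclone.conf sketch of the two setups being compared, with the bucket-scoped remote following the `s3:bucket` form from the docs quoted above. Remote names, key placeholders and passwords are assumptions.

```ini
# rclone.conf sketch (added example; remote names, placeholder keys and
# passwords are assumed, not taken from the thread).

# BEFORE: one B2 remote whose app key can read/write every bucket, and a
# crypt layered on bucket "aaa" of it (remote1 + remote3 in the thread).
[b2]
type = b2
account = <GLOBAL_APPKEY_ID>
key = <GLOBAL_APPKEY>

[secret-old]
type = crypt
remote = b2:aaa
filename_encryption = standard
directory_name_encryption = true
password = <OBSCURED_PASSWORD>
password2 = <OBSCURED_SALT>

# AFTER: a B2 remote whose app key is restricted to bucket "aaa" (remote2),
# with the crypt pointed at it (remote4). The bucket name still goes in the
# path: rclone addresses B2 as remote:bucket/path however the key is scoped,
# so "aaa:aaa" is the docs' s3:bucket form and nothing above the bucket is
# encrypted. "aaa:" alone is the form the quoted docs warn about.
[aaa]
type = b2
account = <BUCKET_SCOPED_APPKEY_ID>
key = <BUCKET_SCOPED_APPKEY>

[secret]
type = crypt
remote = aaa:aaa
filename_encryption = standard
directory_name_encryption = true
# Same password and password2 as before, or the existing files stop decrypting.
password = <OBSCURED_PASSWORD>
password2 = <OBSCURED_SALT>
```

The obscured values come from `rclone obscure`; before deleting the `[b2]` section, confirm with `rclone ls secret:` that the new crypt still decrypts the existing files.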