Doubt about B2 configuration with crypt

Hi :slight_smile:

Would like to ask an advice on what could be the optimal approach with security in mind.

I actually have setup B2 with rclone this way:

1- A remote connected to an App Key that has read/write permissions on all buckets.
2- A bucket in remote 1 that uses crypt.

Now of course i can read/write data in 2 from 1 but i only see encrypted files.

So actually i have no intentions to use 1 to interact with 2 as per 2 will only contain encrypted files.

So what i was thinking was:

1- Create an App Key for bucket 2 only, and create a remote for that single bucket.
2- Edit configuration for my crypt to point to this new remote.

What you think about this solution? The only downside, correct me if i'm wrong is that when i will create the crypt with underlying a remote that points to a single bucket this process will also encrypt the bucket name.

So if i have a remote called remote: that is a single bucket and i create a crypt for this remote, the bucket name will be encrypted.

I would like to avoid this. The solution should be to point the crypt to a dir inside the bucket maybe?

Thanks in advance! Hope my message is clear.

This approach could maybe become too complex in the moment i add more and more crypt(s). So maybe i could just stand with my actual setup if the one i proposed could be too complex in the future.

Sounds good!

You still need to put the bucket name in, so just put the bucket name in the crypt remote, so remote = b2:bucket

I use exactly this setup for various backup jobs and it works well.

1 Like

Sorry but i'm having difficulties to properly understand this.

So basically i create an App Key for the single bucket. Create a remote in rclone with that App Key.
After this i will edit the crypt i have to point at the remote i just created.

For example:

underlying remote (single bucket) = under_remote
crypt remote = under_remote_crypt

This will encrypt the bucket name right? I would like to avoid this.

as per the docs
"in the case of an S3 based underlying remote (eg Amazon S3, B2, Swift) it is generally advisable to define a crypt remote in the underlying remote s3:bucket. If s3: alone is specified alongside file name encryption, rclone will encrypt the bucket name."

so for the remote for the crypt, use something like

Yes, but under_remote:crypt means that only the 'crypt' directory in the bucket will be encrypted.

I was thinking using under_remote: for the crypt (where under_remote is in fact a single bucket). From there the assumption that the bucket name will be enceypted.

only the 'crypt' directory in the bucket will be encrypted
are you asking about the contents of the bucket or the bucket name?

Uhm, so now i have created a new remote that as i said previously is just a bucket (because the app key can read/write only on that bucket).

And i am editing the crypt in order to use this new remote as the underlying.

I should put in under_remote:because i want basically to use only the crypt to interact with this bucket and also leave the actual directory structure intact.

Hope it's clear.

point under_remote: to that new remote

What i did is just create a new remote that's configured with an app key in b2 that only reads and writes on that bucket. Only that.

And let's say i want to add a crypt on top of it.

So i'm at this point:

Remote to encrypt/decrypt.
Normally should contain a ':' and a path, eg "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a string value. Press Enter for the default ("").

Now in here i had "b2:the_bucket_name" because i had an app key for the "b2 remote" with access to all the buckets.
But now for security i want to put in here directly the remote that points only to that specific bucket.

are you asking a question?

I was in fact replying because i'm in line with the docs and was unsure about the reply i received.

Before the "crypt remote" was on top of "b2:a bucket".
Now it should only be "a bucket:"

From the config dialog and from the docs i agree that the bucket name will be encrypted.

@ncw said "You still need to put the bucket name in, so just put the bucket name in the crypt remote, so remote = b2:bucket"

And that is the sentence i do not understand :smiley:

I totally agree with you that the solution is to point the crypt to under_remote:crypt.

But in this case a directory called "crypt" will be created in the bucket if i'm correct. And that's that i do not want to.

what is the name of the top level b2 remote?
what is the name of the b2 bucket to be use used for the crypt?

I already have this setup as said in my first post.

I just wanted to get rid of my b2: remote because it was too much general and was useless because i do not want to operate with it with the encrypted buckets. This b2 bucket has an app key that can read/write in all the buckets. And that i would like to avoid for security or to avoid mistakes. I have no use for a remote that can see only encrypted names.

My situation is:

  • remote1 = b2: [app key with global read/write]
  • remote2 = aaa: [app key with read/write only on this bucket]
  • remote3 = crypt that points to "b2:aaa"

Now i want:

  • remote 4 = crypt that points to "aaa:"

This way i can delete remote 1 and change remote 3 to become remote 4 :smiley:

I mean, if i have to add a dir in the bucket only to avoid the bucket name encryption i can stick with my setup and just be careful.

point remote4 to remote3:

Well this seems a little redundant and/or confusing and i think will stop working if i delete remote 1.

I think i will stay with my current config :smiley:

kind of confusing, as you wrote This way i can delete remote 1

Yes after i have access to only that bucket i have no use for a remote that can see all the buckets.
The idea was to have a remote for every bucket.

In order to avoid errors etc.

that is a good idea, i do that

Yes but at that point we return to the first argument.

If a remote points to a single bucket and i want to put a crypt remote on top of it, then the name of the bucket will be encrypted. This can only be avoided adding a directory in the bucket and point the crypt to that.


Speaking of course in the scenario that i only have a remote for every bucket and no generic remote with access to all of them.

i hope you do not mind, but you might be over thinking this.

  1. - create a remote locked to a single bucket
  2. point the crypt to that bucket.