Doubt about B2 configuration with crypt

Hi :slight_smile:

I would like to ask for advice on what could be the optimal approach with security in mind.

I currently have B2 set up with rclone this way:

1- A remote connected to an App Key that has read/write permissions on all buckets.
2- A bucket in remote 1 that uses crypt.

Now of course I can read/write data in 2 from 1, but I only see encrypted files.

So I have no intention of using 1 to interact with 2, since 2 will only contain encrypted files.

So what I was thinking was:

1- Create an App Key for bucket 2 only, and create a remote for that single bucket.
2- Edit configuration for my crypt to point to this new remote.

What do you think about this solution? The only downside, correct me if I'm wrong, is that when I create the crypt with an underlying remote that points to a single bucket, this process will also encrypt the bucket name.

So if I have a remote called remote: that is a single bucket and I create a crypt for this remote, the bucket name will be encrypted.

I would like to avoid this. Should the solution be to point the crypt to a dir inside the bucket, maybe?

Thanks in advance! Hope my message is clear.

This approach could maybe become too complex the moment I add more and more crypts. So maybe I could just stay with my current setup if the one I proposed could become too complex in the future.

Sounds good!

You still need to put the bucket name in, so just put the bucket name in the crypt remote, so remote = b2:bucket

I use exactly this setup for various backup jobs and it works well.


Sorry, but I'm having difficulty understanding this properly.

So basically I create an App Key for the single bucket, and create a remote in rclone with that App Key.
After this I will edit the crypt I have to point at the remote I just created.

For example:

underlying remote (single bucket) = under_remote
crypt remote = under_remote_crypt

This will encrypt the bucket name, right? I would like to avoid this.

As per the docs:
"in the case of an S3 based underlying remote (eg Amazon S3, B2, Swift) it is generally advisable to define a crypt remote in the underlying remote s3:bucket. If s3: alone is specified alongside file name encryption, rclone will encrypt the bucket name."

So for the remote for the crypt, use something like
under_remote:crypt

Yes, but under_remote:crypt means that only the 'crypt' directory in the bucket will be encrypted.

I was thinking of using under_remote: for the crypt (where under_remote is in fact a single bucket). Hence the assumption that the bucket name will be encrypted.

"only the 'crypt' directory in the bucket will be encrypted"
Are you asking about the contents of the bucket or the bucket name?

Uhm, so now I have created a new remote that, as I said previously, is just a bucket (because the app key can read/write only on that bucket).

And I am editing the crypt in order to use this new remote as the underlying one.

I should put in under_remote: because I basically want to use only the crypt to interact with this bucket and also leave the actual directory structure intact.

Hope it's clear.

Point under_remote: to that new remote.

What I did is just create a new remote that's configured with an app key in B2 that only reads and writes on that bucket. Only that.

And let's say I want to add a crypt on top of it.

So I'm at this point:

Remote to encrypt/decrypt.
Normally should contain a ':' and a path, eg "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a string value. Press Enter for the default ("").
remote>

Now in here I had "b2:the_bucket_name" because I had an app key for the "b2 remote" with access to all the buckets.
But now, for security, I want to put in here directly the remote that points only to that specific bucket.

Are you asking a question?

I was in fact replying because I'm in line with the docs and was unsure about the reply I received.

Before the "crypt remote" was on top of "b2:a bucket".
Now it should only be "a bucket:"

From the config dialog and from the docs i agree that the bucket name will be encrypted.

@ncw said "You still need to put the bucket name in, so just put the bucket name in the crypt remote, so remote = b2:bucket"

And that is the sentence I do not understand :smiley:

I totally agree with you that the solution is to point the crypt to under_remote:crypt.

But in this case a directory called "crypt" will be created in the bucket, if I'm correct. And that's what I do not want.

What is the name of the top-level B2 remote?
What is the name of the B2 bucket to be used for the crypt?

I already have this setup as said in my first post.

I just wanted to get rid of my b2: remote because it was too general and useless, since I do not want to use it to operate on the encrypted buckets. This b2 remote has an app key that can read/write in all the buckets, and I would like to avoid that for security reasons and to avoid mistakes. I have no use for a remote that can see only encrypted names.

My situation is:

  • remote1 = b2: [app key with global read/write]
  • remote2 = aaa: [app key with read/write only on this bucket]
  • remote3 = crypt that points to "b2:aaa"

Now i want:

  • remote 4 = crypt that points to "aaa:"

This way I can delete remote 1 and change remote 3 to become remote 4 :smiley:

I mean, if I have to add a dir in the bucket only to avoid the bucket-name encryption, I can stick with my setup and just be careful.

Point remote4 to remote3:

Well, this seems a little redundant and/or confusing, and I think it will stop working if I delete remote 1.

I think I will stay with my current config :smiley:

Kind of confusing, as you wrote "This way I can delete remote 1".

Yes, once I have access to only that bucket I have no use for a remote that can see all the buckets.
The idea was to have a remote for every bucket.

In order to avoid errors, etc.

That is a good idea, I do that.

Yes, but at that point we return to the first argument.

If a remote points to a single bucket and I want to put a crypt remote on top of it, then the name of the bucket will be encrypted. This can only be avoided by adding a directory in the bucket and pointing the crypt to that.

Correct?

Speaking, of course, of the scenario where I only have a remote for every bucket and no generic remote with access to all of them.

I hope you do not mind, but you might be overthinking this.

  1. https://rclone.org/b2/#application-keys - create a remote locked to a single bucket
  2. point the crypt to that bucket.
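Worked example of the two steps above, added here as an illustration rather than taken from the thread or from rclone's own docs. The remote name aaa, the bucket name aaa, the key ID and the key secret are placeholders. The point the thread circles around is that a bucket-restricted application key does not change how rclone addresses B2: the path is still remote:bucket/path, so the crypt's remote must name the bucket to keep the bucket name out of the encrypted namespace, and no extra directory is needed. The "bad" section is kept only to show the setting to avoid.

```ini
; Added example rclone.conf (constructed, not from the thread).
; Names, key ID and key secret are placeholders.

; B2 remote backed by an application key restricted to bucket "aaa".
; rclone still addresses it as aaa:<bucket>/<path>; the key restriction only
; limits which bucket the API calls may touch (no listing/creating other buckets).
[aaa]
type = b2
account = 0031234567890ab0000000001
key = K003placeholderApplicationKeySecret

; Setting to avoid: crypt on the bare remote. With filename encryption on,
; rclone treats the first path component (the bucket) as a name to encrypt,
; which is the "bucket name will be encrypted" warning from the config prompt.
[aaa_crypt_bad]
type = crypt
remote = aaa:
filename_encryption = standard
directory_name_encryption = true
password = <output of "rclone obscure" for the main password>
password2 = <output of "rclone obscure" for the salt>

; Correct: keep the bucket name in the crypt's remote path. The crypt root is
; the root of bucket aaa, so the existing directory layout stays as it is and
; no "crypt" subdirectory is created; only object names and contents inside
; the bucket are encrypted.
[aaa_crypt]
type = crypt
remote = aaa:aaa
filename_encryption = standard
directory_name_encryption = true
password = <output of "rclone obscure" for the main password>
password2 = <output of "rclone obscure" for the salt>
```

Checks before deleting the global-key remote: `rclone lsd aaa:` should list only bucket aaa (the restricted key cannot see the others), `rclone ls aaa:aaa` should show the existing objects with their encrypted names, and `rclone lsd aaa_crypt:` should show the same tree decrypted at the bucket root. The password and password2 values must be the same obscured strings as in the old crypt remote, otherwise the existing data will not decrypt. Once those three commands behave, the b2: remote with the all-buckets key can be removed with `rclone config delete b2`.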