How to one-off decrypt files

I've seen this asked a few places about how to decrypt rclone-encrypted files if they are accessed in a different way.

There are many options but I figured I would demonstrate a few ways to do it.

My personal use case is that I have some rclone encrypted files on a server. I use this to modify and re-encrypt them there since I cannot install FUSE on there for a mount.

This was v1.53.1 though I suspect it'll work just fine on others. And macOS but this should hold for linux. No idea about Windows since I don't use rclone when I have to bite the bullet and use it.

Setup

Lets say you have the following config to upload to DropBox

[dropbox]
type = dropbox
token = {"access_token":"***","token_type":"bearer","expiry":"0001-01-01T00:00:00Z"}

[secret]
type = crypt
remote = dropbox:secret
filename_encryption = off
directory_name_encryption = false
password = 4rqu0lDxCrc0Zv6Rs-_ouBSco2qM
password2 = 4hVpWAUdWmHd9P2iBZaidXlnwlRY

In this example, I turn off filename_encryption to make it easier. This does still work with it on but the names become much (much!!!!) harder to track.

Okay, so down the line I use Dropbox's web app to download mysecrets.txt.bin. Note that the .bin was added by rclone.

New Config

Now, you saved the above config but you want to decrypt mysecrets.txt.bin without using Dropbox.

  1. Generate a new config file. I will also set the env to this file to make my life easier. All this does is stop me from having to write --config tmp.cfg every time

     $ cd path/where/I/stored/mysecrets.txt.bin
     $ export RCLONE_CONFIG=tmp.cfg 
     $ rclone conifg
    
  2. Create a new crypt remote

     $ rclone conifg
     
     No remotes found - make a new one
     n) New remote
     s) Set configuration password
     q) Quit config
    

    Choose n

     name>
    

    I use something short like cc (I actually usually just do c but that may be confusing for Windows users)

     Type of storage to configure.
     Enter a string value. Press Enter for the default ("").
     Choose a number from below, or type in your own value
     ...
     10 / Encrypt/Decrypt a remote
        \ "crypt"
     ...
    

    Enter "crypt"

     Remote to encrypt/decrypt.
     Normally should contain a ':' and a path, eg "myremote:path/to/dir",
     "myremote:bucket" or maybe "myremote:" (not recommended).
     Enter a string value. Press Enter for the default ("").
     remote>
    

    type . (BTW, if you just press ENTER, it does not use the default. It needs to be set. Minor bug...)

     How to encrypt the filenames.
     Enter a string value. Press Enter for the default ("standard").
     Choose a number from below, or type in your own value
      1 / Encrypt the filenames see the docs for the details.
        \ "standard"
      2 / Very simple filename obfuscation.
        \ "obfuscate"
      3 / Don't encrypt the file names.  Adds a ".bin" extension only.
        \ "off"
    

    Choose "off" since that is what we had before. Or just don't worry about it since we will update it later

    Option to either encrypt directory names or leave them intact.

     NB If filename_encryption is "off" then this option will do nothing.
     Enter a boolean value (true or false). Press Enter for the default ("true").
     Choose a number from below, or type in your own value
      1 / Encrypt directory names.
        \ "true"
      2 / Don't encrypt directory names, leave them intact.
        \ "false"
    

    Again, choose "false" to match but it doesn't matter

    Now, we get to password

     Password or pass phrase for encryption.
     y) Yes type in my own password
     g) Generate random password
     y/g>
    

    choose y and enter anything you want. I usually just do p. Enter it twice

     Password or pass phrase for salt. Optional but recommended.
     Should be different to the previous password.
     y) Yes type in my own password
     g) Generate random password
     n) No leave this optional password blank (default)
    

    Choose n

     Edit advanced config? (y/n)
     y) Yes
     n) No (default)
    

    Choose n

     Remote config
     --------------------
     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = *** ENCRYPTED ***
     --------------------
     y) Yes this is OK (default)
     e) Edit this remote
     d) Delete this remote
    

    Choose y. Then q to exit

  3. Open tmp.cfg in a text editor. It'll look something like

     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = gonXT-txaappm1HKFSVlIDA
    
  4. Copy the following from your old config to the new. Everything below remote. When it's done it should look like.

     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = 4rqu0lDxCrc0Zv6Rs-_ouBSco2qM
     password2 = 4hVpWAUdWmHd9P2iBZaidXlnwlRY
    

And you're ready!

Quick Aside

There seems to be a lot of confusion about these passwords. I think the "best practice" when setting up crypt is to use two random 1024bit passwords. You will be shown them by rclone but don't worry about it. They will get obfuscated in the config but that's fine. You can always open up the config and manually paste them in as done above.

Then, encrypt your config! This of your config as your encryption key and your config encryption password as your password!

Decrypt the files

Recall, we still have

$ cd path/where/I/stored/mysecrets.txt.bin
$ export RCLONE_CONFIG=tmp.cfg 

The following will decrypt it

$ rclone copy cc:mysecrets.txt .

NOTICE that there is no .bin attached! That is very important.

You could also do

$ rclone move cc:mysecrets.txt .

to delete the other file as you go (this is good if you have a lot of big files and not a lot of buffer space)

Alternative

If you just need to see the contents (and it's text), you can do

$ rclone cat c:mysecrets.txt

Or you can do

$ rclone cat c:mysecrets.txt > mysecrets.txt

to save it. This is also useful if you are doing any of this programmatically such as in python.

Encrypt

These can also all be done in reverse:

$ rclone copy mysecrets.txt c:.

Or

cat mysecrets.txt | rclone rcat c:mysecrets.txt

(I am not sure there is a way to echo the encrypted version for programatic uses without a temp file. But I am looking into it...)

I hope this helps!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.