How to one-off decrypt files

I've seen this asked a few places about how to decrypt rclone-encrypted files if they are accessed in a different way.

There are many options but I figured I would demonstrate a few ways to do it.

My personal use case is that I have some rclone encrypted files on a server. I use this to modify and re-encrypt them there since I cannot install FUSE on there for a mount.

This was v1.53.1 though I suspect it'll work just fine on others. And macOS but this should hold for Linux. No idea about Windows since I don't use rclone when I have to bite the bullet and use it.

Setup

Let's say you have the following config to upload to Dropbox:

[dropbox]
type = dropbox
token = {"access_token":"***","token_type":"bearer","expiry":"0001-01-01T00:00:00Z"}

[secret]
type = crypt
remote = dropbox:secret
filename_encryption = off
directory_name_encryption = false
password = 4rqu0lDxCrc0Zv6Rs-_ouBSco2qM
password2 = 4hVpWAUdWmHd9P2iBZaidXlnwlRY

In this example, I turn off filename_encryption to make it easier. This does still work with it on but the names become much (much!!!!) harder to track.

Okay, so down the line I use Dropbox's web app to download mysecrets.txt.bin. Note that the .bin was added by rclone.

New Config

Now, you saved the above config but you want to decrypt mysecrets.txt.bin without using Dropbox.

  1. Generate a new config file. I will also set the env to this file to make my life easier. All this does is stop me from having to write --config tmp.cfg every time.

     $ cd path/where/I/stored/mysecrets.txt.bin
     $ export RCLONE_CONFIG=tmp.cfg 
     $ rclone config
    
  2. Create a new crypt remote

     $ rclone config
     
     No remotes found - make a new one
     n) New remote
     s) Set configuration password
     q) Quit config
    

    Choose n

     name>
    

    I use something short like cc (I actually usually just do c but that may be confusing for Windows users)

     Type of storage to configure.
     Enter a string value. Press Enter for the default ("").
     Choose a number from below, or type in your own value
     ...
     10 / Encrypt/Decrypt a remote
        \ "crypt"
     ...
    

    Enter "crypt"

     Remote to encrypt/decrypt.
     Normally should contain a ':' and a path, eg "myremote:path/to/dir",
     "myremote:bucket" or maybe "myremote:" (not recommended).
     Enter a string value. Press Enter for the default ("").
     remote>
    

    Type . (BTW, if you just press ENTER, it does not use the default. It needs to be set. Minor bug...)

     How to encrypt the filenames.
     Enter a string value. Press Enter for the default ("standard").
     Choose a number from below, or type in your own value
      1 / Encrypt the filenames see the docs for the details.
        \ "standard"
      2 / Very simple filename obfuscation.
        \ "obfuscate"
      3 / Don't encrypt the file names.  Adds a ".bin" extension only.
        \ "off"
    

    Choose "off" since that is what we had before. Or just don't worry about it since we will update it later.

    Option to either encrypt directory names or leave them intact.

     NB If filename_encryption is "off" then this option will do nothing.
     Enter a boolean value (true or false). Press Enter for the default ("true").
     Choose a number from below, or type in your own value
      1 / Encrypt directory names.
        \ "true"
      2 / Don't encrypt directory names, leave them intact.
        \ "false"
    

    Again, choose "false" to match, but it doesn't matter.

    Now, we get to password

     Password or pass phrase for encryption.
     y) Yes type in my own password
     g) Generate random password
     y/g>
    

    Choose y and enter anything you want. I usually just do p. Enter it twice.

     Password or pass phrase for salt. Optional but recommended.
     Should be different to the previous password.
     y) Yes type in my own password
     g) Generate random password
     n) No leave this optional password blank (default)
    

    Choose n

     Edit advanced config? (y/n)
     y) Yes
     n) No (default)
    

    Choose n

     Remote config
     --------------------
     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = *** ENCRYPTED ***
     --------------------
     y) Yes this is OK (default)
     e) Edit this remote
     d) Delete this remote
    

    Choose y. Then q to exit

  3. Open tmp.cfg in a text editor. It'll look something like

     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = gonXT-txaappm1HKFSVlIDA
    
  4. Copy the following from your old config to the new: everything below remote. When it's done it should look like this:

     [cc]
     type = crypt
     remote = .
     filename_encryption = off
     directory_name_encryption = false
     password = 4rqu0lDxCrc0Zv6Rs-_ouBSco2qM
     password2 = 4hVpWAUdWmHd9P2iBZaidXlnwlRY
    

And you're ready!

Quick Aside

There seems to be a lot of confusion about these passwords. I think the "best practice" when setting up crypt is to use two random 1024-bit passwords. You will be shown them by rclone but don't worry about it. They will get obfuscated in the config but that's fine. You can always open up the config and manually paste them in as done above.

Then, encrypt your config! Think of your config as your encryption key and your config encryption password as your password!

Decrypt the files

Recall, we still have

$ cd path/where/I/stored/mysecrets.txt.bin
$ export RCLONE_CONFIG=tmp.cfg 

The following will decrypt it

$ rclone copy cc:mysecrets.txt .

NOTICE that there is no .bin attached! That is very important.

You could also do

$ rclone move cc:mysecrets.txt .

to delete the other file as you go (this is good if you have a lot of big files and not a lot of buffer space).

Alternative

If you just need to see the contents (and it's text), you can do

$ rclone cat cc:mysecrets.txt

Or you can do

$ rclone cat cc:mysecrets.txt > mysecrets.txt

to save it. This is also useful if you are doing any of this programmatically such as in python.

Encrypt

These can also all be done in reverse:

$ rclone copy mysecrets.txt cc:.

Or

$ cat mysecrets.txt | rclone rcat cc:mysecrets.txt

(I am not sure there is a way to echo the encrypted version for programmatic uses without a temp file. But I am looking into it...)

I hope this helps!

1 Like
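
The config steps and the `rclone cat` call above, scripted in Python as an added example (not code from the original post). The function names are hypothetical, the sample config is the post's own `[secret]` section, and `decrypt_to_bytes` assumes `rclone` is on PATH.

```python
import configparser
import io
import os
import subprocess
import tempfile

# Constructed sample: the [secret] section of the post's original config.
OLD_CONFIG = """\
[secret]
type = crypt
remote = dropbox:secret
filename_encryption = off
directory_name_encryption = false
password = 4rqu0lDxCrc0Zv6Rs-_ouBSco2qM
password2 = 4hVpWAUdWmHd9P2iBZaidXlnwlRY
"""

def build_local_crypt_config(old_text, old_name, new_name="cc"):
    """Steps 1-4 of the post: same crypt settings, remote set to the current dir."""
    old = configparser.ConfigParser(interpolation=None)
    old.read_string(old_text)
    section = old[old_name]
    if section.get("type") != "crypt":
        raise ValueError(f"[{old_name}] is not a crypt remote")
    new = configparser.ConfigParser(interpolation=None)
    new[new_name] = dict(section)  # obscured password/password2 copied verbatim
    new[new_name]["remote"] = "."  # wrap the current directory, not Dropbox
    out = io.StringIO()
    new.write(out)
    return out.getvalue()

def cat_command(cfg_path, encrypted_name, remote="cc"):
    """argv for `rclone cat`; the .bin suffix added by crypt must be dropped."""
    if not encrypted_name.endswith(".bin"):
        raise ValueError("expected a .bin name (filename_encryption = off)")
    return ["rclone", "cat", "--config", cfg_path, f"{remote}:{encrypted_name[:-4]}"]

def decrypt_to_bytes(directory, encrypted_name, old_text=OLD_CONFIG, old_name="secret"):
    """Return the plaintext of one file in `directory` (needs rclone on PATH)."""
    fd, cfg_path = tempfile.mkstemp(suffix=".cfg")  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(build_local_crypt_config(old_text, old_name))
        return subprocess.run(cat_command(cfg_path, encrypted_name), cwd=directory,
                              check=True, capture_output=True).stdout
    finally:
        os.remove(cfg_path)  # the config holds the keys; do not leave it behind
```

The temporary config carries the same obscured passwords as the original, so it is created owner-only and removed as soon as the plaintext has been read.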
