First of all, thank you so much to everyone involved behind this amazing tool.
I'm not an expert in cryptography, but I think it would be interesting to have a crypt module that generates a master key, allowing the user to change the password instead of having to decrypt and re-encrypt the data already encrypted with the crypt. This can be useful if in any case the password is leaked. For greater protection, this master key could be stored locally or in the cloud itself, in encrypted form with a password, as Cryptomator does.
I think that storing that rclone crypt password in a password manager already does this to the needed level. I use KeePassXC, which is free and open source, but any password manager does the job. Storing that password database in the cloud, however, means that this old file can (maliciously) be kept even after the user deletes it. This is technically no different than with the mentioned Cryptomator approach.
I also store it in a password manager, but I think it would be interesting to have a new crypt module with the possibility to change the password without re-encrypting the files.
I’m not a crypto expert. I also had a similar wish, and thinking through it I had to question what purpose the password change would help with. I don’t believe there’s an algorithm that can take a user's password and update the password without re-encrypting everything to use the new password. That work needs to be done somewhere. Not re-encrypting the data with the new password would mean the old password could still be used to decrypt it. Also, the secret would need to be somewhere secure if the user just used their password for a layer on top of the actual encryption so they can change their password without re-encrypting the underlying data.
All of them have risks or trade-offs, and there is a way to “change” the password now by setting up a new remote with the new password at a different folder/path and using rclone copy or sync or even move to move data from the old encrypted remote with the old password over to the new encrypted remote with the new password. So the ability exists and maintains a high level of security, but it involves more intentional and correct use of rclone to roll a password.
I didn't mean re-encrypting the data already encrypted with crypt, but rather the new ones with a new crypt module. And thinking about it, with the advancement of quantum computers this idea obviously only makes sense with post-quantum algorithms.
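The master-key idea raised in this thread, as an added sketch that is not part of the original posts and is not rclone's or Cryptomator's code: the password only wraps a random master key, so changing it rewrites one small blob, while a retained copy of the old blob still opens with the old password. PBKDF2 and the HMAC-based wrap are standard-library stand-ins for a memory-hard KDF and an AEAD; every name and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch


def _subkeys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a one-time pad and a MAC key from the password and a fresh salt."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return pad, mac_key


def wrap(master_key: bytes, password: str) -> bytes:
    """Return salt || wrapped key || tag. The salt is new on every wrap."""
    assert len(master_key) == 32
    salt = secrets.token_bytes(16)
    pad, mac_key = _subkeys(password, salt)
    ct = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap(blob: bytes, password: str) -> bytes:
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _subkeys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ct, pad))


def change_password(blob: bytes, old: str, new: str) -> bytes:
    """Re-wrap the same master key; no file data is touched."""
    return wrap(unwrap(blob, old), new)


def demo() -> dict:
    master_key = secrets.token_bytes(32)  # would encrypt the actual files
    old_blob = wrap(master_key, "old-password")  # constructed sample passwords
    new_blob = change_password(old_blob, "old-password", "new-password")
    result = {"new_password_works": unwrap(new_blob, "new-password") == master_key}
    try:
        unwrap(new_blob, "old-password")
        result["old_password_rejected_on_new_blob"] = False
    except ValueError:
        result["old_password_rejected_on_new_blob"] = True
    # A copy of the old blob kept by someone else still yields the same key.
    result["old_blob_still_opens"] = unwrap(old_blob, "old-password") == master_key
    return result
```

Calling `demo()` shows both sides of the trade-off: the new blob rejects the old password, yet the retained old blob still yields the same master key, so a leaked password plus an old blob copy is only defeated by rotating the master key and re-encrypting.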