Prevent hasher from leaking encrypted names

This may count as a bug or something else entirely, but it appears that the hasher backend can leak filenames.

Consider the example: (this is play so I keep the passwords. They aren't sensitive)

[mycrypt]
type = crypt
remote = cryptfiles
password = d-QuYuiS8LCm5b7CQJdhQIV82jTFKpvIAngn
password2 = M8NGPyUsERQROyzanv2SVr347r5AcPo_RdAK

[myhasher]
type = hasher
remote = mycrypt:

Then I add to it:

$ rclone copy secret.jpg myhasher:subdir/

The file and filename are properly encrypted but the database is not.

Using boltdb-dump:

$ boltdb-dump mycrypt~hasher.bolt

I get

[hasher]
  subdir/secret.jpg
    8��
hashRecord��Fp
              Hashes��Created���HashSums��

                                          ��Time������*41647,2021-11-02T23:58:43.912063861+0000,-sha1(1f738dfe3dbd583dfd85dc9471281b7127c1b711md5 62b5e9b57fea533f0f772ee1a9ac3f76��0�C���

I guess this isn't a critical issue since you can always not use hasher but at the very least, it may be worth noting this in the docs since people may get worried about this.

EDIT/UPDATE: I was thinking about it and other things leak names too like the vfs-cache so it is important to know that. Except if I am mounting something, I can nuke the cache when I am done. If I nuke the hasher kv store, it doesn't do me any good. (I guess I could encrypt that too but it is a bit ridiculous.)

The name leaks should only ever be local, as in the VFS cache.

It will kill off the record of the local names, if that is what you mean?

You could always try putting the hasher after the crypt instead of before, so it keeps track of the encrypted hashes. Maybe not very useful, but it will mean it doesn't get access to any of the real names of the files!

Yes, but unlike in VFS where I don't care anymore, if I nuke the names, then it isn't caching.

This doesn't really save me anything since the idea would be to use hashes of the unencrypted files so I can use --track-renames with hashes locally.

It is, alas, not a critical issue for me but I can imagine a case where a user may not be aware of this and have sensitive file names leaked.

The lib/kv API provides generic get/put methods that pass values as byte blobs. We could add transparent encryption at that level.

Say, kv.EnableEncryption(password string) which will be called early by fs/config when rclone.conf is encrypted.

Bad or ugly?
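The transparent-encryption idea proposed above, as an added example (not rclone code and not from any poster in this thread). The dump earlier in the thread shows the path itself is the bucket key, so encrypting only the value blobs would leave `subdir/secret.jpg` readable; this version also blinds the key with an HMAC. The names `mac`, `blindKey`, `valueAEAD`, `seal` and `open` are hypothetical, and the master key is assumed to be the output of a KDF over the config password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func mac(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// blindKey maps a plaintext path to the opaque key that reaches the store.
func blindKey(master []byte, path string) string { return fmt.Sprintf("%x", mac(mac(master, "names"), path)) }

func valueAEAD(master []byte) cipher.AEAD {
	block, _ := aes.NewCipher(mac(master, "values")) // separate 32-byte subkey, so no error
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns the (key, value) pair a hypothetical encrypted kv layer would store.
func seal(master []byte, path string, val []byte) (string, []byte) {
	aead, k := valueAEAD(master), blindKey(master, path)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // cannot encrypt safely without randomness
	}
	return k, aead.Seal(nonce, nonce, val, []byte(k)) // key as AAD binds value to name
}

func open(master []byte, path string, rec []byte) ([]byte, error) {
	aead := valueAEAD(master)
	if n := aead.NonceSize(); len(rec) >= n {
		return aead.Open(nil, rec[:n], rec[n:], []byte(blindKey(master, path)))
	}
	return nil, fmt.Errorf("short record for %q", path) // nothing stored, or truncated
}

func main() {
	master := make([]byte, 32) // constructed demo key; assumed to be KDF output in practice
	k, rec := seal(master, "subdir/secret.jpg", []byte("md5 62b5e9b57fea533f0f772ee1a9ac3f76"))
	v, err := open(master, "subdir/secret.jpg", rec)
	fmt.Println(k, string(v), err)
}
```

Blinded keys are deterministic, so a lookup by path still works, but the store can no longer be walked by directory prefix and two databases sharing a master key reveal which names they have in common.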

I think there are a lot of things in rclone that leak file names to the local computer. Cache backend, VFS caching, logs, kv store, stuff in /tmp and more that I can't think of right now.

I'm not sure adding encryption to the kv store will be enough to plug all the leaks.
