Proton Drive encryption error: openpgp: invalid argument: cannot decrypt encrypted session key ... with private key

What is the problem you are having with rclone?

I'm getting an encryption-related error:

Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <id1> with private key id <id2>

I found nothing on the forums here that seem relevant, and I don't think this git issue is related, but one commenter there appears to be reporting the present issue.

Please let me know if there's anything I can do to help clarify. I don't know how to go about narrowing this down.

Run the command 'rclone version' and share the full output of the command.

rclone v1.65.2

• os/version: ubuntu 20.04 (64 bit)
• os/kernel: 5.4.0-167-generic (x86_64)
• os/type: linux
• os/arch: amd64
• go/version: go1.21.6
• go/linking: static
• go/tags: none

(also tested on v1.64.0, posted as a github issue before I was told I should have posted here first!)

Which cloud storage system are you using? (eg Google Drive)

Proton Drive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone sync $folder proton:$folder_name --progress --exclude ".git/" --no-update-modtime --protondrive-replace-existing-draft=true

However, I've also seen it with copy as I was playing around.

The rclone config contents with secrets removed.

[google_drive]
type = drive
scope = drive
token = {"access_token":"<token>","token_type":"Bearer","refresh_token":"<token>","expiry":"<date>"}
root_folder_id = <id>

[proton]
type = protondrive
username = <user>
password = <pass>
clientUID = <UID>
clientAccessToken = <token>
clientRefreshToken = <token>
clientSaltedKeyPass = <salted_pass>
client_uid = <UID>
client_access_token = <token>
client_refresh_token = <token>
client_salted_key_pass = <salted_pass>

A log from the command with the -vv flag

I'll provide what I think are relevant excerpts, but let me know if more would be helpful:

2024/03/04 12:36:34 DEBUG : rclone: Version "v1.65.2" starting with parameters ["rclone" "-vv" "sync" "/media/desiderata/00-notes/articles/" "proton:00-notes/articles/" "--progress" "--exclude" ".git/" "--no-update-modtime" "--protondrive-replace-existing-draft=true"]
2024/03/04 12:36:34 DEBUG : Creating backend with remote "/media/desiderata/00-notes/articles/"
2024/03/04 12:36:34 DEBUG : Using config file from "/home/dorian/.config/rclone/rclone.conf"
2024/03/04 12:36:34 DEBUG : fs cache: renaming cache item "/media/desiderata/00-notes/articles/" to be canonical "/media/desiderata/00-notes/articles"
2024/03/04 12:36:34 DEBUG : Creating backend with remote "proton:00-notes/articles/"
2024/03/04 12:36:34 DEBUG : proton: detected overridden config - adding "{kpshc}" suffix to name
2024/03/04 12:36:34 DEBUG : proton drive root link ID '00-notes/articles': Has cached credentials
2024/03/04 12:36:36 DEBUG : proton drive root link ID '00-notes/articles': Used cached credential to initialize the ProtonDrive API
2024/03/04 12:36:38 DEBUG : fs cache: renaming cache item "proton:00-notes/articles/" to be canonical "proton{kpshc}:00-notes/articles"
2024/03/04 12:36:38 DEBUG : .git: Excluded

...

2024/03/04 12:53:14 DEBUG : the-amygdala-is-not-the-fear-centre.md: Size and modification time the same (differ by -792.641715ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-amygdala-is-not-the-fear-centre.md: Unchanged skipping
2024/03/04 12:53:14 DEBUG : the-five-types-of-couple-gottman.md: Size and modification time the same (differ by -792.641715ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-five-types-of-couple-gottman.md: Unchanged skipping
2024/03/04 12:53:14 DEBUG : the-human-perspective.md: Size and modification time the same (differ by -792.641715ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-human-perspective.md: Unchanged skipping
2024/03/04 12:53:14 DEBUG : the-new-democracy.md: Size and modification time the same (differ by -792.641715ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-new-democracy.md: Unchanged skipping
2024/03/04 12:53:14 DEBUG : the-point-of-love.md: Size and modification time the same (differ by -792.641715ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-point-of-love.md: Unchanged skipping
2024/03/04 12:53:14 DEBUG : the-scientific-ritual.md: Size and modification time the same (differ by -332.498174ms, within tolerance 1s)
2024/03/04 12:53:14 DEBUG : the-scientific-ritual.md: Unchanged skipping

...

2024/03/04 12:53:21 ERROR : emotion-and-the-mind.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key_id> with private key id <priv_key_id>
2024/03/04 12:53:21 ERROR : everything-is-ideology.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key_id> with private key id <priv_key_id>
2024/03/04 12:53:21 ERROR : education-is-entertainment.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key_id> with private key id <priv_key_id>

hi, pretty sure, those flags do not belong in the config file.
tho, odds are, that is not the root cause of the error

for a deeper look, try --dump=headers --retries=1

Thanks for that. I deleted and re-created the proton remote, and indeed it did not re-create the camel case entries, only the kebab case ones. However, I still get the same error.

When I try with -dump=headers --retries=1, I get similar output. I will post excerpts here as before, but this time also track a couple which rclone notes have different sizes. I also wonder if these 'A file or folder with that name already exists' errors are related, because there are 8 warnings and 8 errors, which matches up with the 8 failed transfers (which fail for the encryption-related reason).

EDIT: I also note I/O errors when it tries to delete stuff?

2024/03/05 14:20:52 DEBUG : rclone: Version "v1.65.2" starting with parameters ["rclone" "-vv" "sync" "/media/desiderata/00-notes/articles/" "proton:00-notes/articles/" "--exclude" ".git/" "--no-update-modtime" "--protondrive-replace-existing-draft=true" "--dump=headers" "--retries=1"]
2024/03/05 14:20:52 DEBUG : Creating backend with remote "/media/desiderata/00-notes/articles/"
2024/03/05 14:20:52 DEBUG : Using config file from "/home/dorian/.config/rclone/rclone.conf"
2024/03/05 14:20:52 DEBUG : fs cache: renaming cache item "/media/desiderata/00-notes/articles/" to be canonical "/media/desiderata/00-notes/articles"
2024/03/05 14:20:52 DEBUG : Creating backend with remote "proton:00-notes/articles/"
2024/03/05 14:20:52 DEBUG : proton: detected overridden config - adding "{kpshc}" suffix to name
2024/03/05 14:20:52 DEBUG : proton drive root link ID '00-notes/articles': Has cached credentials
2024/03/05 14:20:54 DEBUG : proton drive root link ID '00-notes/articles': Used cached credential to initialize the ProtonDrive API
2024/03/05 14:20:57 DEBUG : fs cache: renaming cache item "proton:00-notes/articles/" to be canonical "proton{kpshc}:00-notes/articles"
2024/03/05 14:20:57 DEBUG : .git: Excluded

...

2024/03/05 14:29:56 DEBUG : _0-template.md: Sizes differ (src 1571 vs dst 1263)
2024/03/05 14:29:56 DEBUG : _christopher-alexander-design.md: Size and modification time the same (differ by -518.93685ms, within tolerance 1s)
2024/03/05 14:29:56 DEBUG : _1-collections.md: Modification times differ by -361h16m53.768641326s: 2023-08-03 14:26:17.768641326 +0100 BST, 2023-07-19 13:09:24 +0100 +0100
2024/03/05 14:29:56 DEBUG : _christopher-alexander-design.md: Unchanged skipping
2024/03/05 14:29:56 DEBUG : _collective-architecture.md: Size and modification time the same (differ by -518.93685ms, within tolerance 1s)
2024/03/05 14:29:56 DEBUG : _collective-architecture.md: Unchanged skipping
2024/03/05 14:29:56 DEBUG : _1-collections.md: sha1 = 962f6023822381f1809aa3bac276b4e8a9f02141 OK
2024/03/05 14:29:56 DEBUG : _1-collections.md: Unchanged skipping
2024/03/05 14:29:56 DEBUG : abstract-learning-in-the-honeybee.md: Sizes differ (src 12140 vs dst 12085)
2024/03/05 14:29:56 DEBUG : circularity-of-sustainability.md: Sizes differ (src 9321 vs dst 9320)

...


2024/03/05 14:29:57.478909 WARN RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422), Attempt 1
2024/03/05 14:29:57.478976 ERROR RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422)
2024/03/05 14:29:57.608154 WARN RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422), Attempt 1
2024/03/05 14:29:57.608194 ERROR RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422)
2024/03/05 14:30:00 ERROR : _0-template.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key> with private key id <priv_key>
2024/03/05 14:30:00 ERROR : circularity-of-sustainability.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key> with private key id <priv_key>
2024/03/05 14:30:00 ERROR : abstract-learning-in-the-honeybee.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key> with private key id <priv_key>

...
2024/03/05 14:30:03 ERROR : proton drive root link ID '00-notes/articles': not deleting files as there were IO errors
2024/03/05 14:30:03 ERROR : proton drive root link ID '00-notes/articles': not deleting directories as there were IO errors
2024/03/05 14:30:03 ERROR : Attempt 1/1 failed with 8 errors and: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key> with private key id <priv_key>
2024/03/05 14:30:03 DEBUG : 6 go routines active
2024/03/05 14:30:03 Failed to sync with 8 errors: last error was: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id <key> with private key id <priv_key>

In searching the forum for these 422 errors, I don't find anything similar. I can see some people have a 409 error with similar text, but no apparent encryption error.

On the github thread for the new proton drive backend, there is a report of a 422 error like this but no mention of the encryption thing (though the report is fairly vague). However, when I check my log for my copy command (identical to sync except it copies, not syncs, and only the last 25 hours) I get 422 errors with no encryption errors:

2024/03/05 03:06:36.287304 WARN RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422), Attempt 1
2024/03/05 03:06:36.287392 ERROR RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422)

each time you run rclone, the same exact 8 files error out?

Yes, I think so. Though I'm only testing in the most tractable of the things I sync every week (a folder of markdown files). When I look at the log from the sync this weekend of the containing folder, these files have produced the same error (along with others from the other folders in the top-level).

i would pick a single file and something like
rclone sync $folder/$file proton:$folder_name --retries=1 --dump=headers,responses,bodies,requests,auth

My observation is that we see more and more Proton drive remote related problems. And nobody really does anything about them.

Its maintainer and author went quiet in September last year. All rclone project is open source so nothing wrong about it - he did good job to make it happen initially - great. But unfortunately does not seem that anybody is willing to spend time on maintenance and further dev.

In conclusion I would say it is (at least for now) stalled development and better to avoid using it for anything but trying. It is still marked as beta and should be treated as such with a hint that do not expect anybody will do much - unless you are person willing to take it over and help.

Thanks, here's the log. I don't know if this provided any more output. Am I doing the dump command incorrectly?

2024/03/07 16:44:42 DEBUG : rclone: Version "v1.65.2" starting with parameters ["rclone" "-vv" "sync" "/media/desiderata/00-notes/articles/_0-template.md" "proton:00-not
es/articles/" "--exclude" ".git/" "--no-update-modtime" "--protondrive-replace-existing-draft=true" "--retries=1" "--dump=headers,responses,bodies,requests,auth"]
2024/03/07 16:44:42 DEBUG : Creating backend with remote "/media/desiderata/00-notes/articles/_0-template.md"
2024/03/07 16:44:42 DEBUG : Using config file from "/home/dorian/.config/rclone/rclone.conf"
2024/03/07 16:44:42 DEBUG : fs cache: adding new entry for parent of "/media/desiderata/00-notes/articles/_0-template.md", "/media/desiderata/00-notes/articles"
2024/03/07 16:44:42 DEBUG : Creating backend with remote "proton:00-notes/articles/"
2024/03/07 16:44:42 DEBUG : proton: detected overridden config - adding "{kpshc}" suffix to name
2024/03/07 16:44:42 DEBUG : proton drive root link ID '00-notes/articles': Has cached credentials
2024/03/07 16:44:44 DEBUG : proton drive root link ID '00-notes/articles': Used cached credential to initialize the ProtonDrive API
2024/03/07 16:44:47 DEBUG : fs cache: renaming cache item "proton:00-notes/articles/" to be canonical "proton{kpshc}:00-notes/articles"
2024/03/07 16:44:49 DEBUG : _0-template.md: Sizes differ (src 1571 vs dst 1263)
2024/03/07 16:45:50 DEBUG : rclone: Version "v1.65.2" starting with parameters ["rclone" "-vv" "sync" "/media/desiderata/00-notes/articles/_0-template.md" "proton:00-notes/articles/" "--exclude" ".git/" "--no-update-modtime" "--protondrive-replace-existing-draft=true" "--retries=1" "--dump=headers,responses,bodies,requests,auth" "--log-file=/home/dorian/tmp.log"]
2024/03/07 16:45:50 DEBUG : Creating backend with remote "/media/desiderata/00-notes/articles/_0-template.md"
2024/03/07 16:45:50 DEBUG : Using config file from "/home/dorian/.config/rclone/rclone.conf"
2024/03/07 16:45:50 DEBUG : fs cache: adding new entry for parent of "/media/desiderata/00-notes/articles/_0-template.md", "/media/desiderata/00-notes/articles"
2024/03/07 16:45:50 DEBUG : Creating backend with remote "proton:00-notes/articles/"
2024/03/07 16:45:50 DEBUG : proton: detected overridden config - adding "{kpshc}" suffix to name
2024/03/07 16:45:50 DEBUG : proton drive root link ID '00-notes/articles': Has cached credentials
2024/03/07 16:45:53 DEBUG : proton drive root link ID '00-notes/articles': Used cached credential to initialize the ProtonDrive API
2024/03/07 16:45:55 DEBUG : fs cache: renaming cache item "proton:00-notes/articles/" to be canonical "proton{kpshc}:00-notes/articles"
2024/03/07 16:45:58 DEBUG : _0-template.md: Sizes differ (src 1571 vs dst 1263)
2024/03/07 16:45:58.609568 WARN RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422), Attempt 1
2024/03/07 16:45:58.609647 ERROR RESTY 422 POST https://mail.proton.me/api/drive/shares/bExaQg6jeqHTocoU_Xc8fzUNEQudc2rqB2KvZMxd_OQSAArwrVlQL5wpSH2_1N7cY__jdpNJ6NhhXtzSUbu-jw==/files: A file or folder with that name already exists (Code=2500, Status=422)
2024/03/07 16:46:01 ERROR : _0-template.md: Failed to copy: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id f4f017a3b717a430 with private key id 41b1dc84ac791301
2024/03/07 16:46:01 ERROR : Attempt 1/1 failed with 1 errors and: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id f4f017a3b717a430 with private key id 41b1dc84ac791301
2024/03/07 16:46:01 INFO  :
Transferred:              0 B / 0 B, -, 0 B/s, ETA -
Errors:                 1 (retrying may help)
Elapsed time:        10.9s

2024/03/07 16:46:01 DEBUG : 6 go routines active
2024/03/07 16:46:01 Failed to sync: gopenpgp: error in decrypting: openpgp: invalid argument: cannot decrypt encrypted session key for key id f4f017a3b717a430 with private key id 41b1dc84ac791301

Thank you for testing and reporting bugs... but please see my previous post...

Ah, I didn't realise that the author/maintainer had gone dark. Thanks for pointing this out. Well, I guess it gets most of my stuff up there so that's a plus.

I would contact Proton drive. At the end they make money (one would hope) with this cloud storage. They should maybe look at making life of 3rd party tools easier... You are their customer so you can have some voice.

Of course it is also possible that their business model is about charging money for as long as possible and keeping cost down by making sure that as little data is stored as possible. They would not be the first in such business:)

Ha! Let's hope they're not quite so capitalistic.

Hahaha. I would think opposite. If they were capitalistic they would make it easy to store data, set right price point and make fortune for service people love:)

It's top10 demand on their uservoice platform. You can vote here https://protonmail.uservoice.com/forums/932839-proton-drive/suggestions/43582125-proton-drive-api

Sure. But it means that people will start using it more heavily:) Funnily a lot of companies selling storage are not very keen of it:)

They prefer to sell something based on nice PR words (collaboration, security etc.) but do not want to deal with traffic.

This thread on Proton forum started 3 years ago... I would not hold my breath:)

I voted! Thanks.

We live in hope, don't we. In the meanwhile, the current setup by henrybear works for the most part. Small mercies.

So, I have a workaround that I'll explain shortly.

Firstly, I changed a couple of things:

1. the implementation of proton drive right now does not support updating modtimes. I already had in my command here --no-update-modtime but I have changed that to --checksum since this currently appears to imply no-update-modtime, while also checking based on size and checksum rather than just the size (which I think is what it does if you turn off updating modtimes). I don't know if it's important to my workaround, but I add it just in case.
2. I am doing --check-first so that the transfers don't interfere with the checking. I did this largely just to have all the transfer errors happen at the end of my logs rather than mixed in with everything else. Again, not sure if it's important.

The workaround:

I added --backup-dir. I wondered if moving the files serverside, rather than deleting them would address whatever this error is. It looks very much like it's working:

2024/04/15 19:12:57 INFO  : articles/emotion-and-the-mind.md: Moved (server-side)

...
2024/04/15 19:21:29 INFO  : articles/emotion-and-the-mind.md: Copied (new)

This was one of the repeatedly problematic files.

I have actually wanted to implement a versioned backup for a while, so this worked out well. But if I didn't want a versioned backup, I suppose I'd solve this by setting a backup-dir that I'd delete manually every now and then or something, or see if there was another way of automating the delete.

So there we go! That'll do me for this issue. I'll mark this as an answer so it gets pinned to the top, unless someone else provides a better solution.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.