VFS encrypted cache


Version: 1.58.1, Ubuntu 22.04
Setup: gdrive --> crypt
Mode: mount
Params: --vfs-cache-mode full --vfs-read-chunk-size-limit 500M --max-read-ahead 128M --buffer-size 500M --vfs-read-ahead 3G --vfs-cache-max-size 300G --allow-other


I used to use the following setup gdrive --> cache --> crypt but decided to give vfs a try since cache is apparently being deprecated.

I noticed that the vfs cache stores the unencrypted data!
Is there any way to set it up so that the cached data are the encrypted files that are then unencrypted in the system's RAM?

The mount has the decrypted data as well so it’s already available on the system.

There is no option to encrypt the cache.

Can you elaborate?

VFS cache mode full is for a mount.

The data stored locally on the system would be the same true system the mount runs on so it’s already there.

Can I not just
rclone mount gdrive: ~/local_drive_a --vfs-cache-mode full
to then just
rclone mount crypt: ~/local_drive_b
with crypt pointing to ~/local_drive_a ?
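As an added example (not from the thread or from rclone's own code), the split layout proposed above written out as shell helpers, together with a check a defender can run to confirm that the VFS cache directory holds only ciphertext. The remote names, mount points, cache directory and the rclone.conf fragment are assumptions; the check assumes the crypt remote uses rclone's standard filename encryption (lowercase base32 names), which is the default.

```shell
#!/bin/sh
# Added example, not from the rclone forum thread or the rclone project.
# Assumed layout:
#   gdrive:  the cloud remote; only this mount gets a VFS cache, so the
#            cache on disk holds ciphertext only
#   crypt:   a crypt remote whose "remote" is the LOCAL mount of gdrive:
#
# Assumed rclone.conf fragment (passwords are placeholders, not real values):
#   [crypt]
#   type = crypt
#   remote = /home/user/local_drive_a
#   password = <obscured password>
#   password2 = <obscured salt>

# First mount: gdrive: with a full VFS cache in an explicit cache directory.
build_cache_mount_cmd() {
    remote="$1"; mountpoint="$2"; cache_dir="$3"
    printf 'rclone mount %s %s --vfs-cache-mode full --cache-dir %s --allow-other --daemon' \
        "$remote" "$mountpoint" "$cache_dir"
}

# Second mount: crypt: on top of the local mount, deliberately WITHOUT
# --vfs-cache-mode (default is off), so plaintext is only ever in RAM.
build_crypt_mount_cmd() {
    remote="$1"; mountpoint="$2"
    printf 'rclone mount %s %s --allow-other --daemon' "$remote" "$mountpoint"
}

# Check that every file under the cache's vfs/ tree has a name that looks
# crypt-obfuscated (standard name encryption yields only a-z and 2-7).
# Returns 0 if all names pass, 1 (and prints the offender) otherwise.
# With filename_encryption = off, names stay plaintext and this check does
# not apply; inspect file contents instead.
cache_holds_only_encrypted() {
    vfs_dir="$1"
    find "$vfs_dir" -type f | while read -r f; do
        name=$(basename "$f")
        case "$name" in
            *[!a-z2-7]*) echo "plaintext-looking name in cache: $f"; exit 1 ;;
        esac
    done
}

# Typical use (constructed paths):
#   $(build_cache_mount_cmd gdrive: "$HOME/local_drive_a" "$HOME/.cache/rclone")
#   $(build_crypt_mount_cmd crypt: "$HOME/local_drive_b")
#   cache_holds_only_encrypted "$HOME/.cache/rclone/vfs"
```

The second mount must not be given `--vfs-cache-mode full`, otherwise decrypted data lands on disk again under the crypt remote's cache path, which defeats the point of the split. The name check covers the `vfs/` subtree only; `vfsMeta/` holds per-file JSON metadata whose names are the (encrypted) object names plus `.json`.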

Can you? Yes, that does work.

What’s the issue though as a user can see the mount and that is decrypted.

Well, the issue would be that the normally unencrypted files stored in the cache are easily accessible to anyone with physical access to the hard drive.

The split setup, as proposed above, makes it so that only the encrypted files are stored in the cache. At least that's how I understand it works. Correct me if I am wrong.

That's true for every file stored on a physical disk. You'd use disk encryption for that use case imo.

It would work like that, albeit no idea how performance would be.

In general, there are other tools for physical security if the disk being stolen is the use case you are going for. If someone has physical access, you need to encrypt the rclone.conf as well as that's another entry point. Logical access on the box means anyone with that access can see the decrypted files on the mount as well.

Yes except disk encryption on a remote server is a pain to set up and outside of my area of expertise.

Aware of that, already done. Even wrote a script to set up the two mounts and input the provided (manual input) password.

Not as concerning.

Ty for the help.
