
At-rest encryption for rclone config

Open x0b opened this issue 4 years ago • 4 comments

EDIT 2020-11-07: Add detailed description

As described in our security policy, RCX should be able to...

  • [ ] Encrypt the config file at rest (using rclone configuration encryption)
  • [ ] Allow users to set a custom password or pin that is entered on app startup

@x0b in #62:

When you set a password with rclone on your computer, rclone encrypts its configuration file. When you want to use this encrypted configuration file with rclone, you need to enter your password.

RCX is different. RCX can only use an unencrypted configuration file. However, it can import an encrypted configuration file, prompt for the password, immediately decrypt it and then store it unencrypted.

The issue I linked, #12, is a plan to remove that difference - if implemented, we would encrypt the configuration files of every RCX user, and optionally allow you to use your own password or pin on top.

Progress has been slow because:

  • rclone does not have a defined interface for configuration encryption
  • cryptography is hard to get right
  • the crypto parameters are only supported on Android Marshmallow (6.0 / API 23), and Lollipop (5.0 / 5.1) has not yet been dropped (but it soon will be, there are < 5 users).
  • and, of course, because RCX is notoriously understaffed - RCX is kept alive by me spending some of my free time on this, not because of an unknown army of volunteers.

Ref: https://github.com/kaczmarkiewiczp/rcloneExplorer/issues/182

x0b avatar Sep 24 '19 09:09 x0b

This should definitely be added. Don't need any glowies having easy access to encrypted files

fullmetal1 avatar Feb 01 '21 22:02 fullmetal1

If Rclone encryption is tedious to implement in android, maybe we could have an optional AES256 encryption using fingerprint or passcode. While this is a deviation from what Rclone does, it would be a better option till the rclone encryption is supported.

esrk avatar May 14 '21 09:05 esrk

While the focus over the last month has been on getting v1.12 out of the door, we have continued to work on this. To update a few points:

  • rclone does not have a defined interface for configuration encryption

This is pretty much solved with the InteractiveRunner framework.

  • cryptography is hard to get right

Also (mostly) a solved problem.

  • the crypto parameters are only supported on Android Marshmallow (6.0 / API 23), and Lollipop (5.0 / 5.1) has not yet been dropped (but it soon will be, there are < 5 users).

As of v1.12 those versions are now officially deprecated and will be removed when config encryption is ready.

The first 90% are actually done - we have a very alpha version running with encryption. Missing are lifecycle awareness, import/export features, VCP, Services (Upload/Download/etc.), atomic encryption/decryption and of course making sure that all of this works reliably. I'd really hate for someone to lose access to their crypt-ed files just because we corrupted their config file.

As of now, there will be two encryption modes: default and user. Default mode will use the system TEE (if available) to encrypt the rclone config. This works seamlessly and does not require manual configuration. User will work with a user-provided password that you'll need to enter to use RCX. There is no plan to support unencrypted configs, except maybe in debug mode.

x0b avatar May 14 '21 21:05 x0b
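The issue body contrasts rclone's password-encrypted config with RCX storing the imported config unencrypted, and the last comment sketches the intended fix: a default mode keyed from the hardware-backed keystore/TEE, a user mode keyed from a password, and atomic encryption so that a corrupted config can never lock someone out of their crypt-ed remotes. The following is an added example, not code from RCX or rclone, showing that design in Go using only the standard library. Everything in it is an assumption of the example: the on-disk layout and `magic` string (not rclone's encrypted-config format), the `sampleConfig` contents, the PBKDF2 iteration count, the `keystoreKey` parameter standing in for a key the Android Keystore would hold, and all function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"os"
	"path/filepath"
)

// Constructed layout for this example (not rclone's own encrypted format):
// magic || mode(1) || salt(16) || nonce(12) || AES-256-GCM ciphertext+tag; the header is GCM AAD.
const (
	magic                          = "# RCX example encrypted config v0\n"
	modeDefault, modeUser     byte = 0, 1 // keystore-held key vs. password-derived key
	saltLen, nonceLen, pbkdf2Iters = 16, 12, 200_000
	hdrLen                         = len(magic) + 1 + saltLen + nonceLen
)

var sampleConfig = []byte("[example]\ntype = sftp\nhost = example.invalid\npass = PLACEHOLDER\n") // constructed stand-in

// pbkdf2SHA256 derives one 32-byte block per RFC 8018, stdlib only (no x/crypto).
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// aeadFor builds the AES-256-GCM instance for a mode; keystoreKey stands in for an Android Keystore key.
func aeadFor(mode byte, salt, password, keystoreKey []byte) (cipher.AEAD, error) {
	key := keystoreKey // modeDefault: the key a hardware-backed keystore hands us
	if mode == modeUser && len(password) == 0 {
		return nil, errors.New("user mode needs a password")
	} else if mode == modeUser {
		key = pbkdf2SHA256(password, salt, pbkdf2Iters)
	}
	block, err := aes.NewCipher(key) // a missing or short keystore key fails here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealConfig encrypts a plaintext config with a fresh random salt and nonce.
func sealConfig(mode byte, plaintext, password, keystoreKey []byte) ([]byte, error) {
	rnd := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	header := append(append([]byte(magic), mode), rnd...)
	gcm, err := aeadFor(mode, rnd[:saltLen], password, keystoreKey)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), header...), rnd[saltLen:], plaintext, header), nil
}

// openConfig decrypts a sealed blob; a torn write, a bit flip or the wrong key fails closed.
func openConfig(blob, password, keystoreKey []byte) ([]byte, error) {
	if len(blob) < hdrLen || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not an encrypted config")
	}
	header, rnd := blob[:hdrLen], blob[len(magic)+1:hdrLen]
	gcm, err := aeadFor(header[len(magic)], rnd[:saltLen], password, keystoreKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rnd[saltLen:], blob[hdrLen:], header)
}

// writeAtomic stages the blob in a temp file beside the target, fsyncs, then renames it into place.
func writeAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".rclone.conf.*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}
```

The block has no main and is exercised with `go test`. Two properties matter for the "we corrupted their config file" worry: the header (including the mode byte) is authenticated as GCM associated data, so any damage or a wrong key yields an error rather than a half-decrypted config, and the rename-based write means a crash leaves either the old file or the new one. In the real app the default-mode key would be generated as a non-exportable key in the Android Keystore rather than passed in as a byte slice.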