docs: unmystify how crypt stores encryption password in config

Without explaining exactly how this is generated, it can be confusing and worrying to not know how the password that encrypts your data is stored. This also brings peace of mind to the user that even though the same password is obscured differently each time, all the data to get back to the original password remains. Explaining how it works is much better than the reader of the documentation having to trust a blackboxy/magical mechanism.
2024-11-07 09:04:52 +01:00 · 2020-03-25 22:53:59 +01:00 · 2020-03-25 22:53:59 +01:00 · 6765303de4
commit 6765303de4
parent 304ee97944
1 changed files with 9 additions and 4 deletions
--- a/docs/content/crypt.md
+++ b/docs/content/crypt.md
@ -101,10 +101,15 @@ y/e/d> y
 obscured so it isn't immediately obvious what it is.  It is in no way
 secure unless you use config file encryption.

-A long passphrase is recommended, or you can use a random one.  Note
-that if you reconfigure rclone with the same passwords/passphrases
-elsewhere it will be compatible - all the secrets used are derived
-from those two passwords/passphrases.
+A long passphrase is recommended, or you can use a random one.
+
+The obscured password is created by using AES-CTR with a static key, with
+the salt stored verbatim at the beginning of the obscured password. This
+static key is shared by between all versions of rclone.
+
+If you reconfigure rclone with the same passwords/passphrases
+elsewhere it will be compatible, but the obscured version will be different
+due to the different salt.

 Note that rclone does not encrypt