From 6765303de4c2da23be7d81adc86c15602118d7e6 Mon Sep 17 00:00:00 2001 From: Samantha McVey Date: Wed, 25 Mar 2020 22:53:59 +0100 Subject: [PATCH] docs: unmystify how crypt stores encryption password in config Without explaining exactly how this is generated, it can be confusing and worrying to not know how the password that encrypts your data is stored. This also brings peace of mind to the user that even though the same password is obscured differently each time, all the data to get back to the original password remains. Explaining how it works is much better than the reader of the documentation having to trust a blackboxy/magical mechanism. --- docs/content/crypt.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/content/crypt.md b/docs/content/crypt.md index d583abef2..41bec7ec7 100644 --- a/docs/content/crypt.md +++ b/docs/content/crypt.md @@ -101,10 +101,15 @@ y/e/d> y obscured so it isn't immediately obvious what it is. It is in no way secure unless you use config file encryption. -A long passphrase is recommended, or you can use a random one. Note -that if you reconfigure rclone with the same passwords/passphrases -elsewhere it will be compatible - all the secrets used are derived -from those two passwords/passphrases. +A long passphrase is recommended, or you can use a random one. + +The obscured password is created by using AES-CTR with a static key, with +the salt stored verbatim at the beginning of the obscured password. This +static key is shared by between all versions of rclone. + +If you reconfigure rclone with the same passwords/passphrases +elsewhere it will be compatible, but the obscured version will be different +due to the different salt. Note that rclone does not encrypt
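Review bot: The added sentence "This static key is shared by between all versions of rclone." has a doubled preposition; it should read "shared between all versions of rclone". In the same added paragraph, the value stored at the start of the obscured password is called a "salt", but AES-CTR takes an IV (nonce), so "random IV" would be the more accurate term, both there and in "due to the different salt". The hunk also drops the clause "all the secrets used are derived from those two passwords/passphrases", which was the reason the old text gave for a reconfigured remote being compatible. I would keep that clause in the new last paragraph next to the statement that the obscured version differs. Since the key is static and shared, it would help to state next to the AES-CTR sentence that anyone holding the config file can reverse the obscuring, which ties it back to the context line "It is in no way secure unless you use config file encryption."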