docs: unmystify how crypt stores encryption password in config

Without explaining exactly how this is generated, it can be confusing
and worrying to not know how the password that encrypts your data is
stored.

This also brings peace of mind to the user that even though
the same password is obscured differently each time, all the data to
get back to the original password remains. Explaining how it works
is much better than the reader of the documentation having to trust
a blackboxy/magical mechanism.
This commit is contained in:
Samantha McVey 2020-03-25 22:53:59 +01:00 committed by Nick Craig-Wood
parent 304ee97944
commit 6765303de4

View File

@ -101,10 +101,15 @@ y/e/d> y
obscured so it isn't immediately obvious what it is. It is in no way obscured so it isn't immediately obvious what it is. It is in no way
secure unless you use config file encryption. secure unless you use config file encryption.
A long passphrase is recommended, or you can use a random one. Note A long passphrase is recommended, or you can use a random one.
that if you reconfigure rclone with the same passwords/passphrases
elsewhere it will be compatible - all the secrets used are derived The obscured password is created by using AES-CTR with a static key, with
from those two passwords/passphrases. the salt stored verbatim at the beginning of the obscured password. This
static key is shared by between all versions of rclone.
If you reconfigure rclone with the same passwords/passphrases
elsewhere it will be compatible, but the obscured version will be different
due to the different salt.
Note that rclone does not encrypt Note that rclone does not encrypt