Is it possible to add more documentation to the README about where the different encryptions are triggered in the code?

[u93]

I mean adding references to the code functions that provide the following encryptions referred in the text below:

The files and folders are encrypted using [Rclone Crypt](https://github.com/rclone/rclone), which is also open source and available for your own auditing. Under the hood are [different encryption methods](https://rclone.org/crypt/) for different parts of the encryption (e.g. filenames vs files themselves) which utilise among others NaCl SecretBox based on XSalsa20 cipher and Poly1305 for integrity. It's content is encrypted using a randomly generated 1024 bit password which is unique for each device, and stored inside a configuration file. That configuration file is then encrypted with NaCl SecretBox using your own provided key generated from Secure Store and served by Secure Store Server to all your devices.

As with any encryption solution, this is not bullet proof. This project has been developed as a proof of concept designed to significantly increase the level of security of content, but does not make any guarantees.

In case everything is done by RClone Crypt is it possible to point to the functions that call it and make some references to that?

We find the need for this for understanding better the encryption process before applying to devices in our fleet

Thanks in advance!

[maggie44]

Hmm, a good but complicated question. .

RClone is called to do the config encryption here:

secure-store/cmd/secure-store/mount/mount.go

Line 42 in 21c9ec2

err = config.SetConfigPassword(passwd)

RClone is called to create a mount folder here:

secure-store/cmd/secure-store/mount/mount.go

Line 114 in 21c9ec2

_, err = rclone.CreateRcloneMount(context.Background(), mountParams)

Once it creates a mount, anything put in to that folder is encrypted and then copied to another folder (the storage folder). When you run the docker command to encrypt your local content, it is basically just creating an RClone mount, copying your files from source/ in to the created mount, then taking the encrypted output and putting it in encrypted/.

I think it would be quite complex for most users to be reading about that sort of thing in the docs, I could end up opening up a whole can of worms trying to explain it all. I know that's not ideal.

[u93]

Can I assume that all the encryption is done by RClone and not by the Golang code? I ask because there is quite the number of files for encryption in the source code, but those could be for generating the mTLS keys, etc

[maggie44]

Three methods:

1. MTLS keys done by Secure Store code:

   secure-store/cmd/secure-store/mtls/mtls.go

   Line 14 in 3a51a23

   func GenerateMTLSKeys() (string, string) {

2. Files done by Rclone:

   secure-store/cmd/secure-store/mount/mount.go

   Line 27 in 3a51a23

   func CreateMount(passwd string) error {

3. String encryption used to encrypt environment variables, done by Secure Store code:

   secure-store/cmd/secure-store/encrypt/encrypt.go

   Line 13 in 3a51a23

   func EncryptString(key string, text string) string {

There are corresponding decrypt for some of those in the same places.

[u93]

Great thanks for the info, will deep dive into those!