S3Drive
Community / support / Decrypt files on Android
Hi there, here is one use case and feel free to dismiss it if there's a better way. I have a bunch of files encrypted with a GPG key on Backblaze. I don't trust the service with my keys so I rolled my very easy script for that. These files are app backups, configuration, etc... Now, on PC it's very easy to have a synced folder and something that decrypts. On Android sometimes I need a backup file (for the email app, say). So I download it and decrypt it with OpenKeychain. This is a bit cumbersome and it would be awesome to have a better way 😃 Thanks for listening!
... so you would be interested in S3Drive supporting PGP encrypted files natively? I will add this to our feature requests, we will consider implementing it once there is enough interest. At the moment we deem Rclone's encryption to be sufficient for file security and privacy. In the near future we plan to further improve the cipher: https://github.com/rclone/rclone/issues/7192 and/or connect with the Cryptomator cipher: https://docs.s3drive.app/setup/cryptomator/
We're running S3Drive (GUI for S3 on desktop, mobile, web) and recently aligned with Rclone's encryption scheme for better interoperability and features like drive mount and Webdav that we ...
Zero Knowledge E2E encrypted storage compatible with any S3 provider
Yes well gpg via OpenKeychain, for instance, on Android would be awesome. Thanks for considering it!
6:21 PM
The thing is rclone can't be used on Android can it?
We've been integrated with Rclone crypt since release: [1.4.0] - 2023-07-21 (https://s3drive.app/changelog), it can be enabled in the Settings (it's called E2E on our end, but it's essentially 1:1 compatible). Most recent release: [1.7.0] - 2023-12-29 provides full integration with Rclone allowing you to use 70+ back-ends on top of S3 (more on that here: https://docs.s3drive.app/setup/import_rclone/). One of the back-ends is crypt (https://rclone.org/crypt/) which means you can use S3Drive to encrypt your data and store it on Dropbox or wherever you want. In the 1.7.1 release, which we will release in a few days, there will be an option to sync from the local file system as well as (on Android, iOS and macOS this option won't be initially available due to different permission systems, we'll need to provide a workaround) between different back-ends, so you can e.g. upload some files to Dropbox, some files to Google Cloud and then sync certain folders between them as you need.
Oh that's cool then - in terms of permissions, the pattern other apps follow is to let you specify a folder yourself, and to ask permission for accessing that only. I will try to post an example of that flow. I guess the next release will solve my problem then, I can use rclone on desktop and on Android. That's cool and will save me a lot of scripting 😄
6:03 PM
6:03 PM
this is from the Neo Store app
Actually 1.7.1 release is now a thing! We love the idea of permissions to only a specific folder, the challenge is that these operate on so-called Content URIs instead of the classic file system (you can notice on your video it starts with content://). That makes it incompatible with classic software, Rclone included. That's why our best solution so far is to aim for the MANAGE_EXTERNAL_STORAGE permission which fortunately and unfortunately gives access to the filesystem: https://developer.android.com/training/data-storage/manage-all-files#operations-allowed-manage-external-storage In the long run we could reimplement some syncing logic and make it compatible with these Content URIs... but since Rclone does a damn good job already we're not really keen to reinvent the wheel, add maintenance/risks and spend at least a couple of months initially just to get it right.
It makes a lot of sense yeah. I guess it is fine to allow access to everything as a temporary solution and then improve later. Many apps do that actually (but I always try to avoid giving that very broad permission if I can). Thanks for the thorough explanation!
So if I understand correctly I will be able to mount a bucket in Android and S3 will decrypt the contents of the files (and show me the file names?) transparently?
> Ari: So if I understand correctly I will be able to mount a bucket in Android and S3 will decrypt the contents of the files (and show me the file names?) transparently?
You will be able to access S3 and other endpoints (regardless if they use client-side encryption), using native file explorer on Android, but that's a different feature than the one mentioned above: https://s3drive.canny.io/feature-requests/p/android-mount-point We're also working on it and making good progress. If things go well, then by the end of this month it will be available as an MVP (no streaming initially, so big files will require lots of RAM)
Implement virtual file system on Android using Storage Access Framework / File provider which would allow users to list/open/save files directly from S3Drive,
5:23 PM
... but syncing is a different feature: https://s3drive.canny.io/feature-requests/p/add-syncbackup-for-folders-on-android which is almost there, except we need an approval from Google which we will hopefully get this month as well.
Currently S3Drive supports one-way media (photos&videos) backup to S3. We should add support for custom file type.
👍 1
Hey Tom, sorry to resurrect this but if I wanted to use S3Drive at rest encryption today - would you still suggest going the rclone route? I was looking around and found this other good idea around Cryptomator integration https://github.com/rclone/rclone/issues/7192
Current Rclone encryption is simple, robust and "safe enough", but has certain limitations as flagged in this issue. We've already submitted some improvements to the Rclone cipher, but we need to spend more work to integrate it nicely in the Rclone ecosystem. Once the new cipher is released users will have to re-encrypt their files in order to benefit from its properties. The new cipher will allow secure encrypted file sharing. Speaking of Cryptomator, haven't studied exactly its properties, but it's inherently more complex. In principle it's even more secure (since files are bound to the folder), but the disadvantage is that it requires a separate metadata file to store the encryption properties. In some cases, especially with S3 storage where there are no data consistency guarantees, this may get out of sync leading to data corruption. This wouldn't happen with Rclone, at the cost of not having the: 4. No path protection as flagged in the: https://github.com/rclone/rclone/issues/7192 With my current knowledge I think that the Rclone approach is better, since it's simpler (complexity is an enemy in the security field), robust and less prone to corruption/data loss.
👍 1
thank you this is good to know, I'll proceed with rclone then
1:17 PM
I might have asked this already but does the Web tool support encryption on a custom provider (in my case b2)?
Yes, web also does support Rclone encryption on any S3 back-end.
👍 1
Exported 18 message(s)
Timezone: UTC+0