Currently when user shares E2E encrypted files we're appending the master key to the end of the URL using https://s3.endpoint.com#masterKeyHere It's not giving access to other files, but it's not ideal for a user to reveal their master key. It's leaking some security context which in principle could be used as an additional info in a more targeted attacks. Instead we should generate specific share key applicable only to shared resources. Rclone discussion: https://github.com/rclone/rclone/issues/7192