I want to encrypt my config. I am using passwordstore for various passwords.
I would like to be able to pass an option to rclone so that when it needs to decrypt the config, it would run the commands.
i.e.: --password-cmd="pass rclone/config"
This is similar to how borg backup allows me to store the password for a repo in passwordstore, which works quite nicely.
Here is what I do.
rclone can get its password from an environment variable: RCLONE_CONFIG_PASS=password
I script rclone using Python.
With Python, as with any programming language, I can pass that environment variable to a script that runs rclone.
In that way, the password is not visible in the script.
I do not wish to have the password in the environment. It then persists in the ENV for as long as rclone runs, which may be hours or days. A simple "ps -E" would then display it. I never wish to see/print/display/store-in-command-history/... the password. It is not known to me, and is only produced when needed.
This won't hide the password, since whatever environment variables are set for a process can always be seen at /proc/<PID>/environ as long as the process is running.
When set, use the standard output of the command (trailing newlines are stripped) to answer the passphrase question for encrypted repositories. It is used when a passphrase is needed to access an encrypted repo as well as when a new passphrase should be initially set when initializing an encrypted repo. Note that the command is executed without a shell. So variables, like $HOME will work, but ~ won’t. If BORG_PASSPHRASE is also set, it takes precedence. See also BORG_NEW_PASSPHRASE.
BORG_PASSPHRASE_FD
When set, specifies a file descriptor to read a passphrase from. Programs starting borg may choose to open an anonymous pipe and use it to pass a passphrase. This is safer than passing via BORG_PASSPHRASE, because on some systems (e.g. Linux) environment can be examined by other processes. If BORG_PASSPHRASE or BORG_PASSCOMMAND are also set, they take precedence.
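The anonymous-pipe hand-off described in the quoted borg documentation, as an added example that is not part of the thread and is not borg's or rclone's own code. It is POSIX-only; the password command and the child process are constructed stand-ins (assumptions) so it runs offline, and in real use they would be a command such as `pass rclone/config` and the borg command line.

```python
import os
import subprocess
import sys

ENV_VAR = "BORG_PASSPHRASE_FD"  # variable name taken from the borg docs quoted above

# Constructed stand-ins so the example runs offline (assumptions, not real tools):
# in real use these would be e.g. ["pass", "rclone/config"] and the borg command line.
CONSTRUCTED_PASS_CMD = [sys.executable, "-c", "print('constructed-secret')"]
STAND_IN_CHILD = [sys.executable, "-c", (
    "import os\n"
    f"fd = int(os.environ['{ENV_VAR}'])\n"
    "secret = open(fd, 'rb').read()\n"          # read until the parent closes the pipe
    "leaked = any(secret.decode() in v for v in os.environ.values())\n"
    "print(len(secret), leaked)\n"
)]


def run_with_passphrase_fd(child_cmd, pass_cmd):
    """Run child_cmd, passing pass_cmd's output through an anonymous pipe.

    Only the descriptor number goes into the child's environment; the secret
    itself never appears in argv or environ.
    """
    # No shell is involved; trailing newlines are stripped, as the quoted docs describe.
    secret = subprocess.run(pass_cmd, check=True,
                            stdout=subprocess.PIPE).stdout.rstrip(b"\r\n")
    read_fd, write_fd = os.pipe()
    try:
        env = dict(os.environ, **{ENV_VAR: str(read_fd)})
        child = subprocess.Popen(child_cmd, env=env, pass_fds=(read_fd,),
                                 stdout=subprocess.PIPE)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)       # the parent keeps only the write end
    try:
        os.write(write_fd, secret)
    finally:
        os.close(write_fd)      # EOF tells the child the passphrase is complete
    out, _ = child.communicate()
    return child.returncode, out


if __name__ == "__main__":
    print(run_with_passphrase_fd(STAND_IN_CHILD, CONSTRUCTED_PASS_CMD))
```

The stand-in child reports the length of what it read and whether that value appears anywhere in its own environment, which is what /proc/<PID>/environ would expose.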