Config password - mount without password or with different password from the config one?

What is the problem you are having with rclone?
Hi! I am a technical artist and I've been asked to deploy rClone to mount our GCS bucket. I've been messing around with the tool to figure out the nuts and bolts of it. I've been handed a client ID and Secret and have mounted the drive successfully but since I will have to deploy it around 50-60 times to other devices I figured I would just pack up the config with the software and plop it right to colleagues' computers and just generate a new token for them afterwards and create a task in Windows to execute a .cmd on login.
The issue is that the rclone config file stores the values in plain text. Okay - config password it is.
Except this will now require the password to mount the share. The problem is that it'd be stored as plain text in the batch file.

Here is the proper question then - is there an option to either set a different password for accessing the config and a different one for mounting? Have I missed something in the crypt documentation?

I guess my secondary idea would be to obfuscate the .cmd file with something like bat2exe or write a Python program and build it with pyinstaller?

I am sorry if I somehow missed an obvious answer here, I've been googling the topic for a FEW hours and further reading only stirs more confusion into me.

Full output of rclone version

rclone v1.62.2
- os/version: Microsoft Windows 10 Enterprise 22H2 (64 bit)
- os/kernel: 10.0.19045.3086 Build 19045.3086.3086 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.20.2
- go/linking: static
- go/tags: cmount

Which cloud storage system are you using?
That'd be GCS (Google cloud storage)

The rclone config contents with secrets removed.

[GCS]
type = google cloud storage
client_id = [REDACTED]
client_secret = [REDACTED]
project_number = [REDACTED]
object_acl = authenticatedRead
bucket_acl = authenticatedRead
location = eu
token = [REDACTED]

Assuming the GCS credentials are properly locked down, this won't give the user any more capabilities than using the mount will it?

If you want to store the password in an OS password safe (don't know if Windows has such a thing) then investigate the --password-command flag.

hello and welcome to the forum,

that is what i do, in addition, use upx to compress/scramble the .exe.
so the hacker would have to know upx was used, unpack the exe. and de-compile the .exe created by pyinstaller.
also, a cheap trick is to hide the password in a crypted state in the registry, not inside the .exe.

i do not use a rclone config file at all, the config is generated on the fly.
using a simple client/server model, whereby, the server creates, on the fly, a temporary session token that expires.
and that is what the client uses.

tho i use S3, the concept is the same, to lock down the bucket/folder with policies.

and write a script using rclone config create, to create a unique client_id per client machine.


I will have to look at automating rclone with Python, which could potentially save me tons of time per deployment AND help me make things server. Also cheers on the advice about UPX! This could be a game-changer for me!

Do you perhaps have an example of how to create a config file with Py?

i am not 100% sure about GCS credentials security when it comes to how it is set up and since I am not entirely confident I just want to be more safe than sorry

yeah, it works well but not without some controversy.
https://forum.rclone.org/t/rclone-1-5-6-windows-finds-trojan-win32-cryptinject-msr/26172/35
https://forum.rclone.org/t/rclone-exe-is-a-virus-workarounds/26223/1

  1. use rclone create - easy. but credentials are visible on the command line, not able to use environment variables.
  2. use connection strings, easy. but credentials are visible on the command line.
    tho able to use environment variables
  3. use environment variables

in my scripts, i use a 2+3.
convenience of connection strings, secrets using environment variables.

to convert this script

@set RCLONE_CONFIG_WASABI_TYPE=s3
@set RCLONE_CONFIG_WASABI_ACCESS_KEY_ID=xyzLSI7YXRMTYNN
@set RCLONE_CONFIG_WASABI_SECRET_ACCESS_KEY=xzmh7HOLraG0sBNWerCRB53CCvSd0zCJc4n
@set RCLONE_CONFIG_WASABI_ENDPOINT=s3.us-east-2.wasabisys.com

rclone lsd wasabi: 

into something like this, using pseudo code.

  1. create a dictionary with environment variables
  2. create the rclone command.
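  3. feed 1+2 to subprocess.run

import os, subprocess

# rclone reads remote settings from RCLONE_CONFIG_<REMOTE>_<KEY> variables
RcloneEnv = {"RCLONE_CONFIG_WASABI_TYPE": "s3",
             "RCLONE_CONFIG_WASABI_ACCESS_KEY_ID": "xyzLSI7YXRMTYNN",
             "RCLONE_CONFIG_WASABI_SECRET_ACCESS_KEY": "xyzCmh7HOLraG0sBNWerCRB53CCvSd0zCJc4n",
             "RCLONE_CONFIG_WASABI_ENDPOINT": "s3.us-east-2.wasabisys.com"}
CMD = ["rclone", "lsd", "wasabi:"]
# merge with os.environ so PATH and the rest of the environment are kept
x = subprocess.run(CMD, capture_output=True, text=True, env={**os.environ, **RcloneEnv})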

if you are already using gcs command line tool, there is --gcs-env-auth

if you are going to script rclone and create remotes on the fly.

  1. use service accounts
  2. you can use IAM user/bucket policies to lock down. for example, do end-users need to delete files?
    --- if not, remove that permission.
    --- run rclone mount with --read-only
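
The environment-variable approach from this thread, generalised into a small launcher helper (an added example, not code from any poster or from the rclone project): it maps backend options to RCLONE_CONFIG_<REMOTE>_<KEY> variables for the child process only, refuses to build a command line that contains a secret, and returns a redacted copy for logging. The function names, the SECRET_KEYS set, the remote-name restriction and the sample values are assumptions of this example.

```python
import os
import re

# Option names whose values must never reach argv or logs
# (taken from the GCS config shown in this thread).
SECRET_KEYS = {"client_secret", "token"}


def remote_env(remote, options):
    """Turn backend options into RCLONE_CONFIG_<REMOTE>_<KEY> variables."""
    # Assumption of this example: only simple remote names are accepted.
    if not re.fullmatch(r"[A-Za-z0-9_]+", remote):
        raise ValueError(f"unsupported remote name: {remote!r}")
    if "type" not in options:
        raise ValueError("a remote defined by environment needs a 'type'")
    prefix = f"RCLONE_CONFIG_{remote.upper()}_"
    return {prefix + key.upper(): str(value) for key, value in options.items()}


def build_mount(remote, bucket, mountpoint, options, read_only=True):
    """Return (argv, env) for a mount whose secrets live only in the child env."""
    argv = ["rclone", "mount", f"{remote}:{bucket}", mountpoint]
    if read_only:
        argv.append("--read-only")
    secrets = [str(options[k]) for k in SECRET_KEYS if options.get(k)]
    if any(s in arg for s in secrets for arg in argv):
        raise ValueError("secret value found on the command line")
    # Merge over the parent environment so PATH and the rest survive.
    return argv, {**os.environ, **remote_env(remote, options)}


def redacted(env, remote):
    """Copy of the remote's variables that is safe to write to a log."""
    prefix = f"RCLONE_CONFIG_{remote.upper()}_"
    hidden = {prefix + k.upper() for k in SECRET_KEYS}
    return {k: "***" if k in hidden else v
            for k, v in env.items() if k.startswith(prefix)}


if __name__ == "__main__":
    # Constructed sample values; real ones would come from a secret store.
    opts = {"type": "google cloud storage", "client_id": "example-id",
            "client_secret": "example-secret", "project_number": "000000"}
    argv, env = build_mount("GCS", "example-bucket", "X:", opts)
    print(argv, redacted(env, "GCS"))
    # Passing argv and env to subprocess.run(argv, env=env) starts the mount.
```
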
