Encrypting the configuration file non-interactively

hello, is there any way to encrypt the configuration file using rclone non-interactively?


You mean via the API maybe?

I think we got half way through a pull request to do that via the api but haven't finished it yet.

It would probably make sense for this to be a stand alone rclone command too.

ciao, yes rclone command like: rclone config encrypt --password-file xx or an env var like RCLONE_CONFIG_PASS or something else.


Yes, it should be possible to pass the password in via env variable.

I have not messed with this a lot myself yet, but let me call in @asdffdsa here and see if he can explain it to you as I know he uses this himself (as part of a more complex system that obscures it further, as he is very focused on data security). He has explained how in a couple of other posts so maybe he can just refer you to those or copypaste it for you.

hi @bbassotti,
i have several different ways to pass the rclone config password to the rclone.exe
i am a windows user, not a linux user.
so if you are a windows user, can you explain what you are trying to do.
i will try to help

Even if the specific implementation would be different, the general principle should work the same though, right? Even if he is on Linux (I don't know) he would probably be able to learn a lot from a basic windows-based example.

well, it all depends on how paranoid you are.
level 1 paranoia. the least paranoid is to have a script file such as run_rclone.cmd

rclone.exe sync source dest:

but then if your system is compromised, simply viewing run_rclone.cmd file will reveal the password.

I totally agree, but explain the basics to him (which cover his question) before you go on to the full paranoia setup ok? :smiley:

I guess you just did though...

here is a snippet from another post of mine,
paranoia level 10, i am scared to even share this...
if you played zork, if you were in the troll room, you would understand!

in this example, i use windows registry to pass the password.

for example, i use keepass to store passwords, each time i want to run keepass, i run this script, it will backup keepass and then start keepass for me.
same thing with firefox, i run this script, tell it to backup firefox and then start firefox for me.

it reads config info from an .ini file, there is a section for each backup job.
for example,


in this example, i want to backup keepass and i can do that in many ways

enable VSS
use fastcopy to copy the local source files to my local backup server.
create a password protected zip file of the local source files and copy that to my local backup server.
rclone sync that zip file to wasabi
rclone check that zip file on wasabi
rclone sync the source files to wasabi
rclone check the source files on wasabi
use --backup-dir for rclone commands
after the backup has finished, analyze the log files for errors and then email the following logs to me. fastcopy log, 7zip log, rclone log, vss log.
Netuse - as a paranoid feature, the script creates an on-the-fly net use a: \\backupserver\backupfolder to the backup server, files are copied to that a: drive.
and after the backup to the backup server net use a: /delete /y . in that way, if the source computer was infected with ransomware, it would not be able to access the backup server.
another paranoid feature, the username and password for net use are encrypted and cannot be seen from task manager.
and you might think that you could modify the batch file that run rclone, to get the net use username and password, but this is not possible, yet another paranoid feature, as those batch files that run rclone, fastcopy, zip are encrypted.
i decrypt the .cmd batch file on-the-fly, copy that batch file to the temp folder, execute the decrypted batch file, then the decrypted batch file is zeroed out, and then delete the decrypted batch file. and the username and passwords are written to the registry, then the .cmd batch file reads the passwords from registry, zeros out the registry entries and executes the .cmd file, then deletes the .cmd file
as the last step, run the post-op command, which will launch keepass

hello, sorry but maybe I was not clear: I would like to have the possibility to initialize the configuration of the initial encryption of the configuration, which is done using:

rclone config
Current remotes:
s) Set configuration password


sorry, not understanding what you want?

you want to create a rclone config file with a password, but using a script?

Seems that way.
If so then sorry for misunderstanding. I am not aware of a way to do this currently. But it's not really something I've had a reason to investigate either.

What is the use-case, for the sake of my curiosity... Some kind of automated deployment script?

not precisely: I invoke rclone from a process that sets the environment variable which will then be used to initialize the file encryption.

yes, I'm building an orchestrator that needs to be able to initialize rclone and configure it non-interactively.

ok, now i understand.
perhaps one sunny day, rclone will have an API for that.
until then, in just 4 lines of code, you can create an encrypted rclone.conf file

create the file rclone.ahk

winactivate, rcloneconfig
send s{enter}a{enter}%1%{enter}%1%{enter}q{enter}q{enter}

create and run the file runrclone.cmd

start "rcloneconfig" rclone.exe config edit
autohotkey.exe rclone.ahk password

you can download autohotkey from https://www.autohotkey.com/
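Simulated keystrokes return no result to the caller, so an orchestrator using the approach above can check afterwards that the config file really was encrypted. The following is an added example, not part of the original posts and not rclone's own code; it assumes the `RCLONE_ENCRYPT_V0:` header followed by a base64 payload (24-byte nonce plus authenticated ciphertext) that rclone writes for encrypted configs, and the function names and sample data are constructed for illustration.

```python
import base64
import binascii

# Assumed layout of an encrypted rclone.conf: comment lines, then this marker,
# then base64(nonce || secretbox ciphertext).
ENCRYPT_MARKER = "RCLONE_ENCRYPT_V0:"
NONCE_LEN = 24   # NaCl secretbox nonce
MAC_LEN = 16     # Poly1305 authenticator added by secretbox

# Constructed samples (not real credentials or real ciphertext).
PLAINTEXT_SAMPLE = "[wasabi]\ntype = s3\naccess_key_id = EXAMPLEKEY\n"
ENCRYPTED_SAMPLE = (
    "# Encrypted rclone configuration File\n\n" + ENCRYPT_MARKER + "\n"
    + base64.b64encode(bytes(NONCE_LEN + MAC_LEN + 32)).decode() + "\n"
)


def classify_rclone_config(text):
    """Return 'encrypted', 'plaintext', 'empty' or 'corrupt' for a config body."""
    lines = text.splitlines()
    for index, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank lines and comments may precede the marker
        if line == ENCRYPT_MARKER:
            payload = "".join(part.strip() for part in lines[index + 1:])
            try:
                box = base64.b64decode(payload, validate=True)
            except (binascii.Error, ValueError):
                return "corrupt"
            # A usable box holds at least the nonce and the authenticator.
            return "encrypted" if len(box) >= NONCE_LEN + MAC_LEN else "corrupt"
        if line.startswith("RCLONE_ENCRYPT_V"):
            return "corrupt"  # marker for a version this check does not know
        return "plaintext"  # first real line is an INI section or key
    return "empty"


def config_file_is_encrypted(path):
    """True only when the file at path carries a well-formed encrypted payload."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return classify_rclone_config(handle.read()) == "encrypted"
```

This only confirms the file's shape; it does not prove the payload decrypts with the intended password.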

Yea, sometimes simulating input can be a perfectly workable solution.
I personally prefer autoit myself, but autohotkey is also good.
You can do surprisingly much with those frameworks. I remember back in the day writing a semi-automated bot that let me triple-box (play 3 characters at the same time) in an old MMO :stuck_out_tongue:

Making something that runs through rclone's installer is quite trivial using either.

yes, stimulating input can be fun and either choice works but

autoshit used to be open source.
autohotkey is the open source fork

Oh, are they actually forked off each other? Didn't know that.
I fully admit my preference is mostly just based on me having more experience with one over the other - and that I initially found autoit to have more easily accessible documentation and examples.

But let's not derail this before the thread is solved at least hehehe...

yes ma, i will be a good boy

it would be nice for rclone to have a way to create an encrypted .conf