Encrypt of the configuration file not interactively

bbassotti · November 21, 2019, 8:26am

hello, is there any way to crypt the configuration file using rclone non-interactively?

thnx.

ncw · November 21, 2019, 10:31am

You mean via the API maybe?

I think we got half way through a pull request to to that via the api but haven't finished it yet.

It would probably make sense for this to be a stand alone rclone command too.

bbassotti · November 22, 2019, 7:16pm

ciao, yes rclone command like: rclone config encrypt --password-file xx or an env var like RCLONE_CONFIG_PASS or something else.

bb.

thestigma · November 22, 2019, 7:30pm

Yes, it should be possible to pass the password in via env variable.

I have not messed with this a lot myself yet, but let me call in @asdffdsa here and see if he can explain it to you as I know he uses this himself (as part of a more complex system that obscures it further, as he is very focused on data security). He has explained how in a couple of other posts so maybe he can just refer you to those or copypaste it for you.

asdffdsa · November 22, 2019, 7:44pm

hi @bbassotti,
i have several differents ways to pass the rclone config password to the rclone.exe
i am a windows user, not a linux user.
so if you are a windows user, can you explain what you are trying to do.
i will try to help

thestigma · November 22, 2019, 8:48pm

Even if the spesific implementation would be different, the general principle should work the same though right? Even if he is on Linux (I don't know) he would probably be able to learn a lot from a basic windows-based example.

asdffdsa · November 22, 2019, 8:56pm

well, it all depends on how paranoid you are.
level 1 paranoia. the least paranoid is to have a script file such as run_rclone.cmd

set RCLONE_CONFIG_PASS=password
rclone.exe sync source dest:

but then if your system is compromised, simply viewing run_rclone.cmd file will reveal the password.

thestigma · November 22, 2019, 9:02pm

I totally agree, but explain him the basics (which cover his question) before you go on to the full paranoia setup ok?

I guess you just did though...

asdffdsa · November 22, 2019, 9:07pm

here is a snippet from another post of mine,
paranioa level 10, i am scared to even share this...
if you played zork, if you were in the troll room, you would understand!

in this example, i use windows registry to pass the password.

for example, i use keepass to store passwords, each time i want to run keepass, i run this script, it will backup keepass and then start keepass for me.
same thing with firefox, i run this script, tell it to backup firefox and then start firefox for me.

it reads config info from an .ini file, there is a section for each backup job.
for example,

[keepass]
SourceDir=C:\data\u\keepass
DoVShadow=true
DoFastCopy=true
DoZip=true
DoRcloneSyncZip=true
DoRcloneCheckZip=true
DoRcloneSyncFiles=true
DoPostOp=true
UseArchiveDir=true
SendEmailLogs=true
NetUse=true
PostOpCmd=C:\data\rclone\scripts\rr\postop\start_keepass.cmd

in this example, i want to backup keepass and i can do that in many ways

enable VSS
use fastcopy to copy the local source files to my local backup server.
create a password protected zip file of the local sources file and copy that to my local backup server.
rclone sync that zip file to wasabi
rclone check that zip file on wasabi
rclone sync the source files to wasabi
rclone check the source files on wasabi
use --backup-dir for rclone commands
after the backup has finished, analyze the logs files for errors and then email the following logs to me. fastcopy log, 7zip log, rclone log, vss log.
Netuse - as a paranoid feature, the script creates an on-the-fly net use a: \backupserver\backupfolder to the backup server, files are copied to that a: drive.
and after the backup to the backup server net use a: /delete /y . in that way, if the source computer was infected with ransomware, it would not be to access the backup server.
another paranoid feature, the username and password for net use are encrypted and cannot be seen from task manager.
and you might think that you could modify the batch file that run rclone, to get the net use username and password, but this is not possible, yet another paranoid feature, as those batch files that run rclone, fastcopy, zip are encrypted.
i decrypt the .cmd batch file on-the-fly, copy that batch file to the temp folder, execute the decrypted batch file, then the decrypted batch file is zeroed out, and then delete the decrypted batch file. and the username and passwords are written to the registry, then the .cmd batch file reads the passwords from registry, zeros out the registry entries and executes the .cmd file, then deletes the .cmd file
as the last step, run the post-op command, which will launch keepass

bbassotti · November 22, 2019, 10:22pm

hello, sorry but maybe I was not clear: I would like to have the possibility to initialize the configuration of the initial encryption of the configuration, what is done using:

rclone config
Current remotes:
...
s) Set configuration password

thnx!

asdffdsa · November 22, 2019, 10:28pm

sorry, not understanding what you want?

you want to create a rclone config file with a password, but using a script?

thestigma · November 22, 2019, 10:31pm

Seems that way.
If so then sorry for misunderstanding. I am not aware of a way to do this currently. But it's not really something I've had a reason to investigate either.

What is the use-case, for the sake of my curiosity... Some kind of automated deployment script?

bbassotti · November 22, 2019, 10:33pm

not precisely: I invoke rclone from a process that set the environment variable which will then be used to initialize the file encryption.

bbassotti · November 22, 2019, 10:36pm

yes, I'm building an orchestrator that needs to be able to initialize rclone and configure it non-interactively.

asdffdsa · November 22, 2019, 11:23pm

ok, now i understand.
perhaps one sunny day, rclone will have an API for that.
until then, in just 4 lines of code, you can create an encrypted rclone.conf file

create the file rclone.ahk

winactivate, rcloneconfig
send s{enter}a{enter}%1%{enter}%1%{enter}q{enter}q{enter}

create and run the file runrclone.cmd

start "rcloneconfig" rclone.exe config edit
autohotkey.exe rclone.ahk password

you can download autohotkey from https://www.autohotkey.com/

thestigma · November 22, 2019, 11:51pm

Yea, sometimes simulating input can be a perfectly workable solution.
I personally prefer autoit myself, but autohotkey is also good.
You can do surprisingly much with those frameworks. I remember back in the day writing semi-automated bot that let me tripple-box (play 3 characters at the same time) in an old MMO

Making something that runs though rclone's installer is quite trivial using either.

asdffdsa · November 22, 2019, 11:59pm

yes, stimulating input can be fun and either choice works but

autoshit used to be open source.
autohotkey is the open source fork

thestigma · November 23, 2019, 12:04am

Oh, are they actually forked of eachother? Didn't know that.
I fully admit my preference is mostly just based on me having more experience with one over the other - and that I initially found autoit to have more easily accessible documentation and examples.

But let's not derail this before the thread is solved at least hehehe...

asdffdsa · November 23, 2019, 12:16am

yes ma, i will be a good boy

it would be nice for rclone to have a way to create an encrypted .conf

system · February 21, 2020, 12:16am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.