I'm in the process of writing some documentation on how to run Rclone as a Windows Service that automatically starts after login (including avoiding storing config passwords in plaintext). As part of this guide, I want to detail why I made certain design decisions, including which cloud service I used for storage. I remember when I made this decision I found some information online that detailed that one of four cloud providers had a feature that no others had, but this was a couple of months ago and I haven't been successful in finding the information again.
From what I remember, the feature was related to how changes to files are picked up, something similar to push notifications for file changes, but I could be wrong about that. Also, from memory I think that Rclone supported this feature with the following cloud storage services: Box, Google Drive, Nextcloud, OneDrive.
Does anyone know what I might be referring to? Perhaps I imagined it, but I don't think I did.
On my own computers and on my customers' computers, I regularly use the program NSSM to install rclone as a Windows service that launches when Windows boots, and it works splendidly.
If you try it be sure to select the tab to set the user ID it runs under to the user ID that you're logging in with and not the system login.
a very easy option is windows task scheduler, basically a GUI front end to windows service.
it is built-in to windows os.
triggers to run tasks include at boot, at login, at specific date/time, day of week, repeat task every x minutes, event log entries, workstation locked/unlocked and a lot more...
in the forum, multiple times, i have posted details including screenshots.
very easy to write a simple batch script.
on the source machine
I'm glad to hear that other people have found their own solutions, but I'll share my own guide anyway. I suspect the method of storing passwords will be of interest.
SecureString passwords aren't plaintext, but they also don't offer much in the way of security. If all someone needs to do to access the plaintext version of the password is to run something like this in PowerShell (taken from the guide you linked to), then it's not particularly secure.
If that "someone" is able to run such a command as your user on that same machine, then that's "all" it takes... But the string is encrypted. On Windows by the Data Protection API (DPAPI) system component, where the encryption key is tied to your user account. Should the encrypted string be leaked to other users, they will not be able to decrypt it.
"Don't use SecureString for new code. When porting code to .NET Core, consider that the contents of the array are not encrypted in memory.
The general approach of dealing with credentials is to avoid them and instead rely on other means to authenticate, such as certificates or Windows authentication."
The method I have working uses Windows authentication instead of using .NET secure strings. If you prefer to use secure strings, be my guest, but I will document my method anyway.
The article you refer to is about use of SecureString in a .NET application, and encrypting the data in the memory of that. With rclone, that would have to be something rclone does in its Go implementation. The wiki just uses the PSCredential, and via that also SecureString, as an easy method for encrypting the rclone config password at rest, persisted in a file on disk, and be able to use that (i.e. decrypt it) with rclone from interactive shell environments, scripts, scheduled tasks etc, without user interaction, without having to rely on credential manager, agent services etc. A simple method for anyone to achieve a (way) more secure alternative than having the plain text password in environment variable RCLONE_CONFIG_PASS. The SecureString representation is in fact only in the short-lived PowerShell process that rclone executes as part of its --password-command handling. On disk the password is encrypted regardless of SecureString, which is the main purpose.
The ConvertFrom-SecureString cmdlet converts a secure string (System.Security.SecureString) into an encrypted standard string (System.String).
...
If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.
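The at-rest approach discussed in the posts above, as an added example that is not taken from the thread or from the rclone wiki: the config password is encrypted with DPAPI via `ConvertFrom-SecureString` (no key) and handed to rclone through `--password-command`. The directory, file names and the `-File` invocation are assumptions made for illustration.

```powershell
# Constructed example. $dir and both file names are hypothetical; the path has
# no spaces so the command string given to rclone needs no extra quoting.
$dir      = 'C:\rclone-secrets'
$blobFile = Join-Path $dir 'config-pass.dpapi'
$reader   = Join-Path $dir 'Get-ConfigPass.ps1'

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Store the password. Read-Host -AsSecureString does not echo the input.
#    With no -Key/-SecureKey, ConvertFrom-SecureString uses DPAPI, so the
#    resulting text can only be decrypted by this user on this machine.
Read-Host -Prompt 'rclone config password' -AsSecureString |
    ConvertFrom-SecureString |
    Set-Content -Path $blobFile

# 2. Write the small reader script that rclone will launch. It decrypts the
#    blob and prints the plaintext on stdout for rclone to read.
#    Backticks keep $secure literal; $blobFile is expanded now.
@"
`$secure = Get-Content -Path '$blobFile' | ConvertTo-SecureString
[System.Net.NetworkCredential]::new('', `$secure).Password
"@ | Set-Content -Path $reader

# 3. Tell rclone how to obtain the password (same effect as --password-command).
#    Running a .ps1 with -File requires an execution policy that permits local
#    scripts for this user.
$env:RCLONE_PASSWORD_COMMAND = "powershell -NoProfile -NonInteractive -File $reader"

# 4. Check: rclone should open the encrypted config without prompting.
rclone listremotes

# Note: DPAPI protects the file from other accounts and from being copied to
# another machine. Any process already running as this user can still run
# the reader script and obtain the plaintext.
```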