How to safely use Rclone on a server?

I have a crypt remote on my personal GDrive that i use for private stuff. I also have a VPS that has a cron job that downloads some stuff for me every few hours if there is new stuff to download. I would like to upload them to my GDrive with Rclone automatically. If someone gains access to my server and checks the remote with rclone ls i don't want them to see my private stuff.

So, whats the best way to do this? Lets say my GDrive setup is this:

  • gdrive remote is in a rclone directory on GDrive
  • The crypt remote is at gdrive:/crypt

I have thought of 2 simple ways to accomplish this:

  1. Create a new crypt remote with a different password than the one with my private stuff at gdrive:/vps. But doesnt this make it possible to see my private encrypted stuff, altough still encrypted?
  2. Use a different client_id which makes it impossible to see stuff that was created using my private stuff client_id. Or have i misunderstood that completely?

Also, everytime changes are made to the config it needs to be reapproved via the browser right? For example if the scope was to be changed. I feel like i explained this very poorly so feel free to ask more about my setup.

EDIT: Change "mount" to "remote"

if you crypt the config file, then no one can run rclone ls without entering the password

How would this work with automated commands? Lets say every two hours the command rclone move . crypt: is run automatically without any input from me. It asks for the password but i can't type it in since im not manually running the command.

in the end, if you do not trust the server, there is no solution to securing rclone or any other app.

in the link i shared, it explains how to feed the password to rclone in scripts.

I dont care if someone sees the stuff ive put to GDrive from the server. I just dont want them to see the stuff ive put to GDrive from my own local machine. If i create a new remote with rclone config and set the scope as drive.file (Access to files created by rclone only) can they then see the stuff i've created from my own local machine or only by the rclone on the server? And if i put the root_folder_id to an empty directory, it should be fine? And if they were to make changes to the config i would need to approve it from my browser right?

i do not use gdrive.
tho running a few tests would should provide the answers.

might need to lock down the client_id in the gdrive admin console.
or use a service account file and lock that down.

i know with s3 backend, what you want can be done easily.

hey man, good questions -- this sounds like a case where re-configuring your remote to use the root_folder_id parameter would be useful. run through the config for Google Drive (or edit config for the existing remote) and then for the step that reads:

Option root_folder_id.
ID of the root folder.
Leave blank normally.
Fill in to access "Computers" folders (see docs), or for rclone to use
a non root folder as its starting point.
Enter a value. Press Enter to leave empty.

...we want to open a browser tab, go to whichever Drive folder the server is uploading data to, (e.g. My Drive/folder1). for your case let's say this server was always depositing things to folder1 and subdirectories of folder1.

next, with folder1 open in a browser, note the URL reads something like:

that last part, 1bBASFDff8284dFHFJASF, is what we want to enter for the root folder ID. walk through the rest of the config settings as you see fit and then that remote should only show you the contents of folder1 and nothing else from your My Drive with no ability to climb up. hope this helps!

This seems like the best and easiest solution. When going to rclone config and editing a remote and changing the root_folder_id it requires me to authorize via a browser. Thats great. There is no way to bypass the authorization right?

that's correct, when modifying a configuration for any existing remote or when creating a new remote, you'll need to re-authorize rclone from a web browser. after you accept the terms, it will let you know you're all set and you can return to the remaining config steps in your terminal or command prompt.

of course if you are worried about breaking your existing remote and want to make sure this solution works as you intend, then you can do a new remote and test it out then delete the other one (but be sure to update any crontabs, scripts, etc that call the old remote). up to you!

I'll give this a try, I think it'll work the way i want it to. I'll mark your earlier reply as the solution. Thanks!

awesome, probably the first rclone solution I've offered on this forum rather than at work :nerd_face: good luck and happy uploading!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.