Thank you for the tip!
I have successfully used the same PowerShell trick in other cases. Did not notice the new password command flag in latest rclone version, and your post made me realize I could utilize this for hazzle-free configuration encryption.
Your version probably works great, but hope you don't mind me sharing my variation. It is an all-in-one code block that checks if the password file exists, if it does not then prompts the user to enter the configuration password which is then stored encrypted in the file. Later it will just read and decrypt this file without user interaction. The code can be stored in a PowerShell script file and referred to like your example, but also it can be specified directly as command line argument to powershell.exe.
Base PowerShell code:
[Console]::OutputEncoding = [Text.Encoding]::UTF8
if (-not (Test-Path -LiteralPath 'C:\Path\To\Password.sec'))
{
Read-Host -Prompt 'Enter rclone configuration password' -AsSecureString | ConvertFrom-SecureString | Out-File -LiteralPath 'C:\Path\To\Password.sec' -NoNewline
}
New-Object -TypeName System.Net.NetworkCredential -ArgumentList '', (Get-Content -LiteralPath 'C:\Path\To\Password.sec' -Raw | ConvertTo-SecureString) | Select-Object -ExpandProperty Password
It can be condensed into a single-liner that can be supplied as command line argument to rclone, although not very convenient in every day use:
rclone lsd remote: --password-command "powershell -NoProfile -Command [Console]::OutputEncoding = [Text.Encoding]::UTF8; if (-not (Test-Path -LiteralPath 'C:\Path\To\Password.sec')) { Read-Host -Prompt 'Enter rclone configuration password' -AsSecureString | ConvertFrom-SecureString | Out-File -LiteralPath 'C:\Path\To\Password.sec' -NoNewline } New-Object -TypeName System.Net.NetworkCredential -ArgumentList '', (Get-Content -LiteralPath 'C:\Path\To\Password.sec' -Raw | ConvertTo-SecureString) | Select-Object -ExpandProperty Password"
More convenient is to store it in environment variable:
SET RCLONE_PASSWORD_COMMAND=powershell -NoProfile -Command [Console]::OutputEncoding = [Text.Encoding]::UTF8; if (-not (Test-Path -LiteralPath 'C:\Path\To\Password.sec')) { Read-Host -Prompt 'Enter rclone configuration password' -AsSecureString ^| ConvertFrom-SecureString ^| Out-File -LiteralPath 'C:\Path\To\Password.sec' -NoNewline } New-Object -TypeName System.Net.NetworkCredential -ArgumentList '', (Get-Content -LiteralPath 'C:\Path\To\Password.sec' -Raw ^| ConvertTo-SecureString) ^| Select-Object -ExpandProperty Password
Edit: Added setting of [Console]::OutputEncoding, like you did. It may be needed (only) if you have non-ascii characters in your password, because PowerShell by default writes to standard output using the legacy OEM code page for compatibility with the windows console, and rclone assumes the data is UTF-8 encoded when reading the command output.
Edit 2: I took the liberty to update the wiki page that was already created based on the original post.