Is rclone a safety risk for my cloud storage account?

I'm considering running rclone on a web server to upload daily backups of some files to Google Drive. But I'm hesitant because of potential security risks, in case an attacker would gain access to the web server.

What exactly would the attacker be able to do? Looking in the rclone.conf file, I see "access_token" and "refresh_token". Could someone who gains access to the config file use that information to gain write access to my Google Drive account?

Is there any way to make things more secure?

I've tried searching, but the discussions I found were very technical and detailed. Explain like I'm your grandma please.

rclone v1.56.0

It's like losing your credit card: if an attacker gets your rclone.conf, they can access your stuff.

grandma, is that really you?

rclone can encrypt the config file rclone.conf.
https://rclone.org/docs/#configuration-encryption
take a read and let me know what is not clear?

and be safe, grandma, keep rclone up to date
rclone selfupdate

@asdffdsa

I notice that the documentation that you cited contains the following garbled line.

When executing a command line that you know are not actually using anything from such a configuration file [. . .]

☹️

and what is your concern?

@asdffdsa

I have no problem as such. Rather, I was pointing out that there is something incomprehensible - which, by dint of that, needs fixing - in the documentation to which you kindly pointed another user.

Thanks, your grandma here again.

Just wanted to let you know that I took your advice, encrypted the config file and replaced my automatic daily cron-job rclone script with one that must be manually invoked and the password manually supplied each time. Just have to remember to do it regularly...

I guess one could create a cron job on a different machine and invoke the script from there, supplying the password in the request? For example via a PHP script that can be invoked via a URL. Then at least the password and the config files reside on different machines, so a bit more tricky for the average casual hacker as they would need to gain access to both in order to view the contents of the config file.

have you read about https://rclone.org/docs/#password-command-spaceseplist
many forum posts about how to use that

Thanks, I didn't see that option before, it seems useful.

Right now I'm actually doing what I was thinking about before - running a cron job on a different server (server A), which calls a PHP script on the original server (server B), supplying the password. The PHP script runs a shell script which sets the RCLONE_CONFIG_PASS environment variable and runs the rclone commands.

The password is stored on server A, which means if a hacker gains access to that machine all they can do is run my backup script on server B. Or, if a hacker gains access to server B, they can't decrypt the config file because the password is only known to server A. The servers are located on different continents and managed by different hosting companies.

So in short, they would need access to both servers to get the password and decrypt the config file.
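An added example (not part of any post in this thread, and not rclone's own code): one way the shell script on server B could receive the password and hand it to rclone through RCLONE_CONFIG_PASS. The function names, exit codes and the `copy` arguments are assumptions; it assumes the caller pipes the password to the script on stdin.

```bash
#!/usr/bin/env bash
# Added example for "server B". The wrapper, its exit codes and the rclone
# arguments are assumptions; only RCLONE_CONFIG_PASS comes from the thread.
RCLONE_BIN="${RCLONE_BIN:-rclone}"

# True only if the file contains the marker line rclone writes into an
# encrypted config (a plaintext rclone.conf starts with [remote] sections).
config_is_encrypted() {
    grep -qx 'RCLONE_ENCRYPT_V0:' "$1" 2>/dev/null
}

# True only if group and others have no permission bits on the file.
config_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Usage: run_backup CONFIG SOURCE DEST   (password arrives on stdin)
run_backup() {
    local conf="$1" src="$2" dest="$3" pass=""
    config_is_encrypted "$conf" || { echo "refusing: $conf is not encrypted" >&2; return 3; }
    config_is_private "$conf" || { echo "refusing: $conf is readable by group/others" >&2; return 4; }
    # stdin keeps the password out of argv, shell history and web server
    # access logs, where a URL query string would end up.
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "refusing: no password on stdin" >&2; return 5; }
    # The variable is set for this one rclone process only and is never
    # exported into the calling shell.
    RCLONE_CONFIG_PASS="$pass" "$RCLONE_BIN" --config "$conf" copy "$src" "$dest"
}
```

While rclone is running, the variable is still readable by root and by the same user on server B, so this narrows the exposure window rather than removing it.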

i do something similar with a remote server.
tho in my case, do not use rclone config file, and so do not use RCLONE_CONFIG_PASS.

the server creates a set of commands for rclone, veeam, 7z, restic and fastcopy.
then client creates a vss snapshot, runs those apps using that snapshot as source.
and if somehow the hacker got all id/secrets/passwords etc., would not care, nothing the hacker can do with it.
