Need help understanding security

I need help understanding how to set up an automated, secure rclone config. I’ve read Cron job when using Config file encryption, but I don’t understand how to implement rclone obscure and the RCLONE_CONFIG_PASS in a secure way.

My use case seems pretty typical in my mind. I’m running rclone from an automated script to access my Dropbox, and if my computer is stolen, I don’t want it to be accessible by someone else. My config file isn’t readable to other users, but my HDD is not encrypted, so someone could always just mount my drive to another computer and read my files.

If I password protect the config file, I need to store the password in RCLONE_CONFIG_PASS, but in order to do that, I need to put the password in a file like .bashrc, which someone could easily find. If I obscure the password then set RCLONE_CONFIG_PASS to that obscure password, it’s the same problem, the password looks more difficult, but it’s still just as readable to someone with access to my drive.

What am I missing? How do you automatically set RCLONE_CONFIG_PASS in a way that others can’t read?

1 Like

NTFS/Windows has per-file encryption. Most Linux distributions can have users’ homes encrypted.
Of course you need to have a good user password and think about other things (like you might have a backup program that backs up some of your files and stores them unencrypted, etc.). This is why it’s usually better to just have full disk encryption.

The proper way of doing this is to store the password in some agent, e.g. ssh-agent or gpg-agent, and retrieve it from there when necessary.

Your OS may have a keyring feature you can use too.

This means that you need to put the master password into the agent before your script will run. So if your computer is stolen the agent won’t be running on startup and the thief will not have access to your password.

So practically speaking you could encrypt the password with gpg then use gpg-agent to decrypt it for you.

@e12’s solution of an encrypted partition is a good one too.

1 Like
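The gpg-agent approach described in the post above, sketched as a cron wrapper. This is an added example, not code from the thread or from the rclone project. The path in `PASS_FILE` and the function names are hypothetical, and it assumes the config password was encrypted once to your own GPG key and that the key is only unlocked in the agent after you have typed its passphrase in a login session.

```shell
#!/bin/sh
# Added example: run rclone from cron with the config password held only
# in gpg-encrypted form on disk. All paths and names below are assumptions.

PASS_FILE="${PASS_FILE:-$HOME/.config/rclone/config-pass.gpg}"  # hypothetical path
GPG="${GPG:-gpg}"
RCLONE="${RCLONE:-rclone}"

# Decrypt the config password through gpg-agent without ever prompting.
# --pinentry-mode error makes gpg fail instead of asking for the key
# passphrase, which is what happens when the agent has nothing cached
# (for example after the machine was rebooted by someone else).
fetch_config_pass() {
    "$GPG" --quiet --batch --pinentry-mode error --decrypt "$PASS_FILE"
}

# Run rclone with RCLONE_CONFIG_PASS set only in that one child process,
# so the password never lands in .bashrc, a crontab line or a plain file.
run_rclone() {
    pass=$(fetch_config_pass) || {
        echo "key not unlocked in gpg-agent (or $PASS_FILE unreadable); skipping" >&2
        return 75   # EX_TEMPFAIL: try again once the key has been unlocked
    }
    if [ -z "$pass" ]; then
        echo "decrypted password is empty; refusing to run" >&2
        return 65   # EX_DATAERR
    fi
    RCLONE_CONFIG_PASS="$pass" "$RCLONE" "$@"
    status=$?
    unset pass
    return "$status"
}

# Called with arguments, the script forwards them to rclone,
# e.g. from a crontab entry: wrapper.sh sync /data dropbox:backup
if [ "$#" -gt 0 ]; then
    run_rclone "$@"
fi
```

After a reboot the wrapper exits with status 75 until the key has been unlocked once by hand, which is the trade-off the rest of the thread discusses.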

Thank you both, this clarifies my understanding.

It sounds like neither of these approaches of encryption could be used in a way that still allows the computer to auto run rclone on startup without user login. With gpg-agent, I would still need to manually provide a password at some point, correct?

Yes.

I think it is impossible to have both of these things at once:

  • something that starts up without user input of some kind
  • something that is completely secure