Rclone inside a script : safely disable password prompts with no fail


I am trying to make a scheduled task script using rclone without password prompts and with no fail. I read the docs :




I disabled password prompts but I don't understand how to use all the other stuff about reading config password (meaning RCLONE_CONFIG_PASS , set-rclone-password file, source set-rclone-password, --password-command, RCLONE_PASSWORD_COMMAND, passwordstore ...)

Here is the script I wrote in DSM task scheduler (Synology NAS) under the "Run command / User-defined script" section (screenshot at the end is just for you to see how looks like the Synology task scheduler GUI , the shown script in the picture is not the one I am talking about) :

/path/./rclone --ask-password=false --config /path/.config/rclone/rclone.conf sync path remote:path

What do I have to add in this script and/or anywhere else for rclone to automaticly read config password ? I really don't understand the docs.

Where is the password stored?

If you just want to provide it on the command line then you can use --password-command "echo password" which isn't very secure or --password command cat /path/to/file/with/password

Ok, but I dont't want to store rclone config password in a file for security reasons (apart from rclone.conf file). I want to use one of the methods described in the docs, but I don't know which one is the most safe, and I don't really understand any of them.

I thought the following was the most secure, but I don't understand how to do:

An alternate means of supplying the password is to provide a script which will retrieve the password and print on standard output. This script should have a fully specified path name and not rely on any environment variables. The script is supplied either via --password-command="..." command line argument or via the RCLONE_PASSWORD_COMMAND environment variable.

One useful example of this is using the passwordstore application to retrieve the password:

export RCLONE_PASSWORD_COMMAND="pass rclone/config"

If the passwordstore password manager holds the password for the rclone configuration, using the script method means the password is primarily protected by the passwordstore system, and is never embedded in the clear in scripts, nor available for examination using the standard commands available. It is quite possible with long running rclone sessions for copies of passwords to be innocently captured in log files or terminal scroll buffers, etc. Using the script method of supplying the password enhances the security of the config password considerably.

If you are running rclone inside a script, unless you are using the --password-command method, you might want to disable password prompts. To do that, pass the parameter --ask-password=false to rclone. This will make rclone fail instead of asking for a password if RCLONE_CONFIG_PASS doesn’t contain a valid password, and --password-command has not been supplied.

1 Like

Here is more info about pass: https://www.passwordstore.org/

This uses gpg agent for authentication so you'd need to run that and make sure the password for pass didn't expire.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.