I am using rclone on a seedbox for Plex gdrive. Configuration as follows: gdrive --> gcache --> gcrypt
I have no problem when mounting gcrypt without a config password, but when I add a password to the rclone config, the mount will crash after a few minutes or hours and Plex cannot read the mount drive because it's already empty, but the mount service is still running. I have to reboot the seedbox to mount it again. What is the correct setting for rclone with an encrypted config file? I don't want my seedbox provider to see the encryption key for my Google Drive.
What is your rclone version (output from rclone version)
rclone v1.49.1
os/arch: linux/amd64
go version: go1.12.9
Which OS you are using and how many bits (eg Windows 7, 64 bit)
Yes, I want to use an encrypted config. First, I mounted the gcrypt drive without a config password, then checked if it was successfully mounted (i.e. Plex was able to see and play the files). After that I added a config password, then checked again if the mount was still okay, and there was no problem at that point. But after a few minutes or hours, Plex can no longer see the files. I suspect that the timing of the mount crash is during Plex's regular scanning of new files.
rclone needs access to the config file though as it has to write key refreshes to the file so encrypting after it loads would effectively break the update process as it doesn't know the password.
It's the key refresh that causes it to stop so I believe you only have the options I listed above.
The problem is as Animosity says that the tokens in the config need to be updated from time to time, so that's what's causing the eventual malfunction. Anything you do to secure the config has to be readable and writable by rclone - which probably puts some significant limits on what you can really do in that regard.
I've had these sorts of use-cases discussed before with other users, and although this is a bit outside my usual wheelhouse I think we came upon the idea that it might be best to look into controlling rclone via the RC, because there does exist some syntax for defining in-line configurations of remotes. I have never used this myself as I have little need for it, but the docs seem to indicate that the functionality does exist to do this.
So that would in theory allow you to send the passwords and secrets only when needed for operations (ideally through an encrypted connection) and they are otherwise not stored on that server when not actively in use and should never hit the hard drive. That would make it pretty hard to snoop the info unless you were really dedicated to it and started dumping memory and stuff while you also happen to be using it. That seems to be pretty unlikely to happen unless someone is really out to get you specifically and has full access to the server. Presumably you want reasonable security and not FBI-proofing.
I think there exist ways to encrypt memory too if you went the whole nine yards, but that's probably not something you have the access to do unless you have full control over the server environment.