Read Config password from macOS Keychain


Title is pretty descriptive of my needs. I'm looking to store the rclone config password in my macOS keychain and Gnome keyring.

I've seen some references to using the macOS security command - but how to have rclone reference it ???

There is also the --password-command flag, but this reads from a Space Separated List - wouldn't this need to be in clear text somewhere?


I guess it depends on what problem you are trying to solve.

On the mac, you can create and read back a password using something like:

textere@seraphim Downloads % security add-generic-password -a textere -s test -w testing
textere@seraphim Downloads % security find-generic-password -a textere -s test -w
textere@seraphim Downloads %

With some scripting, you can read that in and start up rclone with a password'ed config and yes, when you read it in, it would be clear text as it has to be entered.

There are some complex ways to obfuscate the password using numerous tools and I think @asdffdsa as the resident paranoid can chime in :slight_smile:

a simple problem with a complex answer.

here is what i do on windows, but you can generalize it for macos

i have a python script, 350 lines of code, named cloner, to handle all my backup needs, including rclone, fastcopy and 7zip.
that script has my own encryption / decryption algorithm, combination of rot and xor and some secret sauce.

i use that python script to encrypt the rclone password and store it in the windows registry, well hidden.

when cloner runs, it reads the crypted password, decrypts it and copies it to another location inside the windows registry.

given that python code is plain text, somebody could get my encryption algorithm, get the crypted password from the registry and then decrypt the password.
but i compile that code into a .exe and feed it to upx which compresses and scrambles the .exe

then cloner runs a .cmd batch file, which reads the password from registry and set the variable RCLONE_CONFIG_PASS, deletes the password from the registry and runs rclone.

i use cloner on a bunch of servers and desktops.

now you might say that somebody, on the personal computer, could modify that plain text batch file and thus obtain the rclone password.

but that batch script and all other scripts are themselves encrypted.

cloner, will on the fly, decrypt the batch file, copy it to a temp folder with random folder name and file name and execute that script, and then delete that script.

i use task scheduler to run cloner under a different username on a schedule.
that registry can only be accessed by that username.
the folder containing all the scripts can only be accessed by that username
the temp folder is also locked down to that username.

there is more to it but that is the gist of it.

Thanks for the replies.

I was hoping for something similar to how SSH can read keys stored in the Keychain.
My .ssh/config has this block:
Host *
UseKeychain yes
AddKeysToAgent yes


Is there a command line tool which can read a password from the keychain? If so then pass the command line to --password-command, eg --password-command "magic-macos-keyring-comand password-for-rclone -some-other-arg"


So I used @Animosity022 info on the security command and took your suggestion. I made a shell function that simply runs this:
rconf () {
  rclone config --password-command "security find-generic-password -a $USER -s rclone -w"
}
This works great for the single action of running the config... But how does one pass it to other rclone commands? I've tried passing it to my One drive command that is currently an alias, but that fails. Perhaps store it as an environment variable??
Thanks for all the learning!!!

You can add it to all commands which might be a bit boring.

You can also set an environment variable

export RCLONE_PASSWORD_COMMAND="security find-generic-password -a $USER -s rclone -w"

That should work :crossed_fingers:

It might be worth writing up this use of the security command in the --password-command docs do you think?

Sounds good, are you suggesting I write it up? If so, happy to help.

It would be great if you'd like to :slight_smile:

Notes on contributing docs here:

This is the file which needs editing:

Great, I'll try to get to it this weekend. Quick question: I set the environment variable in my .zshrc and it works great. How does rclone know to reference it? Is that variable one of its internal environment variables? According to the docs it calls a passwordstore? I'm guessing that it looks at that variable?


If you set the variable in your .zshrc then it will be visible to all your programs. Try typing env at a shell to see the environment variables.

Rclone accepts either the command line flag --command-line-flag or the environment variable RCLONE_COMMAND_LINE_FLAG - this is true for all flags so setting the environment variable is the same as supplying the flag.
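
The approach the thread arrives at, wrapped in a small shell helper that picks the keyring lookup per platform. This is an added example, not part of the original posts or of rclone's docs: the service name `rclone` and account `$USER` follow the thread, while the function names and the `secret-tool` branch for GNOME keyring are assumptions.

```shell
#!/bin/sh
# Added example: build the value for rclone's --password-command /
# RCLONE_PASSWORD_COMMAND from the OS keyring instead of a plaintext file.
#
# Storing the secret without putting it on a command line (assumed setup):
#   macOS: security add-generic-password -a "$USER" -s rclone -w   # trailing -w prompts
#   GNOME: secret-tool store --label=rclone service rclone account "$USER"

# Print the lookup command for a given `uname -s` value and account name.
rclone_password_command() {
    os=$1
    account=$2
    case $account in
        ''|*[!A-Za-z0-9._-]*)
            # The flag value is a space separated list, so refuse account
            # names that would change how the command line is split.
            echo "unsupported account name" >&2
            return 2 ;;
    esac
    case $os in
        Darwin)
            printf 'security find-generic-password -a %s -s rclone -w\n' "$account" ;;
        Linux)
            printf 'secret-tool lookup service rclone account %s\n' "$account" ;;
        *)
            echo "no keyring lookup known for $os" >&2
            return 1 ;;
    esac
}

# Export RCLONE_PASSWORD_COMMAND for this shell, but only when the lookup
# tool is actually installed, so rclone does not fail with a confusing error.
use_keyring_for_rclone() {
    cmd=$(rclone_password_command "$(uname -s)" "${USER:-$(id -un)}") || return
    tool=${cmd%% *}
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool not found on PATH" >&2
        return 3
    fi
    export RCLONE_PASSWORD_COMMAND="$cmd"
}
```

Source the file from `.zshrc` or `.bashrc` and call `use_keyring_for_rclone`; every later rclone command in that shell then reads the config password from the keyring.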
