Safe decryption of encrypted RClone config at unsafe site

Help and Support
1

I need to encrypt the config file, ship it to a site and use that encrypted config file there for file transfers so that no one knows what's inside the config. Plus, no one can retrieve the password to decrypt the config.

I have tried encrypting the file. But whenever I need to use it it requires password. Is there a way around this?

TIA

Version:

rclone v1.63.0
- os/version: Microsoft Windows 11 Home Single Language 22H2 (64 bit)
- os/kernel: 10.0.22621.1928 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.20.5
- go/linking: static
- go/tags: cmount

Using Google Drive

The command:

subprocess(['rclone', 'copy', 'tmp_remote:tmp_folder', 'C:\tmp\dir'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)

The rclone config contents with values removed.

[]
type = drive
client_id = 
client_secret = 
root_folder_id = 
token = {}
team_drive =
2

I do not think you can achieve what you want using rclone only. It is not possible to have secret (encrypted config file) and use it without not revealing keys to the secret at some stage (password).

3

Hi Hamza,

It is generally impossible to keep secrets 100% hidden in an untrusted environment. That is the reason that Microsoft, Apple, Google etc. spend a lot of effort on building a chain of trust starting from (trusted) hardware.

If you however trust the setup and administrators of the target Windows computer, and you are the only one with access to the account being used then you can be reasonable safe when using the approach in this wiki article:
https://github.com/rclone/rclone/wiki/Windows-Powershell-use-rclone-password-command-for-Config-file-password

You may also need the trick mentioned in this thread:
https://forum.rclone.org/t/the-configuration-password-cannot-be-read/34001

4

You can also do this other way around. Provide rclone config without any password but configure it to use storage where only required data is available e.g. on your server setup SFTP account with access to only specific directory.

5

welcome to the forum,

no matter what trick you choose, you are still stuck with plain text python + token based remote.
so the best you can do is add levels of obfuscation as mentioned above.

here are some additional things i do.

--- python:
turn python script into .exe and scramble that with upx. now a hacker has to figure out that:

  • the .exe was scrambled with upx and de-scramble that .exe is back to original .exe
  • the original .exe is compiled python script.
  • how to de-compile the original .exe back into python code.

--- config file:

  • avoid tokens, use a service file. then rclone never needs to update/edit/change the config file. this offers a lot more flexibility.
  • use a config file, but leave out information. without that info, rclone cannot work
    for example:
  • with S3 providers, use SSE-C encryption but do not put the key inside the config file.
    that way if someone get the config file, it is useless,
  • use 2FA/MFA to generate one-time on-the-fly temporary session token and feed that to rclone.
    option 3: what i do, not use a config file at all. create on-the-fly remotes.

--- storage provider:

  • use compliance to prevent overwrite of existing files.
  • use IAM/bucket polices to prevent deletion of files, downloading of existing files, force use of MFA temporary session tokens, lock rclone to a single directory.
  • if the site has a public static ip address, hardcode that into the policy. that way, if someone steals the config file, cannot use it on another machine.

if you decide to use a config file and need to feed password/tokens/secrets/stuff to rclone or any executable, can use environment variables, never pass anything on the command line.
something like this pseudo code. which also works with 7z, fastcopy, restic, net use, etc...

cmd=r'c:\data\rclone.exe lsd remote:'
env= {'RCLONE_CONFIG_PASS' : 'password'}
x=subprocess.run(cmd, cwd=r'c:\data\rclone', shell=True, capture_output=True, text=True, input=input, env=env)

also, can feed the password as input, tho i would not use this. but comes in handy with 7z.exe

cmd=r'c:\data\rclone.exe lsd remote:'
input= 'password'
x=subprocess.run(cmd, cwd=r'c:\data\rclone', shell=True, capture_output=True, text=True, input=input, env=env)

what i do, create a very simple client/server setup.
the client asks the server for a set of commands to run and data/config needed to run the commands.
then the client, in a dumb loop, runs the commands using that data/config.
combine that with one-time temporary 2FA/MFA session tokens and might have a reasonable solution.
in this way, no data is stored on the client including the config file.

6

Hi All!

Thanks everyone for the response. Each of them was really helpful.

What I opted for is to make a script that is not very obvious, like scrambling variables and stuff and using regex to unscramble them back. This script sets environment variable for the password for that shell and has subprocess that launches rclone with sys.argv[1:] so that I can call this script regularly including all my flags using another subprocess in my main script.

After that I converted that to binary. BOOM!!

(Well, I know that it might be possible to still reverse engineer it but still, it helps. Plus the drive is always additive so at least wont loose anything.)

Thanks again everyone.

7

Sorry to say, but this scrambling approach seems easy to circumvent without needing to reverse engineer anything.

Here is a way to do it with your skills: Create a small binary that writes the arguments and environments variables passed to the terminal (or a file). Replace the rclone binary with this evil binary and you have all the information sent from your scrambled script.

The sneakier approach is to replace the rclone binary with a slightly modified version of rclone which silently sends the information to an evil server.

8

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.