I am trying to use the password-command argument with a pass rclone/config (https://www.passwordstore.org) setup to use rclone in a script without having to enter my configuration password.
What have I done previously:
Installed pass using Homebrew on Mac M1
generated a gpg key (no expiration, password protected, ultimate trust)
pass init for the key
added rclone/config password
created a script rclone-pass.sh
content of the script
#!/bin/echo Source this file don't run it
export RCLONE_PASSWORD_COMMAND="pass rclone/config"
Did not make this executable.
In terminal tried pass rclone/config, entered password to unlock pass with result of pass showing the right rclone config password.
I am assuming I am doing something wrong in this setup, maybe the rclone-pass.sh. I am ok using scripts but for example do not fully understand #!bin/echo... and if .sh is the right extension here.
Run the command 'rclone version' and share the full output of the command.
YES
Which cloud storage system are you using? (eg Google Drive)
multiple: S3, Koofr
The command you were trying to run (eg rclone copy /tmp remote:tmp)
rclone ls koofr:/ -vv --password-command /Users/benjamin/rclone-pass.sh
The rclone config contents with secrets removed.
Config is working fine, all commands are working when I manually type in my password
Thank you for the quick reply. So at least my setup was not completely wrong, I guess.
I did that now. Was not sure about this due to the #!bin/echo....
Beginner mistake I guess but now I am getting
...
rclone ls koofr:/ -vv --password-command /Users/Antergosgeek/rclone-pass.sh
2023/01/14 09:12:07 DEBUG : rclone: Version "v1.61.1" starting with parameters ["rclone" "ls" "koofr:/" "-vv" "--password-command" "/Users/Antergosgeek/rclone-pass.sh"]
2023/01/14 09:12:07 DEBUG : Creating backend with remote "koofr:/"
2023/01/14 09:12:07 ERROR : Couldn't decrypt configuration, most likely wrong password.
2023/01/14 09:12:07 Failed to load config file "/Users/Antergosgeek/.config/rclone/rclone.conf": using --password-command derived password, unable to decrypt configuration
....
I checked the password, it is ok but it has special characters.
The other thing is when I issue
pass rclone/config
It asked for the password of the gpg key. So I unlocked it in the terminal and then once I do pass rclone/config again it gives the password but I am wondering if it asks for the password when it is called by the script.
Unrelated: How do I do a nice code block like you did in the forum?
Sorry, I thought you knew. It was in the original post
I wanted to get the command
rclone ls koofr:/ -vv --password-command /Users/Antergosgeek/rclone-pass.sh
working so that I can then later on use that command with "copy" or "sync" instead of "ls" in another script that I have yet to write for unattended backups with encrypted config so that I do not have to enter my configuration password but it gets passed to the command using the --password-command flag and retrieving the rclone configuration password from the passwordstore application.
Last edit:
Do you think not having a password on the gpg key (if that is possible) could solve this?
Or am I using this completely wrong?
What I am trying to do is what is outlined here under encrypted configuration.
But here you are storing the password in clear text in the script as "test!@#" aren't you?
I hope I understand that right.
What I am however trying to do is not store it in clear text but retrieve it from a password manager application called passwordstore (https://www.passwordstore.org) which is possible according to the rclone documentation. I set up passwordstore but I am failing to retrieve the password from it.
This is the section from the rclone documentation:
An alternate means of supplying the password is to provide a script which will retrieve the password and print on standard output. This script should have a fully specified path name and not rely on any environment variables. The script is supplied either via --password-command="..." command line argument or via the RCLONE_PASSWORD_COMMAND environment variable.
One useful example of this is using the passwordstore application to retrieve the password:
If the passwordstore password manager holds the password for the rclone configuration, using the script method means the password is primarily protected by the passwordstore system, and is never embedded in the clear in scripts, nor available for examination using the standard commands available. It is quite possible with long running rclone sessions for copies of passwords to be innocently captured in log files or terminal scroll buffers, etc. Using the script method of supplying the password enhances the security of the config password considerably.
I may be doing this completely wrong...
rclone by itself works, passwordstore (alias pass) works by itself, but not sure how to get rclone to retrieve the password from passwordstore. I thought I needed a script so I wrote the rclone-pass.sh but not sure of what needs to go in the script...
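Added example, not part of the original thread or of the rclone documentation: a file given to --password-command has to print the password on standard output, whereas a file starting with `#!/bin/echo Source this file don't run it` prints that echo text when executed, and rclone then uses the text as the password. The sketch below is a wrapper that prints the pass entry instead; the `/opt/homebrew/bin/pass` path and the `print_secret` helper name are assumptions, the entry name is the one from the thread.

```shell
#!/bin/sh
# Added example: wrapper for rclone's --password-command
# (save as rclone-pass.sh and make it executable for the owner only: chmod 700).
# rclone runs this file and reads the config password from its standard output.

# Assumption: Homebrew's default prefix on Apple Silicon; check with `command -v pass`.
PASS_BIN="/opt/homebrew/bin/pass"
# Entry name taken from the thread.
ENTRY="rclone/config"

# print_secret CMD [ARGS...]   (hypothetical helper name)
# Runs the retrieval command and prints only the first line of its output.
# Fails instead of handing rclone an empty password.
print_secret() {
    out=$("$@") || {
        echo "password command failed: $1" >&2
        return 1
    }
    # A pass entry may hold extra lines (URL, notes); the password is line 1.
    secret=$(printf '%s\n' "$out" | head -n 1)
    if [ -z "$secret" ]; then
        echo "password command returned nothing: $1" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# Do the lookup only when this file is executed under its own name, so the
# helper above can also be sourced and exercised with a stand-in command.
case "${0##*/}" in
    rclone-pass.sh) print_secret "$PASS_BIN" show "$ENTRY" ;;
esac
```

Call it with `--password-command /full/path/to/rclone-pass.sh`. In an unattended job the lookup only succeeds if gpg-agent can decrypt the entry without showing a passphrase prompt.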