Using pass with encrypted config with passwordstore

What is the problem you are having with rclone?

I am trying to use the password-command argument with a pass rclone/config (https://www.passwordstore.org) setup to use rclone in a script without having to enter my configuration password.

What have I done previously:

  1. Installed pass using Homebrew on Mac M1
  2. generated a gpg key (no expiration, password protected, ultimate trust)
  3. pass init for the key
  4. added rclone/config password
  5. created a script rclone-pass.sh

content of the script

#!/bin/echo Source this file don't run it
export RCLONE_PASSWORD_COMMAND="pass rclone/config"

Did not make this executable.

  6. In terminal tried pass rclone/config, entered password to unlock pass with result of pass showing the right rclone config password.

I am assuming I am doing something wrong in this setup, maybe the rclone-pass.sh. I am ok using scripts but for example do not fully understand #!bin/echo... and if .sh is the right extension here.

Run the command 'rclone version' and share the full output of the command.

YES

Which cloud storage system are you using? (eg Google Drive)

multiple: S3, Koofr

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls koofr:/ -vv --password-command /Users/benjamin/rclone-pass.sh

The rclone config contents with secrets removed.

Config is working fine, all commands are working when I manually type in my password

A log from the command with the -vv flag

"rclone" "ls" "koofr:/" "-vv" "--password-command" "/Users/Antergosgeek/rclone-pass.sh"]
2023/01/14 08:49:37 DEBUG : Creating backend with remote "koofr:/"
2023/01/14 08:49:37 ERROR : Using --password-command returned: fork/exec /Users/benjamin/rclone-pass.sh: permission denied
2023/01/14 08:49:37 Failed to load config file "/Users/Antergosgeek/.config/rclone/rclone.conf": password command failed: fork/exec /Users/Antergosgeek/rclone-pass.sh: permission denied

You need to add execute +x to the shell script.

[felix@gemini ~]$ ./test
-bash: ./test: Permission denied
[felix@gemini ~]$ chmod u+x test
[felix@gemini ~]$ ./test
test

Thank you for the quick reply. So at least my setup was not completely wrong, I guess :slight_smile: .
I did that now. Was not sure about this due to the #!bin/echo....
Beginner mistake I guess but now I am getting

...
rclone ls koofr:/ -vv --password-command /Users/Antergosgeek/rclone-pass.sh

2023/01/14 09:12:07 DEBUG : rclone: Version "v1.61.1" starting with parameters ["rclone" "ls" "koofr:/" "-vv" "--password-command" "/Users/Antergosgeek/rclone-pass.sh"]

2023/01/14 09:12:07 DEBUG : Creating backend with remote "koofr:/"

2023/01/14 09:12:07 ERROR : Couldn't decrypt configuration, most likely wrong password.

2023/01/14 09:12:07 Failed to load config file "/Users/Antergosgeek/.config/rclone/rclone.conf": using --password-command derived password, unable to decrypt configuration
....

I checked the password, it is ok but it has special characters.
The other thing is when I issue

pass rclone/config

It asked for the password of the gpg key. So I unlocked it in the terminal and then once I do pass rclone/config again it gives the password but I am wondering if it asks for the password when it is called by the script.

Unrelated: How do I do a nice code block like you did in the forum?

The first line of a shell script is (I'm not making this up) called the shebang and the shell being used to run it:

In my case, it's the bash shell

[felix@gemini ~]$ cat test
#!/usr/bin/bash
echo test

For code blocks, you put three backticks `

before

after

a section and it'll be a code block as that's called markup language.

Thank you for the explanation.

In my case it is -zsh

I have run other bash scripts fine though for example to tar.gz files and encrypt those with gpg.

Those scripts start with the normal bash script line

#!/bin/bash

I can't see your script nor your output so saying x works but y doesn't without details does help me help you.

You'd have to include what you are doing and the output.

What exactly do you need me to do?

I did execute

chmod +x /Users/Antergosgeek/rclone-pass.sh

It returned a blank line as you would expect. In the newly posted Debug it now looks like

What can I do to help? What do you need me to post?

I really appreciate it!

I can't see what your script contains.

Sorry, I thought you knew. It was in the original post :slight_smile:

I wanted to get the command

rclone ls koofr:/ -vv --password-command /Users/Antergosgeek/rclone-pass.sh

working so that I can then later on use that command with "copy" or "sync" instead of "ls" in another script that I have yet to write for unattended backups with encrypted config so that I do not have to enter my configuration password but it gets passed to the command using the --password-command flag and retrieving the rclone configuration password from the passwordstore application.

Last edit:
Do you think not having a password on the gpg key (if that is possible) could solve this?

Or am I using this completely wrong?
What I am trying to do is what is outlined here under encrypted configuration.

Doesn't seem like you checked my link.

The first line of a shell script is expecting an interpreter and then the command you want to run.

For this, you'd want to echo the password back.

etexter@Earls-Mac-mini ~ % rclone config --password-command ./test
Current remotes:

Name                 Type
====                 ====
DBTEST               dropbox

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> 


etexter@Earls-Mac-mini ~ % cat test
#!/bin/bash
echo "test!@#"

I guess I just did not fully get it...

Sorry...

I am completely self-taught...not an expert.

So the script should contain the export then

echo "$RCLONE_PASSWORD_COMMAND"

So

#!/bin/echo Source this file don't run it
export RCLONE_PASSWORD_COMMAND="pass rclone/config"
echo "$RCLONE_PASSWORD_COMMAND"

Not sure if I got the " " quotes right...

Are you seeing my example?

The script should be:

and the command I ran was

But here you are storing the password in clear text in the script as "test!@#" aren't you?

I hope I understand that right.

What I am however trying to do is not store it in clear text but retrieve it from a password manager application called passwordstore (https://www.passwordstore.org) which is possible according to the rclone documentation. I set up passwordstore but I am failing to retrieve the password from it.

This is the section from the rclone documentation:

An alternate means of supplying the password is to provide a script which will retrieve the password and print on standard output. This script should have a fully specified path name and not rely on any environment variables. The script is supplied either via --password-command="..." command line argument or via the RCLONE_PASSWORD_COMMAND environment variable.
One useful example of this is using the passwordstore application to retrieve the password:

export RCLONE_PASSWORD_COMMAND="pass rclone/config"

If the passwordstore password manager holds the password for the rclone configuration, using the script method means the password is primarily protected by the passwordstore system, and is never embedded in the clear in scripts, nor available for examination using the standard commands available. It is quite possible with long running rclone sessions for copies of passwords to be innocently captured in log files or terminal scroll buffers, etc. Using the script method of supplying the password enhances the security of the config password considerably.

I may be doing this completely wrong...
rclone by itself works, passwordstore (alias pass) works by itself, but not sure how to get rclone to retrieve the password from passwordstore. I thought I needed a script so I wrote the rclone-pass.sh but not sure of what needs to go in the script...

Crawl/Walk/Run is a great process to take steps forward.

First, validate you get what you want to happen with clear text like I was sharing with the example.

Once you know the script works and the process works as your script before wasn't constructed properly, we can move on to the next phase.

The next step once you validate that would be adjusting the script to match your use case.

#!/bin/bash
/path/to/pass rclone/config

To find the location of the binary

which pass

and use the full path in the script.

etexter@Earls-Mac-mini ~ % which rclone
/usr/local/bin/rclone
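
Added example (not part of any post in this thread, and not rclone's own code): a preflight check for a `--password-command` helper that tells apart the two failures seen above, the missing execute bit ("permission denied") and the `#!/bin/echo` shebang (helper output is not the password, so decryption fails). The function names, return codes and the constructed sample helpers are assumptions made for this example.

```shell
#!/bin/bash
# Added example: preflight check for a --password-command helper script.
# Return codes are this example's own: 0 ok, 2 path not absolute, 3 missing,
# 4 not executable, 5 shebang runs echo, 6 helper failed or printed nothing.
check_password_command() {
    local helper shebang out
    helper=$1
    case $helper in
        /*) ;;
        *) echo "not a fully specified path: $helper" >&2; return 2 ;;
    esac
    [ -f "$helper" ] || { echo "no such file: $helper" >&2; return 3; }
    # rclone fork/execs the helper; without the x bit: "permission denied".
    [ -x "$helper" ] || { echo "fix with: chmod u+x $helper" >&2; return 4; }
    # "#!/bin/echo Source this file..." makes the kernel run echo, so the
    # "password" rclone receives is that sentence, and decryption fails.
    IFS= read -r shebang < "$helper" || true
    case $shebang in
        '#!'*/echo | '#!'*/echo' '*)
            echo "shebang runs echo, not a shell: $shebang" >&2; return 5 ;;
    esac
    # Run it as rclone would; the secret is captured, never printed or logged.
    out=$("$helper" 2>/dev/null) || { echo "helper exited non-zero" >&2; return 6; }
    [ -n "$out" ] || { echo "helper printed nothing on stdout" >&2; return 6; }
    return 0
}

# Constructed sample helpers (placeholder secret), one per failure mode seen
# in the thread; prints the three return codes on one line.
demo() {
    local dir rc_ok rc_noexec rc_echo
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' "echo 'constructed-secret'" > "$dir/good.sh"
    cp "$dir/good.sh" "$dir/noexec.sh"
    printf '%s\n' "#!/bin/echo Source this file don't run it" \
        'export RCLONE_PASSWORD_COMMAND="pass rclone/config"' > "$dir/sourced.sh"
    chmod u+x "$dir/good.sh" "$dir/sourced.sh"
    check_password_command "$dir/good.sh" 2>/dev/null && rc_ok=0 || rc_ok=$?
    check_password_command "$dir/noexec.sh" 2>/dev/null && rc_noexec=0 || rc_noexec=$?
    check_password_command "$dir/sourced.sh" 2>/dev/null && rc_echo=0 || rc_echo=$?
    rm -rf "$dir"
    echo "$rc_ok $rc_noexec $rc_echo"
}

# Optional: pass the helper's full path as the first argument to check it.
[ "$#" -eq 0 ] || check_password_command "$1"
```

Calling `demo` prints `0 4 5` for the working, non-executable and echo-shebang helpers respectively.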

Ok, now I get what you are doing. Will try and report back.

LOL :smiley:

seriously....

Which is exactly what I would have done if I had not read the Documentation and gotten confused with the

export RCLONE_PASSWORD_COMMAND="pass rclone/config"

line.

WORKS like a charm.

THANK YOU!

Just for my understanding what was this for then:

export RCLONE_PASSWORD_COMMAND="pass rclone/config"

After reading something else today, is it possible that I could have called my original

rclone-pass.sh

After renaming it to rclone-pass.env

In another script, with

source /path/to/rclone-pass.env

And afterwards using --password-command $RCLONE_PASSWORD_COMMAND

I have to try, that...

Seems to me also that --password-command="pass rclone/config" would have also done the trick without even creating the rclone-pass.sh script.

You mean exactly how it is documented? :wink:

Point taken, just missing a few important steps to be more newbie friendly :slight_smile: .

I guess it took working through it to understand it.

Thank you a lot for helping me along the way!

Any wording you'd suggest to change/rewrite to make more clear / helpful? That's pretty easy to update.

Not a problem at all!
