Default to secure credentials storage in "rclone config" etc #7314
Did you want to submit a PR to make some enhancements? I don't think changing it to default encrypted is viable as that's a major breaking change for folks.

I can take a crack at something here.

Added a basic warning message. LMK.
What problem are you trying to solve?

`rclone config` defaults to storing credentials that can be used to access cloud storage in cleartext (weakly obfuscated) in a config file on disk at a well-known path. This is a high risk for credential-scraper attacks.

E.g. if `rclone config` is used to set up a GDrive connection with OAuth token/secret, `rclone` will store these and the token acquired using them in `~/.config/rclone/rclone.conf`.

It does not recommend the use of a `--password-command` or password-helper (like git uses), recommend encryption of the config file, etc. This is an insecure default behaviour; while the user's homedir is hopefully safe from attacks, credentials for remote access to other systems are high-value targets that should have extra protection to limit attackers' ability to springboard from a compromised machine to other targets.

How do you think rclone should be changed to solve that?

`rclone config` should at least display a prominent warning when an unencrypted configuration is used, recommend the "set configuration password" option be used, and direct the user to https://rclone.org/docs/#configuration-encryption for details.

IMO rclone should also print a short security warning to stderr at every invocation when using an unencrypted config, unless a flag/env-var is set to deliberately silence this.

Ideally `rclone` should natively support indirection of individual secrets and/or the rclone config file encryption secret into the operating system's secret store. Most OSes now provide a suitable secret store with SSO integration for user interactive login, timeouts and re-prompting, biometrics integration etc. OSX's Keychain and Linux (GNOME)'s `libsecret` are good examples. To keep OS dependencies down, this could be indirected via canned "password helper" commands, much as is done by git.

A discussion in #3386 points out that the `rclone --password-command` option exists, and could potentially be used to externalize secrets (or is it only for the config file encryption?), but this is difficult to find, and it's hard to figure out how to take an existing configuration with baked-in passwords and convert it for use this way. A post at https://forum.rclone.org/t/how-to-encrypt-a-configuration-file/11917 suggests I'm far from the only one to find this confusing.
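For administrators who want to find unencrypted configs today, the check the issue asks rclone to perform can be run externally. This is an added example, not rclone's code or part of the issue thread; the `SECRET_KEYS` list is a non-exhaustive heuristic and both sample configs are constructed.

```python
import configparser
import os
import stat

# Marker rclone writes at the start of the payload of an encrypted config file.
ENCRYPTED_MARKER = "RCLONE_ENCRYPT_V0:"
# Heuristic, non-exhaustive list of option names that usually hold secrets.
SECRET_KEYS = {"token", "client_secret", "pass", "password", "password2",
               "secret_access_key"}

def audit_config_text(text):
    """Return (encrypted, findings); findings are (remote, option) pairs."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        if stripped.startswith(ENCRYPTED_MARKER):
            return True, []
        break  # first meaningful line is not the marker: plaintext INI
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = [(remote, opt)
                for remote in parser.sections()
                for opt, value in parser.items(remote)
                if opt in SECRET_KEYS and value.strip()]
    return False, findings

def audit_config_file(path):
    """Audit a config file on disk, also flagging group/other permissions."""
    with open(path, encoding="utf-8") as fh:
        encrypted, findings = audit_config_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"encrypted": encrypted, "findings": findings,
            "loose_permissions": bool(mode & 0o077)}

# Constructed sample input; the values are placeholders, not real credentials.
SAMPLE_PLAINTEXT = """\
[gdrive]
type = drive
client_id = EXAMPLE_CLIENT_ID
client_secret = EXAMPLE_CLIENT_SECRET
token = {"access_token":"EXAMPLE","expiry":"2030-01-01T00:00:00Z"}

[local-archive]
type = alias
remote = /srv/archive
"""
SAMPLE_ENCRYPTED = "# Encrypted rclone configuration File\n\nRCLONE_ENCRYPT_V0:\nQ09OU1RSVUNURUQ=\n"
```

The function reports only remote and option names, never the values, so its output can be logged or attached to a ticket.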