Default to secure credentials storage in "rclone config" etc #7314

Open
ringerc opened this issue Sep 17, 2023 · 3 comments

ringerc commented Sep 17, 2023

What problem are you trying to solve?

rclone config defaults to storing credentials that can be used to access cloud storage in cleartext (weakly obfuscated) in a config file on disk at a well-known path. This is a high risk for credential-scraper attacks.

E.g. if rclone config is used to set up a GDrive connection with OAuth token/secret, rclone will store these and the token acquired using them in ~/.config/rclone/rclone.conf.

It does not recommend the use of a --password-command or password-helper (like git uses), recommend encryption of the config file, etc. This is an insecure default behaviour; while the user's homedir is hopefully safe from attacks, credentials for remote access to other systems are high-value targets that should have extra protection to limit attackers' ability to springboard from a compromised machine to other targets.

How do you think rclone should be changed to solve that?

rclone config should display a prominent warning when an unencrypted configuration is used, recommend the "set configuration password" option be used, and direct the user to https://rclone.org/docs/#configuration-encryption for details.

IMO rclone should also print a short security warning to stderr at every invocation when using an unencrypted config, unless a flag/env-var is set to deliberately silence this.

Ideally rclone should natively support indirection of individual secrets and/or the rclone config file encryption secret into the operating system's secret store. Most OSes now provide a suitable secret store with SSO integration for user interactive login, timeouts and re-prompting, biometrics integration etc. OSX's Keychain and Linux (GNOME)'s libsecret are good examples. To keep OS dependencies down, this could be indirected via canned "password helper" commands, much as is done by git.

A discussion in #3386 points out that the rclone --password-command option exists, and could potentially be used to externalize secrets (or is it only for the config file encryption?), but this is difficult to find, and it's hard to figure out how to take an existing configuration with baked-in passwords and convert it for use this way. A post at https://forum.rclone.org/t/how-to-encrypt-a-configuration-file/11917 suggests I'm far from the only one to find this confusing.

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.
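
An added example (not from the issue or from rclone's own code) of the check behind the warning proposed above: it detects the `RCLONE_ENCRYPT_V0:` header of an encrypted config file and otherwise lists which remotes hold secret-bearing options. The function name `auditConfig`, the option-name list and the sample config are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Header line rclone writes at the top of an encrypted config file.
const encryptMarker = "RCLONE_ENCRYPT_V0:"
// Assumed, non-exhaustive set of option names that hold credentials.
var secretKeys = map[string]bool{"token": true, "client_secret": true,
	"pass": true, "password": true, "password2": true, "secret_access_key": true}

// auditConfig reports encryption status and, if unencrypted, which "remote.key" entries hold secrets (values are never returned).
func auditConfig(r io.Reader) (encrypted bool, exposed []string, err error) {
	sc := bufio.NewScanner(r)
	section, first := "", true
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank lines and comments may precede the marker
		}
		if first && line == encryptMarker {
			return true, nil, nil
		}
		first = false
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
			continue
		}
		if i := strings.Index(line, "="); i > 0 {
			key, val := strings.TrimSpace(line[:i]), strings.TrimSpace(line[i+1:])
			if val != "" && secretKeys[key] {
				exposed = append(exposed, section+"."+key)
			}
		}
	}
	return false, exposed, sc.Err()
}

// Constructed sample config; the values are placeholders, not real credentials.
const sample = "[gdrive]\ntype = drive\nclient_secret = EXAMPLE\ntoken = {\"access_token\":\"EXAMPLE\"}\n"

func main() {
	if enc, exposed, err := auditConfig(strings.NewReader(sample)); err == nil && !enc && len(exposed) > 0 {
		fmt.Printf("warning: unencrypted rclone config stores %v on disk\n", exposed)
	}
}
```
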
@Animosity022
Collaborator

Did you want to submit a PR to make some enhancements? I don't think changing it to default encrypted is viable as that's a major breaking change for folks.

@KDreynolds
Contributor

I can take a crack at something here.

KDreynolds pushed a commit to KDreynolds/rclone that referenced this issue Apr 22, 2024
@KDreynolds
Contributor

Added a basic warning message. LMK.
