Rclone 1.68 Released
Written by Dominik Pantůček on 2024-10-10
In a previous blog two months ago we showed ongoing progress on improving the protection of secret keys in the rclone configuration. On 8th September 2024 the new version 1.68 was released, which finally contains all the building blocks for implementing such protection in a very user-friendly manner. Let us see the important new features of this version.
Since this spring we have been working on an analysis of what is possible with the current configuration encryption format for protecting shared secret keys. Then in early summer a proof-of-concept was created and it turned out the concept is viable.
Credit should be given where credit is due: in August the maintainer of the rclone project, Nick Craig-Wood, worked hard and implemented all the needed changes with respect to the --password-command option and the related config and rc commands. Finally, at the beginning of September, all these features hit the new stable release of rclone.
The important parts of ChangeLog say:
- New commands
  - config encryption: set, remove and check to manage config file encryption (Nick Craig-Wood)
- New Features
  - config
    - Internal config re-organised to be more consistent and make it available from the rc (Nick Craig-Wood)
    - Use --password-command to set config file password if supplied (Nick Craig-Wood)
Some nitty-gritty details are omitted from the ChangeLog. Not only is --password-command now used both for decrypting and encrypting the configuration, but rclone can also signal to the command which type of invocation it is by providing the environment variable RCLONE_PASSWORD_CHANGE=1 if the command is being used for setting a new password.
Suppose we want to change the password using the Zenity dialog framework. A simple wrapper can be used:
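#!/bin/sh
# rclone sets RCLONE_PASSWORD_CHANGE=1 when it is asking for a new password
TITLE="Current password"
# Quote and default the variable so the test also works when it is unset
if [ "${RCLONE_PASSWORD_CHANGE:-0}" = "1" ] ; then
    TITLE="New password"
fi
# zenity prints the entered password on stdout, where rclone reads it
zenity --password --title "$TITLE"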
This script can be saved as zenity-password.sh, for example. Now changing the password on an rclone configuration is as simple as:
rclone --password-command "./zenity-password.sh" config encryption set
If there is a current password set, the script first asks the user for the current password and after unlocking the encrypted configuration the script asks for a new one to be used for re-encrypting it.
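An added example (not from the original post or the rclone project): a variant of the wrapper that asks for the new password twice when RCLONE_PASSWORD_CHANGE=1, so a typo in the dialog cannot re-encrypt the configuration with a password nobody knows. The function names ask and password_command and the --run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: password helper for rclone --password-command.
# ask() is the only UI-dependent part; it wraps zenity as in the post.
ask() {
    zenity --password --title "$1"
}

# Prints the password on stdout. When rclone sets RCLONE_PASSWORD_CHANGE=1
# the new password is requested twice and rejected if empty or mismatched.
password_command() {
    if [ "${RCLONE_PASSWORD_CHANGE:-0}" != "1" ]; then
        # Unlocking: a single prompt; its exit status becomes ours
        ask "Current password"
        return
    fi
    # A cancelled dialog makes ask fail, so abort without printing anything
    first=$(ask "New password") || return 1
    second=$(ask "Repeat new password") || return 1
    if [ -z "$first" ]; then
        echo "refusing to set an empty password" >&2
        return 1
    fi
    if [ "$first" != "$second" ]; then
        echo "new passwords do not match" >&2
        return 1
    fi
    printf '%s\n' "$first"
}

# Run only when called with --run (hypothetical argument), so the
# functions can also be sourced and exercised without a display.
if [ "${1:-}" = "--run" ]; then
    password_command
fi
```

Saved under a name of your choice, for instance rclone-password.sh, it would be passed to rclone as --password-command "./rclone-password.sh --run".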
Although it cannot be recommended, it is also possible to remove the configuration encryption programmatically:
rclone --password-command "./zenity-password.sh" config encryption remove
It is also possible to check whether the user knows the correct password by:
if rclone --password-command "./zenity-password.sh" config encryption check ; then
echo "Password OK"
else
echo "Incorrect password"
fi
All these changes allow for implementing all the designed shared secret key protections using the mechanisms outlined earlier.
All the recent changes will allow you to improve the confidentiality of your encrypted rclone configurations containing secret key material. See ya at LinuxDays during the talk (Czech) about these exciting new confidentiality-enhancing features of rclone!