Rclone 1.68 Released

Written by Dominik Pantůček on 2024-10-10


In a previous blog post two months ago we showed the ongoing progress on improving the protection of secret keys in the rclone configuration. On 8th September 2024 the new version 1.68 was released, which finally contains all the building blocks for implementing such protection in a very user-friendly manner. Let us look at the important new features of this version.


Since this spring we have been analysing what is possible with the current configuration encryption format for protecting shared secret keys. In early summer a proof of concept was created, and it turned out that the concept is viable.

Credit should be given where credit is due: in August the maintainer of the rclone project, Nick Craig-Wood, worked hard and implemented all the needed changes with respect to the --password-command option and the related config and rc commands. Finally, at the beginning of September, all these features landed in the new stable release of rclone.

The important parts of ChangeLog say:

  • New commands
    • config encryption: set, remove and check to manage config file encryption (Nick Craig-Wood)
  • New Features
    • config
      • Internal config re-organised to be more consistent and make it available from the rc (Nick Craig-Wood)
      • Use --password-command to set config file password if supplied (Nick Craig-Wood)

Some nitty-gritty details are omitted from the ChangeLog. Not only is --password-command now used for both decrypting and encrypting the configuration, but rclone also tells the command which type of invocation it is by setting the environment variable RCLONE_PASSWORD_CHANGE=1 when the command is being used to set a new password.

Suppose we want to change the password using the Zenity dialog framework. A simple wrapper can be used:

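#!/bin/sh
# rclone sets RCLONE_PASSWORD_CHANGE=1 when it asks for a new password.
TITLE="Current password"
# Default to 0 and quote, so the test does not fail when the variable is unset.
if [ "${RCLONE_PASSWORD_CHANGE:-0}" = "1" ] ; then
  TITLE="New password"
fi
# zenity prints the entered password on stdout, where rclone reads it.
zenity --password --title "$TITLE"

This script can be saved as zenity-password.sh, for example. Now changing the password on an rclone configuration is as simple as: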

rclone --password-command "./zenity-password.sh" config encryption set

If there is a current password set, the script first asks the user for the current password and after unlocking the encrypted configuration the script asks for a new one to be used for re-encrypting it.

Although it cannot be recommended, it is also possible to remove the configuration encryption programmatically:

rclone --password-command "./zenity-password.sh" config encryption remove

It is also possible to check whether the user knows the correct password by:

if rclone --password-command "./zenity-password.sh" config encryption check ; then
  echo "Password OK"
else
  echo "Incorrect password"
fi
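
A stricter variant of the wrapper above, as an added example that is not part of the original post or of rclone: when RCLONE_PASSWORD_CHANGE=1 it asks for the new password twice and, on cancel, an empty entry or a mismatch, prints nothing on stdout and returns a non-zero status. The file name rclone-password.sh, the function names and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter password command.
# Assumed file name: rclone-password.sh (hypothetical).

# ask TITLE: show one password dialog and print the entry on stdout.
# Kept separate so another prompt tool can be swapped in.
ask() {
  zenity --password --title "$1"
}

# get_password: print the password rclone should use, or fail.
# Return codes (chosen for this example): 1 cancelled, 2 empty, 3 mismatch.
get_password() {
  if [ "${RCLONE_PASSWORD_CHANGE:-0}" = "1" ]; then
    # rclone is asking for the NEW password: ask twice and compare.
    new=$(ask "New password") || return 1
    again=$(ask "Repeat new password") || return 1
    if [ -z "$new" ]; then
      echo "Refusing empty password" >&2
      return 2
    fi
    if [ "$new" != "$again" ]; then
      echo "Passwords do not match" >&2
      return 3
    fi
    printf '%s\n' "$new"
  else
    # Normal unlock: a single prompt for the current password.
    cur=$(ask "Current password") || return 1
    printf '%s\n' "$cur"
  fi
}

# Prompt only when executed under the assumed file name, so the functions
# can also be sourced without opening a dialog.
case "${0##*/}" in
  rclone-password.sh) get_password ;;
esac
```

Error messages go to stderr, so only the password itself ever reaches stdout.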

All these changes allow implementing all the designed shared secret key protections using the mechanisms outlined earlier.

All the recent changes will allow you to improve the confidentiality of your encrypted rclone configurations containing secret key material. See ya at LinuxDays during the talk (Czech) about these exciting new confidentiality-enhancing features of rclone!