Rclone can access many storage backends and has powerful sync/delete commands. Harden credentials, remote-control interfaces, and command execution paths.
¶ 1) Protect rclone config and credentials
- Encrypt rclone.conf with a config password (rclone config password).
- Restrict file permissions for config and token caches.
- Use provider service accounts with least privilege.
- Rotate access tokens/keys on schedule.
¶ 2) Secure rclone rcd and API usage
- Do not expose rclone rcd publicly.
- If rcd is required, enable auth and TLS and bind to private interfaces.
- Restrict allowed remote commands through wrapper scripts.
- Log and audit remote-control requests.
- Use --dry-run for policy changes and new jobs.
- Require explicit include/exclude rules before delete operations.
- Prefer --backup-dir + versioning-capable backends.
- Apply immutable snapshots/object lock for critical datasets.
¶ Verification commands
rclone version
rclone config show 2>/dev/null | head
ls -l ~/.config/rclone/rclone.conf /etc/rclone/rclone.conf 2>/dev/null
ss -tulpn | grep -E ':5572|:443'
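
The config-file and rcd-listener checks from sections 1 and 2, scripted so each gives a pass/fail result rather than output to read by eye. This is an added example, not part of the original page or of rclone: the function names are hypothetical, the ss sample is constructed, and it assumes GNU stat and the RCLONE_ENCRYPT_V0: marker that rclone writes at the top of an encrypted config file.

```shell
#!/bin/sh
# Added example: audit checks for rclone config files and rcd listeners.
# Assumes GNU stat (Linux), like the ss command used on this page.

# 0 if the file has no group/other permission bits, 1 otherwise.
conf_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;   # e.g. 600, 400
        *)     return 1 ;;   # e.g. 644, 640
    esac
}

# 0 if the file carries the marker rclone writes into an encrypted config.
conf_is_encrypted() {
    grep -q '^RCLONE_ENCRYPT_V0:' "$1"
}

# Reads `ss -tln` / `ss -tulpn` output on stdin and prints every local
# address on the given port (default 5572) that is not loopback.
exposed_listeners() {
    awk -v port="${1:-5572}" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ (":" port "$")) {
                if ($i !~ /^(127\.|\[::1\]|\[::ffff:127\.)/) print $i
                break
            }
    }'
}

# Prints one finding per failed check; returns 1 if any check failed.
audit_conf() {
    rc=0
    conf_perms_ok "$1"     || { echo "WEAK-PERMS  $1"; rc=1; }
    conf_is_encrypted "$1" || { echo "PLAINTEXT   $1"; rc=1; }
    return $rc
}

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='tcp LISTEN 0 4096 127.0.0.1:5572 0.0.0.0:* users:(("rclone",pid=811,fd=7))
tcp LISTEN 0 4096 0.0.0.0:5572 0.0.0.0:* users:(("rclone",pid=902,fd=7))
tcp LISTEN 0 4096 [::1]:5572 [::]:* users:(("rclone",pid=811,fd=8))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=400,fd=6))'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners 5572   # prints 0.0.0.0:5572
for f in "$HOME/.config/rclone/rclone.conf" /etc/rclone/rclone.conf; do
    if [ -f "$f" ]; then audit_conf "$f" || true; fi
done
```

On a live host, feed it real data with ss -tln | exposed_listeners 5572; any address it prints is an rcd listener reachable beyond loopback and should be checked for auth and TLS.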
- Rclone docs: https://rclone.org/docs/
- Rclone security notes: https://rclone.org/commands/rclone_rcd/
- Rclone source/advisories: https://github.com/rclone/rclone/security