S3Drive
Community / support / Rclone.conf security on Windows
Hello. I am using Windows 11 and downloaded the app through the Microsoft Store. When I start the application or switch accounts, the application creates an rclone.conf file in plain text in the ....AppData\Roaming\rclone folder. It is readable and gives access to your data. The file remains after the app is closed. I noticed that this also happens in one of the application's folders inside the AppData\Local folder, but after I deleted the application's folder tree it didn't happen again.
👍 1
Hi @Mich, thanks for your comment. I get your point, but this weakness is related to the Windows security model: despite AppData being application-specific data, it still allows other apps to potentially access the data of other apps if they run within the same user context. Yes, we could delete the rclone folder after the app quits, but that has a couple of caveats.

a) Such a delete wouldn't be guaranteed, as the app or your OS may crash before the delete / graceful quit happens. In that case, if we assume the data gets deleted but for some reason it wasn't, it's a fail from a security perspective, and perhaps it's better not to rely on it at all?

b) The location AppData\Roaming\rclone is the default location of https://rclone.org/ We can't really make a decision to delete it, as we don't know if it existed before and whether the user added their own configurations outside of S3Drive's scope. Deleting the Rclone file risks deleting user credentials from their machine.

Potential solution: We plan to implement Rclone encrypted config: https://s3drive.canny.io/feature-requests/p/rclone-encrypted-config In that case, the user will be able to set an encryption password so this file stays encrypted at rest. (edited)
Tom changed the channel name: Rclone.conf security on Windows 9/6/2025 8:03 AM
Hello and thank you for the reply. You can specify the path of the config file. The encrypted conf + secure and temporary storage of it is a must. Someone who needs local encryption means that security is important, beyond zero-knowledge cloud storage. On a shared computer or a computer on a network this issue is a big security hole. Also malware is another threat. Gaining access to the cloud storage: a. You may never know your data has been stolen. b. The attacker doesn't need your PC to be on anymore. (edited)
The encrypted conf + secure and temporary storage of it is a must.
Encrypted Rclone config support will be available in the future. A custom storage location is something we will also consider. Unfortunately, as it currently stands, Rclone doesn't support in-memory config: https://forum.rclone.org/t/store-config-in-memory/50130
On a shared computer or a computer
This is only my opinion, but expecting high security on a shared computer is a false premise, unless you're the only admin and there is proper OS-level isolation between users and their directories.
Also malware is another threat.
This is even worse. If malware is present on your machine, then it has partial/full access to your machine, including your Firefox cookie storage. Having said that, I agree that the issue is there, and somewhat agree with your points. We will certainly be working in these areas to improve overall security... and as always we're open to feedback, suggestions and criticism.
(edited)
A shared computer is just an example. It can be a network or a stolen laptop, among other cases. And yes, malware will always be able to do something worse, but let's just guard against our issue 😉 A password on rclone.conf is a very simple and quick fix until the update with the complete solution to that weakness. I'm glad you already know about this issue and I'll be happier to see it fixed. In my personal opinion this is a must for software with a paid option. Your software is too good to skip because of this issue. (edited)
👍 1
Exported 6 message(s)
Timezone: UTC+0