Credential Hardening and Config Secrets
The best transfer command is still unsafe if secrets are handled poorly.
Hardening Checklist
- Restrict config permissions (`chmod 600`).
- Keep config outside user home for service jobs (`/etc/rclone/rclone.conf`).
- Avoid plaintext secrets in scripts and shell history.
- Rotate credentials and test refresh path.
File Permission Pattern
```bash
sudo install -d -m 700 /etc/rclone
sudo cp /root/.config/rclone/rclone.conf /etc/rclone/rclone.conf
sudo chmod 600 /etc/rclone/rclone.conf
```
Secret Management Options
| Option | Strength | Weakness |
|---|---|---|
| Encrypted config + strict file perms | Simple and local | Host compromise still risky |
| Environment variables | Good for CI | Can leak via process tooling |
| Secret manager injection | Strongest for scale | More setup complexity |
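A job wrapper that enforces the file-permission pattern and the checklist before any transfer runs, added here as an example rather than rclone's own tooling: it refuses to start unless the config is a 600 file with the expected owner, and passes the config path and any config password through the environment (rclone's `RCLONE_CONFIG` and `RCLONE_CONFIG_PASS` variables) instead of argv or an interactive prompt, so neither lands in shell history. The paths `/etc/rclone/config-pass` and the `root` owner are assumptions.

```shell
#!/bin/sh
# Added example, not part of the rclone project. Assumes a POSIX shell with
# ls/awk/cut available; the config-pass path and root ownership are assumptions.

CONFIG_PATH="${CONFIG_PATH:-/etc/rclone/rclone.conf}"

# check_config_perms FILE [OWNER]
# Returns 0 only if FILE is a regular file owned by OWNER (default: current
# user) with mode rw------- (600). Prints the reason to stderr on failure.
check_config_perms() {
    f="$1"
    want_owner="${2:-$(id -un)}"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # ls -ld is portable across GNU and BSD userland, unlike stat's format flags;
    # cut -c1-10 drops any trailing ACL/SELinux marker (+ or .) after the mode.
    line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$mode" in
        -rw-------) ;;
        *) echo "bad mode $mode on $f (want -rw-------)" >&2; return 1 ;;
    esac
    [ "$owner" = "$want_owner" ] || {
        echo "bad owner $owner on $f (want $want_owner)" >&2; return 1; }
    return 0
}

# run_job RCLONE_ARGS...
# Verifies the config before use, then hands rclone its config path and the
# encrypted-config password via the environment. Nothing secret is typed on the
# command line, so it never reaches shell history or a ps listing of argv.
run_job() {
    check_config_perms "$CONFIG_PATH" root || return 1
    RCLONE_CONFIG="$CONFIG_PATH"
    export RCLONE_CONFIG
    # Optional: password for an encrypted config, read from its own 600 file.
    if [ -r /etc/rclone/config-pass ]; then
        check_config_perms /etc/rclone/config-pass root || return 1
        RCLONE_CONFIG_PASS=$(cat /etc/rclone/config-pass)
        export RCLONE_CONFIG_PASS
    fi
    rclone "$@"
}
```

Call it as `run_job sync /srv/data remote:bucket` from the service job; a permission or ownership mismatch aborts before any credential is read.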
Mapping
Tip: Use dedicated credentials per environment (dev, staging, prod) to isolate incidents.
Common Pitfalls
| Pitfall | Risk | Mitigation |
|---|---|---|
| Shared admin credentials across jobs | Broad compromise impact | Per-job scoped credentials |
| Committing config to git | Secret leakage | Add explicit ignore policy |
| Manual edits under pressure | Broken config syntax | Keep versioned template + runbook |