diff --git a/fs/config/config.go b/fs/config/config.go
index 40b632d3a..90629d7bf 100644
--- a/fs/config/config.go
+++ b/fs/config/config.go
@@ -80,7 +80,7 @@ var (
 	// output of prompt for password
 	PasswordPromptOutput = os.Stderr
 
-	// Whether to set the environment variable `_RCLONE_CONFIG_KEY` to the configKey (base64 encoded) when
+	// Whether to set the environment variable `_RCLONE_CONFIG_KEY` to the obsecured configKey when
 	// it is calculated from the password. If `_RCLONE_CONFIG_KEY` is present, password prompt is skipped and `RCLONE_CONFIG_PASS` ignored.
 	// For security reasons, the `_RCLONE_CONFIG_KEY` is unset once the configKey is successfully loaded.
 	// This can be used to pass the configKey to a child process.
@@ -256,11 +256,12 @@ func loadConfigFile() (*goconfig.ConfigFile, error) {
 	var out []byte
 	for {
 		if envkey := os.Getenv("_RCLONE_CONFIG_KEY"); len(envkey) > 0 {
-			configKey, err = base64.StdEncoding.DecodeString(envkey)
+			configKeyStr, err := obscure.Reveal(envkey)
 			if err != nil {
 				log.Fatalf("unable to decode configKey from environment variable _RCLONE_CONFIG_KEY: %v", err)
 			}
 			fs.Debugf(nil, "decoded configKey from environment variable _RCLONE_CONFIG_KEY")
+			configKey = []byte(configKeyStr)
 			os.Unsetenv("_RCLONE_CONFIG_KEY")
 		} else {
 			if len(configKey) == 0 && envpw != "" {
@@ -379,7 +380,7 @@ func setConfigPassword(password string) error {
 	configKey = sha.Sum(nil)
 	if SaveKeyToEnv {
 		fs.Debugf(nil, "saving configKey to environment variable _RCLONE_CONFIG_KEY")
-		os.Setenv("_RCLONE_CONFIG_KEY", base64.StdEncoding.EncodeToString(configKey))
+		os.Setenv("_RCLONE_CONFIG_KEY", obscure.MustObscure(string(configKey)))
 	}
 	return nil
 }