diff --git a/.config/rclone/rclone.conf b/.config/rclone/rclone.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ce52714c862e0e0d21f856b59b79dbdd5bfc2d34
--- /dev/null
+++ b/.config/rclone/rclone.conf
@@ -0,0 +1,5 @@
+[nextcloud]
+type = webdav
+url = https://nextcloud.shore.co.il/remote.php/webdav/
+vendor = nextcloud
+
diff --git a/Documents/bin/download-password-db b/Documents/bin/download-password-db
new file mode 100755
index 0000000000000000000000000000000000000000..e3fe6dc900ffa90e77ad21c66d413d6754ec367c
--- /dev/null
+++ b/Documents/bin/download-password-db
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+# pylint: disable=invalid-name
+
+"""Runs rclone securely to download the Keepass password database from
+Nextcloud."""
+
+import getpass
+import os
+import os.path
+import subprocess  # nosec
+
+
+DB_PATH = "Documents/Database.kdbx"
+DEST = os.path.expanduser(f"~/{ os.path.dirname(DB_PATH) }")
+SOURCE = f"nextcloud:{DB_PATH}"
+
+
+if __name__ == "__main__":
+    username = input(f"Enter username (defaults to {getpass.getuser()}): ")
+    if not username:
+        username = getpass.getuser()
+    password = getpass.getpass("Enter password (will not echo): ")
+    obscured_password = subprocess.run(  # nosec
+        ["rclone", "obscure", "-"],
+        input=password,
+        capture_output=True,
+        check=True,
+        text=True,
+    ).stdout.strip()
+    os.execvp(  # nosec
+        "rclone",
+        [
+            "copy",
+            "--webdav-pass",
+            obscured_password,
+            "--webdav-user",
+            username,
+            SOURCE,
+            DEST,
+        ],
+    )