Skip to main content

Encrypted backup to the cloud with rclone

Choose a dirt cheap cloud storage. Setup encryption with rclone. Boom - you have got a fast and flexible file backup system with strong, open-source grade end-to-end encryption. You can start backing up your precious files: family photos, private videos, secret documents, anything. Dirt cheap, end-to-end encrypted.

1. Install rclone. Lookup at https://rclone.org/ how you can obtain and install rclone for your operating system. It should not be hard. It's simply one command-line utility.

2. Run rclone config and add a cloud storage remote. For example 'Google Cloud Storage'. Most of the options can be chosen by "default" unless you know what you want to change. One thing that can look confusing with GCS is what credentials it's gonna use and when to add them. No worries, at some point the config tool will open a web page that will setup a token at Google for you. Just follow the flow.

3. Setup a virtual remote for the encryption. This step is much shorter. But in order to set it up you are going to need the name of the underlying remote that you just created in the previous step and the path in that remote that this virtual remote should be hooked up to (see hint below). Run the rclone config again and this time choose the "crypt" remote. Follow the instructions. Do not forget the password, there's no "reset password" option when encryption is end-to-end.

That's it. Now this virtual remote, whatever name you gave it, is where you can sync or copy files to, as well as restore them from. Everything works transparently, all the secrets are stored in .config/rclone/rclone.conf and used behind the scene. So, again, do not forget your encryption password. Or better save it in a password manager just in case if you lose your current system and will have to setup all this over again. Keep the config file secret because it contains all the secrets.

Hint: In case of Google Cloud Storage when you setup its remote it will be setup for your account or whatever account you choose in the browser for authorization. Which means that when you access this remote with rclone the root is going to be the whole GCS where the top level objects will be the buckets. So it might make sense to choose at least one bucket where you want to store everything encrypted, and hookup your virtual 'crypt' remote to that bucket. E.g. my-gcs-remote:crypt-bucket, not just entire remote. In some cases maybe even a bucket and a folder inside that bucket: my-gcs-remote:backups-bucket/encrypted-vault/. Or something according to whatever your backup strategy is.

How do I use it? My most used command is rclone copy. It can copy local files/directories to a remote, skipping identical files. Or it can copy (restore) remote files to local. Check out https://rclone.org/commands/ for all commands.