Encrypted file sync with rclone

Posted on Jun 2, 2022

I do not use cloud services to store any personal data (unencrypted), but if you do have a service and want to backup anything personal, or otherwise sensitive data, encryption is a must. Normally I use syncthing for syncing between devices, but since I have a couple of cloud services “laying around”, might as well use them for something, such as a 3rd or 4th backup. :D Now, you can always encrypt the files before you sync, using something like gpg, but I find this method a bit cumbersome.

Personally I use rclone for this, which supports encryption. It works much like rsync, and has support for a lot of services (46 in my version). On Archlinux, it’s in the repos so it’s a quick install (pacman -S rclone). Here’s just quick intro to rclone, it’s pretty featured.

Depending on the service it’s likely you will have to get an access key or token from your service’s API. Rclone sometimes provides an URL (in the interactive configurator), else you need to go to the dev console, or such, and create one for rclone.

Once installed, it has an interactive configuration option.

$ rclone config

No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n
name> dropbox

<..long list of options>

Storage> 12
Option client_id.
OAuth Client Id.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_id>

..and so forth..

I won’t cover all the nitty gritty details here (as I’m lazy), or you can check more at the rclone site here.

Anyways, most likely you’ll end up with a config file, normally residing in in your home config folder:

$HOME/.config/rclone/rclone.conf

It may look something like this (depending on what you named the resources)


[dropbox]
type = dropbox
token = { <some json with token info...> }

[dbcrypt]
type = crypt
remote = dropbox:Secret
password = <somehash>

So, in the above example, to sync unencrypted, use the dropbox resource, dbcrypt for encrypted. To initiate a sync, you can do something like this:

$ rclone sync Documents dbcrypt:Documents

A note on sync (from rclone help)

Destination is updated to match source, including deleting files
if necessary (except duplicate objects, see below).                                                                                                                                                                                                     

**Important**: Since this can cause data loss, test first with the
`--dry-run` or the `--interactive`/`-i` flag. 

Iow, this is similar to rsync with the --delete option. If you’re doing this interactivily, you can add -P to see progress (or -n to do a dry run), again much like rsync.

If you want to check the size of your synced files:

$ rclone size dbcrypt:

Total objects: 2.028k (2028)
Total size: 1.806 GiB (1939314709 Byte)

There’s a bunch of options to rclone (which I won’t even begin to cover here), but rclone help is a good start. A good mention is to have clone obfuscate the file names, if listed unencrypted making it even less obvious, what’s on the drive.

 rclone lsd dropbox:Secret
          -1 2022-06-06 19:59:07        -1 7jmcfalru49p21rqfq14ea65hk
          -1 2022-06-06 19:59:07        -1 ejfodrh0isc80hr17cbpocecpg

So, not to forget backing up your files, setup a cron entry, such as:

@daily   rclone sync /data/sync/Documents/  dbcrypt:Documents/

A last note, make sure you keep that config safe, for obvious reasons.

Happy rcloning!

=Jinxd=