Rclone is a wonderful tool. It is a simple script that allows you to manage your files over a number of cloud storage providers seamlessly. It has an intuitive command line interface and a powerful set of features that, among other things, allow you to migrate data from one cloud remote to the other, combine multiple cloud remotes with one another and transparently encrypt and decrypt data. This article focuses on the last point.
Crypt is a function of rclone that encrypts your files while they’re being uploaded and also decrypts them when being downloaded. This means the actual files that are stored in the cloud are encrypted and scrambled. It allows you to utilize your cloud provider as a storage service without the need to trust that they are not looking at what you’re uploading.
Crypt is also simple and transparent to set up, therefore making it easily doable for someone without any technical expertise in cryptography to create their own encrypted remote.
How Does It Work?
A crypt remote works by using a different remote and wrapping itself over it. Crypt, therefore, behaves like a layer that filters and modifies the data that passes through it. Before any data reaches the cloud remote, it was already filtered and encrypted by the crypt function.
This layered approach also provides the most amount of flexibility when dealing with multiple remotes.
We can, for example, combine multiple remotes into one using rclone’s
union function, then add it to a crypt remote. Any data that is uploaded through the remote is then encrypted and distributed through the various cloud remotes you have.
Setting Up Rclone Crypt
If you find those features appealing, setting up a crypt remote is relatively straightforward. However, this guide assumes that you have already made your own unencrypted rclone remote. You can read our introductory guide to it here.
Once you have your own rclone remote, start by typing:
This will bring us to rclone’s configuration menu. We will create a new remote by pressing N.
Rclone will ask us for the name of the remote that we want to set up. For this exercise, I am going to name the remote “crypt.”
The next option will ask for the type of remote we want to set up. Type “crypt” to create the remote as a crypt.
After that, rclone will ask for the location of the remote you want crypt to wrap onto. Make sure that the path points to a particular directory in the remote rather than the whole remote itself.
In my case, I have already made a folder called “maketecheasier” in my gdrive remote. To use it, I wrote
gdrive:/maketecheasier in the configuration.
While it is possible to set the whole remote as a crypt, doing so might create some issues with the encryption and decryption process.
Cloud storage providers might not be able to handle having an encrypted root folder. Furthermore, anything uploaded outside rclone crypt will be unencrypted and might present some issues with how the crypt function deals with files.
The next step will ask for the type of filename encryption that we want for our remote.
- Standard allows for full filename encryption, which will hide the file type of the files that we have uploaded.
- Obfuscate simply “rotates” the file names. It is a simple but weak kind of encryption.
- Off will not obfuscate any file name.
From there, rclone will ask whether we want to encrypt the directory names. Choosing 1 will encrypt all the folder names in the remote. Choosing 2 will not.
For the following steps, rclone will ask whether we want to create our own password or let rclone generate it for us.
In my case, I will type my own password.
After that, rclone will ask us whether we want to add a second password to further randomize our encryption key.
In my case, I added a second password.
Keep in mind that these are our keys to our data. You should have a copy of these two passwords somewhere safe. Anyone who has a copy of these two passwords would be able to recreate your rclone configuration and decrypt the data from your crypt remote.
For the next step, rclone will ask if we want to enter the advanced configuration menu. For the most part, we do not need to change any of those settings.
However, if you are setting up different crypt remotes to interact with each other or if, for some reason, you do not want to encrypt the data itself, you can change those settings here.
Lastly, rclone will ask us to confirm our settings for the crypt remote. Press Y and Enter if you are satisfied with the current settings.
After that, rclone will now show your crypt remote. In my case, it is named crypt with the type Crypt.
Testing Your New Crypt Remote
Once done, you can use your new crypt remote to transfer files. Do this by typing this command:
In my case, I copied a small file from my machine to my crypt remote. I checked whether the file was copied properly by listing the remote’s contents:
If you looked at the remote anywhere other than rclone, the file will show up with a garbled name. For example, when I viewed my newly copied file on the Google Drive website, it showed the uploaded file name to be “nf1kktmpf95lg527ddci7s3m90.”
Congratulations! You have now made your own encrypted cloud backup. You can now use this by itself. Or, if the idea of layering got you thinking of creative storage solutions, read more about cheap cloud storage providers that you can use with rclone.
Frequently Asked Questions
1. Is Rclone Crypt securely encrypted?
Yes. Rclone uses the XSalsa20 cipher to encrypt the file content and file names. It is a relatively strong cipher that is light on system resources. The content of the encrypted files is also constantly verified using Poly1305, which is a very strong encryption algorithm.
2. How would I access my files if I lost my computer?
The good thing about this process is that as long as you took note of your two passwords, you can always access your data from anywhere. All you need to have is a machine you can connect to the Internet and rclone.
3. Is it possible to change my password once I’ve set it?
No. The encryption relies heavily on the password that you’ve set. Changing the password would mean that the encryption key for the crypt would change. Therefore, any previously encrypted files will be inaccessible to you.
The way to use a new password is to create a new crypt with the new password, then decrypt the files from the old crypt and move them over to the new crypt. Lastly, remove the old crypt.
Our latest tutorials delivered straight to your inbox