How to Encrypt Your Files in the Cloud Using Rclone

Rclone Crypt 0 Feat Image

Rclone is a wonderful tool. It is a simple script that allows you to manage your files over a number of cloud storage providers seamlessly. It has an intuitive command line interface and a powerful set of features that, among other things, allow you to migrate data from one cloud remote to the other, combine multiple cloud remotes with one another and transparently encrypt and decrypt data. This article focuses on the last point.

Crypt is a function of rclone that encrypts your files while they’re being uploaded and also decrypts them when being downloaded. This means the actual files that are stored in the cloud are encrypted and scrambled. It allows you to utilize your cloud provider as a storage service without the need to trust that they are not looking at what you’re uploading.

Crypt is also simple and transparent to set up, therefore making it easily doable for someone without any technical expertise in cryptography to create their own encrypted remote.

How Does It Work?

A crypt remote works by using a different remote and wrapping itself over it. Crypt, therefore, behaves like a layer that filters and modifies the data that passes through it. Before any data reaches the cloud remote, it was already filtered and encrypted by the crypt function.

Rclone Crypt 1 Diagram

This layered approach also provides the most amount of flexibility when dealing with multiple remotes.

We can, for example, combine multiple remotes into one using rclone’s union function, then add it to a crypt remote. Any data that is uploaded through the remote is then encrypted and distributed through the various cloud remotes you have.

Setting Up Rclone Crypt

If you find those features appealing, setting up a crypt remote is relatively straightforward. However, this guide assumes that you have already made your own unencrypted rclone remote. You can read our introductory guide to it here.

Once you have your own rclone remote, start by typing:

rclone config

This will bring us to rclone’s configuration menu. We will create a new remote by pressing N.

Rclone Crypt 2 Config

Rclone will ask us for the name of the remote that we want to set up. For this exercise, I am going to name the remote “crypt.”

Rclone Crypt 3 Name

The next option will ask for the type of remote we want to set up. Type “crypt” to create the remote as a crypt.

Rclone Crypt 4 Type

After that, rclone will ask for the location of the remote you want crypt to wrap onto. Make sure that the path points to a particular directory in the remote rather than the whole remote itself.

In my case, I have already made a folder called “maketecheasier” in my gdrive remote. To use it, I wrote gdrive:/maketecheasier in the configuration.

Rclone Crypt 5 Remote

While it is possible to set the whole remote as a crypt, doing so might create some issues with the encryption and decryption process.

Cloud storage providers might not be able to handle having an encrypted root folder. Furthermore, anything uploaded outside rclone crypt will be unencrypted and might present some issues with how the crypt function deals with files.

Encryption Setup

The next step will ask for the type of filename encryption that we want for our remote.

  • Standard allows for full filename encryption, which will hide the file type of the files that we have uploaded.
  • Obfuscate simply “rotates” the file names. It is a simple but weak kind of encryption.
  • Off will not obfuscate any file name.
Rclone Crypt 6 Filename Encryption

From there, rclone will ask whether we want to encrypt the directory names. Choosing 1 will encrypt all the folder names in the remote. Choosing 2 will not.

Rclone Crypt 7 Directory Encryption

For the following steps, rclone will ask whether we want to create our own password or let rclone generate it for us.

Rclone Crypt 8 Create Password

In my case, I will type my own password.

Rclone Crypt 9 Type Password

After that, rclone will ask us whether we want to add a second password to further randomize our encryption key.

Rclone Crypt 10 Salt Password

In my case, I added a second password.

Rclone Crypt 11 Type Password2

Keep in mind that these are our keys to our data. You should have a copy of these two passwords somewhere safe. Anyone who has a copy of these two passwords would be able to recreate your rclone configuration and decrypt the data from your crypt remote.

Additional Configurations

For the next step, rclone will ask if we want to enter the advanced configuration menu. For the most part, we do not need to change any of those settings.

Rclone Crypt 12 Advanced Config

However, if you are setting up different crypt remotes to interact with each other or if, for some reason, you do not want to encrypt the data itself, you can change those settings here.

Lastly, rclone will ask us to confirm our settings for the crypt remote. Press Y and Enter if you are satisfied with the current settings.

Rclone Crypt 13 Confirm

After that, rclone will now show your crypt remote. In my case, it is named crypt with the type Crypt.

Rclone Crypt 14 New List

Testing Your New Crypt Remote

Once done, you can use your new crypt remote to transfer files. Do this by typing this command:

rclone -v copy /your/local/file/here/ remotename:/the/remote/location/

In my case, I copied a small file from my machine to my crypt remote. I checked whether the file was copied properly by listing the remote’s contents:

rclone lsf remotename:/
Rclone Crypt 16 Lsf

If you looked at the remote anywhere other than rclone, the file will show up with a garbled name. For example, when I viewed my newly copied file on the Google Drive website, it showed the uploaded file name to be “nf1kktmpf95lg527ddci7s3m90.”

Rclone Crypt 17 Encrypted

Congratulations! You have now made your own encrypted cloud backup. You can now use this by itself. Or, if the idea of layering got you thinking of creative storage solutions, read more about cheap cloud storage providers that you can use with rclone.

Frequently Asked Questions

1. Is Rclone Crypt securely encrypted?

Yes. Rclone uses the XSalsa20 cipher to encrypt the file content and file names. It is a relatively strong cipher that is light on system resources. The content of the encrypted files is also constantly verified using Poly1305, which is a very strong encryption algorithm.

2. How would I access my files if I lost my computer?

The good thing about this process is that as long as you took note of your two passwords, you can always access your data from anywhere. All you need to have is a machine you can connect to the Internet and rclone.

3. Is it possible to change my password once I’ve set it?

No. The encryption relies heavily on the password that you’ve set. Changing the password would mean that the encryption key for the crypt would change. Therefore, any previously encrypted files will be inaccessible to you.

The way to use a new password is to create a new crypt with the new password, then decrypt the files from the old crypt and move them over to the new crypt. Lastly, remove the old crypt.

Ramces Red
Ramces Red

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox