Rclone is a command line cloud storage synchronization program that allows accessing and synchronizing files between your filesystem and cloud storage services, or between multiple cloud storage services. Recent versions also come with a Web GUI, and there are third-party GUIs available as well, like Rclone Browser.
The tool supports many cloud storage providers like Amazon S3, Box, Dropbox, Google Drive / Photos / Cloud Storage, Mega, Microsoft OneDrive (personal and business), pCloud, Yandex Disk and more. It’s available for Windows, macOS, Linux and *BSD.
This article shows how to encrypt cloud storage files from a remote (a remote is a cloud storage provider that’s configured in Rclone) using Rclone. It assumes you’ve already added some cloud storage providers to your Rclone configuration; if not, download and install Rclone, run rclone config, choose New remote and add Google Drive, OneDrive or any other cloud storage supported by Rclone.
For encryption, we’ll use the crypt Rclone remote. It’s worth noting from the start that only the files copied / synchronized to the crypt remote will be encrypted, so you can continue to upload unencrypted files if you wish, exactly as before; this also means that any files previously uploaded to the cloud storage are not encrypted, and this will not encrypt them unless you delete the files from the cloud storage and then store them in the new crypt remote.
The Rclone crypt option can encrypt the files, file names (standard file name encryption or simple file name obfuscation) and directory names. The file length and modification time are not encrypted.
Also check out Cryptomator, another cross-platformtool to encrypt cloud storage (and more) files.
How Rclone cloud storage encryption works
First I’ll show you how this works, and then I’ll tell you how you can encrypt your cloud storage files using Rclone.
Say I have a backup file called backup.tar.gz on my computer, and I want to upload it encrypted to OneDrive, in a folder called Backups. To achieve this I create a Rclone crypt remote (called encrypted:) which encrypts a remote path set to onedrive:Backups.
So when I copy this backup.tar.gz file to encrypted:, it will be uploaded as encrypted in my OneDrive Backups folder:
rclone copy backup.tar.gz encrypted:
Now when I list the files in the onedrive:Backups remote folder, this file shows as encrypted:
rclone ls onedrive:Backups
57480 aj7e9bv453dhpfdgskvieqmrtc
If I list the files in the encrypted: remote, I can see this file as decrypted:
rclone ls encrypted:
57432 backup.tar.gz
In case I need this file, I can copy it to my computer from the encrypted: remote as follows (the file will be copied as decrypted on my computer, in ~/ which is the home folder):
rclone copy encrypted:backup.tar.gz ~/
So whenever I want to access this file, I’ll need to access the encrypted: remote via Rclone. The OneDrive website has this file encrypted so it can’t be used until it’s decrypted using the Rclone crypt remote.
Rclone Browser, a cross-platform Qt GUI for Rclone, supports crypt remotes, as well as an encrypted Rclone configuration file, so you can continue to use it with encrypted files.
Create a crypt Rclone remote to encrypt cloud storage files
1. Create a “crypt” Rclone remote by opening a terminal and typing:
rclone configYou’ll now be asked what you want to do next:
e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n
Enter n to create a new remote.
2. You’ll then be asked to enter a name for the new remote – I went with encrypted for the name:
name> encrypted3. Now you’ll need to choose the type of storage to configure:
Type of storage to configure.
Enter a string value. Press Enter for the default ("").
Choose a number from below, or type in your own value
..............
10 / Encrypt/Decrypt a remote
"crypt"
........
Storage> crypt
Type crypt to create a new crypt storage type.
4. Next, you’ll need to enter the remote path to encrypt/decrypt. For example if you created a remote for OneDrive with the name onedrive, and you want to encrypt the contents of the Backups folder inside this OneDrive remote, you’d use onedrive:Backups here:
Remote to encrypt/decrypt.
Normally should contain a ':' and a path, eg "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a string value. Press Enter for the default ("").
remote> onedrive:BackupsEverything contained in the path you enter here will be encrypted, and anything outside will not be encrypted.
In case you don’t know how you’ve called your cloud storage remote(s), you can open a terminal and type this to list all the remotes configured in Rclone:
rclone listremotes5. The next step is to choose how to encrypt the filenames, and you can go with either standard, simple filename obfuscation or not encrypting the filenames. The standard filename encryption will produce longer filenames, and some cloud storage providers may have a filename length limitation, so keep this in mind. Choose the option that best suits your needs (I chose standard below):
How to encrypt the filenames.
Enter a string value. Press Enter for the default ("standard").
Choose a number from below, or type in your own value
1 / Encrypt the filenames see the docs for the details.
"standard"
2 / Very simple filename obfuscation.
"obfuscate"
3 / Don't encrypt the file names. Adds a ".bin" extension only.
"off"
filename_encryption> standard
6. In the next step, you can also choose to encrypt the directory names (type true or 1), or leave them intact (type false or 2):
Option to either encrypt directory names or leave them intact.
Enter a boolean value (true or false). Press Enter for the default ("true").
Choose a number from below, or type in your own value
1 / Encrypt directory names.
"true"
2 / Don't encrypt directory names, leave them intact.
"false"
directory_name_encryption> true7. Next you’ll be asked to enter a password or generate a random one for your encrypted cloud storage files. Make sure you don’t lose this password! The password is stored in the Rclone configuration file (which can be encrypted as you’ll see a bit later) so you don’t have to type it every time you want to access your encrypted files, but in case you lose the Rclone configuration file you’ll need this password to decrypt your cloud storage files!
I choose to enter my own password (y), and in this case I had to enter the password twice:
Password or pass phrase for encryption.
y) Yes type in my own password
g) Generate random password
y/g> y
Enter the password:
password:
Confirm the password:
password:8. Now you’ll be asked to enter a password for salt (or generate a random password), or leave this blank. This second password is used by Rclone in conjunction with scrypt, which makes it impractical to mount a dictionary attack on the Rclone encrypted data, and it’s recommended you set a password for full protection.
Here I entered g, which tells Rclone to generate a random password:
Password or pass phrase for salt. Optional but recommended.
Should be different to the previous password.
y) Yes type in my own password
g) Generate random password
n) No leave this optional password blank (default)
y/g/n> g9. Since Rclone will generate the password for you, it next asks you to enter the password strength in bits. I recommend going with 1024 for maximum password strength:
Password strength in bits.
64 is just about memorable
128 is secure
1024 is the maximum
Bits> 1024
10. Rclone will now reveal the generated password and ask you if you want to use it (type y or just press the Enter key if you are ok with the new password). Once again, make sure you don’t lose this password, so store it somewhere safe, like a password manager (I recommend Bitwarden):
Your password is: A-very-long-password-generated-by-rclone
Use this password? Please note that an obscured version of this
password (and not the password itself) will be stored under your
configuration file, so keep this generated password in a safe place.
y) Yes (default)
n) No
y/n> y
Rclone will now print your configuration, and ask you if it’s ok – press Enter to confirm it:
Remote config
--------------------
[encrypted]
type = crypt
remote = onedrive:Backups
filename_encryption = standard
directory_name_encryption = true
password = *** ENCRYPTED ***
password2 = *** ENCRYPTED ***
--------------------
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d>How to encrypt the Rclone configuration file
The Rclone encryption password is stored in the configuration file, and is only lightly obscured. To secure it, it’s recommended you encrypt the Rclone configuration file.
This can be done very easily from the Rclone configuration. Type:
rclone configThis presents the currently configured remotes, followed by some options:
e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> s
Type s and press the Enter key to set a configuration password.
In the next screen you’ll see:
Your configuration is not encrypted.
If you add a password, you will protect your login information to cloud services.
a) Add Password
q) Quit to main menu
a/q> a
Type a, and you’ll be prompted to enter the Rclone config password:
Enter NEW configuration password:
password:
Confirm NEW configuration password:
password:
Password set
Your configuration is encrypted.
c) Change Password
u) Unencrypt configuration
q) Quit to main menu
c/u/q> q
Once you type your new Rclone configuration password twice, type q to quit.
