Rclone is a command line cloud storage synchronization program that allows accessing and synchronizing files between your filesystem and cloud storage services, or between multiple cloud storage services. Recent versions also come with a Web GUI, and there are third-party GUIs available as well, like Rclone Browser.
The tool supports many cloud storage providers like Amazon S3, Box, Dropbox, Google Drive / Photos / Cloud Storage, Mega, Microsoft OneDrive (personal and business), pCloud, Yandex Disk and more. It’s available for Windows, macOS, Linux and *BSD.
This article shows how to encrypt cloud storage files from a remote (a remote is a cloud storage provider that’s configured in Rclone) using Rclone. It assumes you’ve already added some cloud storage providers to your Rclone configuration; if not, download and install Rclone, run
rclone config, choose
New remote and add Google Drive, OneDrive or any other cloud storage supported by Rclone.
For encryption, we’ll use the
crypt Rclone remote. It’s worth noting from the start that only the files copied / synchronized to the crypt remote will be encrypted, so you can continue to upload unencrypted files if you wish, exactly as before; this also means that any files previously uploaded to the cloud storage are not encrypted, and this will not encrypt them unless you delete the files from the cloud storage and then store them in the new crypt remote.
The Rclone crypt option can encrypt the files, file names (standard file name encryption or simple file name obfuscation) and directory names. The file length and modification time are not encrypted.
How Rclone cloud storage encryption works
First I’ll show you how this works, and then I’ll tell you how you can encrypt your cloud storage files using Rclone.
Say I have a backup file called
backup.tar.gz on my computer, and I want to upload it encrypted to OneDrive, in a folder called Backups. To achieve this I create a Rclone crypt remote (called
encrypted:) which encrypts a remote path set to
So when I copy this
backup.tar.gz file to
encrypted:, it will be uploaded as encrypted in my OneDrive Backups folder:
rclone copy backup.tar.gz encrypted:
Now when I list the files in the
onedrive:Backups remote folder, this file shows as encrypted:
rclone ls onedrive:Backups 57480 aj7e9bv453dhpfdgskvieqmrtc
If I list the files in the
encrypted: remote, I can see this file as decrypted:
rclone ls encrypted: 57432 backup.tar.gz
In case I need this file, I can copy it to my computer from the
encrypted: remote as follows (the file will be copied as decrypted on my computer, in
~/ which is the home folder):
rclone copy encrypted:backup.tar.gz ~/
So whenever I want to access this file, I’ll need to access the
encrypted: remote via Rclone. The OneDrive website has this file encrypted so it can’t be used until it’s decrypted using the Rclone crypt remote.
Rclone Browser, a cross-platform Qt GUI for Rclone, supports crypt remotes, as well as an encrypted Rclone configuration file, so you can continue to use it with encrypted files.
Create a crypt Rclone remote to encrypt cloud storage files
1. Create a “crypt” Rclone remote by opening a terminal and typing:
You’ll now be asked what you want to do next:
e) Edit existing remote n) New remote d) Delete remote r) Rename remote c) Copy remote s) Set configuration password q) Quit config e/n/d/r/c/s/q> n
n to create a new remote.
2. You’ll then be asked to enter a name for the new remote – I went with
encrypted for the name:
3. Now you’ll need to choose the type of storage to configure:
Type of storage to configure. Enter a string value. Press Enter for the default (""). Choose a number from below, or type in your own value .............. 10 / Encrypt/Decrypt a remote "crypt" ........ Storage> crypt
crypt to create a new crypt storage type.
4. Next, you’ll need to enter the remote path to encrypt/decrypt. For example if you created a remote for OneDrive with the name
onedrive, and you want to encrypt the contents of the
Backups folder inside this OneDrive remote, you’d use
Remote to encrypt/decrypt. Normally should contain a ':' and a path, eg "myremote:path/to/dir", "myremote:bucket" or maybe "myremote:" (not recommended). Enter a string value. Press Enter for the default (""). remote> onedrive:Backups
Everything contained in the path you enter here will be encrypted, and anything outside will not be encrypted.
In case you don’t know how you’ve called your cloud storage remote(s), you can open a terminal and type this to list all the remotes configured in Rclone:
5. The next step is to choose how to encrypt the filenames, and you can go with either standard, simple filename obfuscation or not encrypting the filenames. The standard filename encryption will produce longer filenames, and some cloud storage providers may have a filename length limitation, so keep this in mind. Choose the option that best suits your needs (I chose standard below):
How to encrypt the filenames. Enter a string value. Press Enter for the default ("standard"). Choose a number from below, or type in your own value 1 / Encrypt the filenames see the docs for the details. "standard" 2 / Very simple filename obfuscation. "obfuscate" 3 / Don't encrypt the file names. Adds a ".bin" extension only. "off" filename_encryption> standard
6. In the next step, you can also choose to encrypt the directory names (type
1), or leave them intact (type
Option to either encrypt directory names or leave them intact. Enter a boolean value (true or false). Press Enter for the default ("true"). Choose a number from below, or type in your own value 1 / Encrypt directory names. "true" 2 / Don't encrypt directory names, leave them intact. "false" directory_name_encryption> true
7. Next you’ll be asked to enter a password or generate a random one for your encrypted cloud storage files. Make sure you don’t lose this password! The password is stored in the Rclone configuration file (which can be encrypted as you’ll see a bit later) so you don’t have to type it every time you want to access your encrypted files, but in case you lose the Rclone configuration file you’ll need this password to decrypt your cloud storage files!
I choose to enter my own password (
y), and in this case I had to enter the password twice:
Password or pass phrase for encryption. y) Yes type in my own password g) Generate random password y/g> y Enter the password: password: Confirm the password: password:
8. Now you’ll be asked to enter a password for salt (or generate a random password), or leave this blank. This second password is used by Rclone in conjunction with scrypt, which makes it impractical to mount a dictionary attack on the Rclone encrypted data, and it’s recommended you set a password for full protection.
Here I entered
g, which tells Rclone to generate a random password:
Password or pass phrase for salt. Optional but recommended. Should be different to the previous password. y) Yes type in my own password g) Generate random password n) No leave this optional password blank (default) y/g/n> g
9. Since Rclone will generate the password for you, it next asks you to enter the password strength in bits. I recommend going with 1024 for maximum password strength:
Password strength in bits. 64 is just about memorable 128 is secure 1024 is the maximum Bits> 1024
10. Rclone will now reveal the generated password and ask you if you want to use it (type
y or just press the
Enter key if you are ok with the new password). Once again, make sure you don’t lose this password, so store it somewhere safe, like a password manager (I recommend Bitwarden):
Your password is: A-very-long-password-generated-by-rclone Use this password? Please note that an obscured version of this password (and not the password itself) will be stored under your configuration file, so keep this generated password in a safe place. y) Yes (default) n) No y/n> y
Rclone will now print your configuration, and ask you if it’s ok – press
Enter to confirm it:
Remote config -------------------- [encrypted] type = crypt remote = onedrive:Backups filename_encryption = standard directory_name_encryption = true password = *** ENCRYPTED *** password2 = *** ENCRYPTED *** -------------------- y) Yes this is OK (default) e) Edit this remote d) Delete this remote y/e/d>
How to encrypt the Rclone configuration file
The Rclone encryption password is stored in the configuration file, and is only lightly obscured. To secure it, it’s recommended you encrypt the Rclone configuration file.
This can be done very easily from the Rclone configuration. Type:
This presents the currently configured remotes, followed by some options:
e) Edit existing remote n) New remote d) Delete remote r) Rename remote c) Copy remote s) Set configuration password q) Quit config e/n/d/r/c/s/q> s
s and press the
Enter key to set a configuration password.
In the next screen you’ll see:
Your configuration is not encrypted. If you add a password, you will protect your login information to cloud services. a) Add Password q) Quit to main menu a/q> a
a, and you’ll be prompted to enter the Rclone config password:
Enter NEW configuration password: password: Confirm NEW configuration password: password: Password set Your configuration is encrypted. c) Change Password u) Unencrypt configuration q) Quit to main menu c/u/q> q
Once you type your new Rclone configuration password twice, type
q to quit.