DIY encrypted backups using rclone

4 minute read Published: 2026-01-18

In the last few years, I've made an effort to collect all university works, photos and videos, and documents spread across my old PCs. In the end, I ended up with roughly 300 GB of data, and now, of course, the question was - where do I back it all up? I had spare drives, but drives break - so to do this right, I wanted an offsite copy. So why not just dump it all into my Google Drive?

Well, some of this stuff's sensitive - credentials, legal documents, things I wouldn't want floating around the Internet if a data breach happened. An encrypted backup was the way to go, and recently, I got to work a bit with a neat little tool called rclone - the "Swiss Army knife" of cloud storage, which does everything I need. It syncs, it mounts, it encrypts - and most importantly, it seems to support every protocol and cloud provider under the sun.

Installing rclone

In my case, working on a Windows machine, I only had to run:

winget install Rclone.Rclone

rclone is a single binary with variants for every mainstream OS - you can download it from the download page and install it manually, or follow the instructions on the installation page if you prefer to use a package manager, though some package managers ship old versions which lack support for certain features like FUSE mounts.

After installing, open the interactive configuration menu:

rclone config

One thing you should do right away is to set a configuration password - this makes sure that the credentials used for connecting to remotes are encrypted when stored on disk. You'll need to supply this password for every rclone command you execute.

Configure the remote

Now, again via rclone config, add a remote storage location which rclone can download and upload files to. The list of supported protocols and platforms is impressive - chances are, it covers your choice of storage, whether that is Google Drive, Azure Files, S3, or an SFTP server or SMB fileshare you host yourself.

When you choose to add a remote, rclone will ask you to give it a name, and supply information such as URLs, access credentials, etc. For most options it also provides a sane default - just use that if you're not sure.

After you're done configuring, you can test the remote:

rclone sync /path/to/folder plaintext_remote_name:/path/to/folder # Upload: make the remote folder match the local one
rclone sync plaintext_remote_name:/path/to/folder /path/to/folder # Download: make the local folder match the remote one

Client-side encryption

One really neat feature of rclone is that it allows you to add middleware layers to remotes - including client-side encryption. When creating a remote, you can choose the option to Encrypt/Decrypt a remote - this means that your new remote is actually an encryption layer on top of an existing one.

rclone will ask you for an encryption passphrase (actually two passphrases, but the second one is an optional salt which you can leave empty), and a remote path to encrypt. All the encryption happens on your PC - which is ideal if you need the extra layer of security, or you don't fully trust the storage provider.

You can encrypt the entire remote by specifying a path like plaintext_remote_name:/, or only a subdirectory of it by specifying e.g. plaintext_remote_name:/encrypted_data. That way, you can store both plaintext and encrypted data in the same remote:

/                           # <-- plaintext_remote_name
├─ encrypted_data/          # <-- encrypted_remote_name
│  ├─ acac14783a...         # <-- decrypted only in encrypted_remote_name
│  └─ 265d341525...
├─ unencrypted_folder/
│  ├─ file1.txt             # <-- not part of encrypted_remote_name
│  └─ file2.png
└─ file3.pdf                # <-- not part of encrypted_remote_name

Perform a backup!

Now, to actually make the backup:

rclone sync --progress /folder/to/back/up encrypted_remote_name:/

That's it. Client-side encrypted backups, using an open-source utility that works everywhere. Pretty cool, right?

...And to do it automatically?

You'll want a cronjob on Linux/Mac/BSD or scheduled tasks on Windows. However, keep in mind that:

  • Background jobs may run under a different user, and rclone stores its config file in a user-specific directory. You can specify a different config file using the --config parameter.
  • A background job can't ask you for the configuration password, so your configuration file will have to be stored unencrypted. Make sure to set the file permissions such that only you and the background job can read it.
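A wrapper script for the cron case, as an added example (not from the original post): before syncing, it refuses to run if the unencrypted config file is readable by anyone else, or if the destination is not an encryption-layer remote. The config path, the --run switch and the function names are assumptions made for this sketch, and it assumes rclone listremotes --long prints one "name: type" pair per line.

```shell
#!/bin/sh
# Added example: unattended rclone backup with pre-flight checks.
# Paths and remote names are assumptions; adjust them to your setup.
set -eu

RCLONE_CONF="${RCLONE_CONF:-/etc/rclone-backup/rclone.conf}"  # assumed location
SRC="${SRC:-/folder/to/back/up}"
DEST="${DEST:-encrypted_remote_name:/}"

# Succeeds only if FILE exists, is owned by the current user, and grants
# no permissions to group or others (e.g. mode 600 or 400).
config_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads `rclone listremotes --long` output ("name: type" per line) on stdin
# and succeeds only if remote NAME is of type crypt.
remote_is_crypt() {
    awk -v want="$1:" '$1 == want && $2 == "crypt" { ok = 1 } END { exit !ok }'
}

run_backup() {
    if ! config_is_private "$RCLONE_CONF"; then
        echo "refusing to run: $RCLONE_CONF is missing or readable by others" >&2
        return 2
    fi
    # Guard against pointing DEST at the plaintext remote by mistake.
    if ! rclone --config "$RCLONE_CONF" listremotes --long |
            remote_is_crypt "${DEST%%:*}"; then
        echo "refusing to run: ${DEST%%:*} is not a crypt remote" >&2
        return 3
    fi
    rclone --config "$RCLONE_CONF" sync "$SRC" "$DEST"
}

# Only act when called as: backup.sh --run  (e.g. from a crontab entry)
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Run chmod 600 on the config file once, as the user the job runs under, so the first check passes.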