How to use Rclone to encrypt cloud storage files

Rclone is a command-line cloud storage synchronization program that allows accessing and synchronizing files between the file system and cloud storage services, or between multiple cloud storage services. The latest version also provides a Web GUI, and there are third-party GUIs as well, such as Rclone Browser. The tool supports many cloud storage providers, such as Amazon S3, Box, Dropbox, Google Drive / Photos / Cloud Storage, Mega, Microsoft OneDrive (personal and business), pCloud, Yandex Disk, etc. It is available for Windows, macOS, Linux and *BSD. This article describes how to use an Rclone remote to encrypt cloud storage files (a remote is a cloud storage provider configured in Rclone). It assumes you have already added some cloud storage providers to the Rclone configuration. If not, download and install Rclone, run rclone config, select New remote and add Google Drive, OneDrive or any other cloud storage supported by Rclone.
For encryption, we will use the Rclone crypt remote. It’s worth mentioning that only files copied/synchronized to the crypt remote will be encrypted, so you can continue to upload unencrypted files as before; this also means that all files previously uploaded to the cloud storage are not encrypted. A previously uploaded file will only be encrypted if you delete it from the cloud storage and upload it again through the new crypt remote.
The Rclone crypt remote can encrypt files, file names (standard file name encryption or simple file name obfuscation) and directory names. The file length and modification time are not encrypted.

Also check out Cryptomator, another cross-platform tool for encrypting files stored in the cloud (and more).

How does Rclone cloud storage encryption work

First, I will show you how it works, and then I will tell you how to use Rclone to encrypt cloud storage files.
Say I have a file named backup.tar.gz on my computer, and I want to encrypt it and upload it to a folder called Backups in OneDrive. To this end, I created an Rclone crypt remote (called encrypted:) whose remote path to encrypt is set to onedrive:Backups.
So when I copy this backup.tar.gz archive to encrypted:, it will be uploaded, encrypted, to my OneDrive Backups folder:

rclone copy backup.tar.gz encrypted:

Now when I list the onedrive:Backups remote folder, this file is shown encrypted:

rclone ls onedrive:Backups
    57480 aj7e9bv453dhpfdgskvieqmrtc

If I list the encrypted: remote, I can see this file decrypted:

rclone ls encrypted:
    57432 backup.tar.gz
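
The two listings above differ by exactly 48 bytes: the fixed overhead of the crypt file format, a 32-byte header plus a 16-byte authenticator per 64 KiB chunk. The following added example (not part of the original article; the function names are made up here and the layout constants come from Rclone's crypt documentation) shows that anyone who can list the cloud folder can work out each file's exact plaintext size:

```shell
#!/bin/sh
# Added example: size arithmetic for rclone crypt file contents.
HEADER=32      # 8-byte magic "RCLONE\0\0" + 24-byte nonce
CHUNK=65536    # plaintext bytes per chunk (64 KiB)
TAG=16         # Poly1305 authenticator stored with every chunk

# Encrypted object size for a plaintext of $1 bytes.
crypt_encrypted_size() {
    n=$1
    chunks=$(( (n + CHUNK - 1) / CHUNK ))
    echo $(( HEADER + n + chunks * TAG ))
}

# Plaintext size recovered from an encrypted object of $1 bytes.
# Returns 1 (printing nothing) if the size cannot be a valid crypt object.
crypt_plain_size() {
    e=$1
    [ "$e" -ge "$HEADER" ] || return 1
    body=$(( e - HEADER ))
    full=$(( body / (CHUNK + TAG) ))
    rest=$(( body % (CHUNK + TAG) ))
    if [ "$rest" -eq 0 ]; then
        echo $(( full * CHUNK ))
    elif [ "$rest" -gt "$TAG" ]; then
        echo $(( full * CHUNK + rest - TAG ))
    else
        return 1   # a trailing chunk needs the tag plus at least one data byte
    fi
}

# Sizes taken from the two listings above.
crypt_encrypted_size 57432   # 57480
crypt_plain_size 57480       # 57432
```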

If you need this file, you can download it from the encrypted: remote, as shown below (the file will be copied, decrypted, to my computer; ~/ is the home folder):

rclone copy encrypted:backup.tar.gz ~/

So whenever I want to access this file, I need to go through the encrypted: remote via Rclone. On the OneDrive website this file is encrypted, so it can only be used after decrypting it with the Rclone crypt remote. Rclone Browser is a cross-platform Qt GUI for Rclone which supports crypt remotes and encrypted Rclone configuration files, so you can continue to use it with encrypted files.

Create a crypt Rclone remote to encrypt cloud storage files

1. Create a “crypt” Rclone remote by opening a terminal and entering the following command:

rclone config

Now you will be asked what to do next:

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n

Enter n to create a new remote.
2. Then, you will be asked to enter a name for the new remote. I named mine encrypted:

name> encrypted

3. Now, you need to select the type of storage you want to configure:

Type of storage to configure.
Enter a string value. Press Enter for the default ("").
Choose a number from below, or type in your own value
10 / Encrypt/Decrypt a remote
Storage> crypt

Type crypt to create a new remote of the encrypted storage type.
4. Next, you need to enter the remote path to encrypt/decrypt. For example, if you created a remote for OneDrive named onedrive and you want to encrypt the Backups folder in this OneDrive remote, you can use onedrive:Backups here:

Remote to encrypt/decrypt.
Normally should contain a ':' and a path, eg "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a string value. Press Enter for the default ("").
remote> onedrive:Backups

Everything inside the path you enter here will be encrypted, and everything outside it will not be encrypted.
If you don’t know what your cloud storage remotes are called, you can open a terminal and type the following to list all remotes configured in Rclone:

rclone listremotes

5. The next step is to choose how to encrypt the file names: you can choose standard encryption, simple file name obfuscation, or not to encrypt the file names. Standard file name encryption produces longer file names, and some cloud storage providers have file name length restrictions, so please keep this in mind. Choose the option that best suits your needs (I chose standard below):

How to encrypt the filenames.
Enter a string value. Press Enter for the default ("standard").
Choose a number from below, or type in your own value
 1 / Encrypt the filenames see the docs for the details.
 2 / Very simple filename obfuscation.
 3 / Don't encrypt the file names.  Adds a ".bin" extension only.
filename_encryption> standard

6. In the next step, you can choose whether to encrypt directory names (type true or 1) or leave them intact (type false or 2):

Option to either encrypt directory names or leave them intact.
Enter a boolean value (true or false). Press Enter for the default ("true").
Choose a number from below, or type in your own value
 1 / Encrypt directory names.
 2 / Don't encrypt directory names, leave them intact.
directory_name_encryption> true

7. Next, you will be asked to enter a password or generate a random password for the encrypted cloud storage files. Make sure you don’t forget this password! The password is stored in the Rclone configuration file (you can encrypt it later), so you don’t have to enter it every time you want to access the encrypted files, but if you lose the Rclone configuration file, you will need this password to decrypt your cloud storage files!
I chose to enter my own password (y); in this case, the password has to be entered twice:

Password or pass phrase for encryption.
y) Yes type in my own password
g) Generate random password
y/g> y

Enter the password:
Confirm the password:

8. Now you will be asked to enter a password for the salt (or generate a random one), or leave it blank. Rclone uses this second password as the salt for encryption, which makes it impractical to launch dictionary attacks on Rclone-encrypted data. It is recommended that you set this password to get full protection.
I entered g here, which tells Rclone to generate a random password:

Password or pass phrase for salt. Optional but recommended.
Should be different to the previous password.
y) Yes type in my own password
g) Generate random password
n) No leave this optional password blank (default)
y/g/n> g

9. Since Rclone will generate a password for you, it will ask you to enter the password strength (in bits) next. I recommend using 1024 to maximize password strength:

Password strength in bits.
64 is just about memorable
128 is secure
1024 is the maximum
Bits> 1024

10. Rclone will now display the generated password and ask if you want to use it (type y or press Enter if it is OK; otherwise, enter a new password). Again, make sure not to lose this password: store it in a safe place, such as a password manager (I recommend Bitwarden):

Your password is: A-very-long-password-generated-by-rclone
Use this password? Please note that an obscured version of this
password (and not the password itself) will be stored under your
configuration file, so keep this generated password in a safe place.
y) Yes (default)
n) No
y/n> y

Rclone will now print your configuration and ask you if it is OK. Press Enter to confirm:

Remote config
type = crypt
remote = onedrive:Backups
filename_encryption = standard
directory_name_encryption = true
password = *** ENCRYPTED ***
password2 = *** ENCRYPTED ***
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote

How to encrypt Rclone configuration files

The Rclone encryption password is stored in the configuration file and is only lightly obscured. To protect it, it is recommended that you encrypt the Rclone configuration file.
This can easily be done through rclone config. Type:

rclone config

This will display the currently configured remotes, followed by some options:

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> s

Type s and then press Enter to set the configuration password.
On the next screen, you will see:

Your configuration is not encrypted.
If you add a password, you will protect your login information to cloud services.
a) Add Password
q) Quit to main menu
a/q> a

Type a, and you will be prompted to enter the Rclone configuration password:

Enter NEW configuration password:
Confirm NEW configuration password:
Password set
Your configuration is encrypted.
c) Change Password
u) Unencrypt configuration
q) Quit to main menu
c/u/q> q

After typing the new Rclone configuration password twice, type q to quit.
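
A way to check the result of both procedures above (the crypt remote from steps 1-10 and the configuration password), as an added example that is not part of the original article: the script reads an Rclone configuration file and flags an unencrypted file, a crypt remote without a salt password, and unencrypted file or directory names. The function names and the sample configuration are constructed for illustration; the sketch assumes the RCLONE_ENCRYPT_V0: marker line that Rclone writes into encrypted configuration files and the stored value off for the "Don't encrypt the file names" option.

```shell
#!/bin/sh
# Added example: audit an rclone config file for the settings covered above.

# Constructed sample: an unencrypted config with one weakly configured crypt remote.
sample_conf() {
cat <<'EOF'
[onedrive]
type = onedrive

[encrypted]
type = crypt
remote = onedrive:Backups
filename_encryption = off
password = CONSTRUCTED-OBSCURED-VALUE
EOF
}

# Prints one finding per line for the config file at $1.
audit_rclone_conf() {
    # An encrypted config holds this marker line instead of readable sections.
    if grep -q '^RCLONE_ENCRYPT_V0:' "$1"; then
        echo "OK: configuration file is encrypted"
        return 0
    fi
    echo "WARN: configuration file is not encrypted"
    awk '
        function report() {
            if (type != "crypt") return
            if (pw2 == "") print "WARN: [" name "] has no salt password (password2)"
            if (fne == "off") print "WARN: [" name "] leaves file names unencrypted"
            if (dne == "false") print "WARN: [" name "] leaves directory names unencrypted"
        }
        /^\[.*\]$/ {
            report()
            name = substr($0, 2, length($0) - 2)
            type = ""; pw2 = ""; fne = "standard"; dne = "true"   # rclone defaults
            next
        }
        (i = index($0, "=")) {
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "type") type = val
            if (key == "password2") pw2 = val
            if (key == "filename_encryption") fne = val
            if (key == "directory_name_encryption") dne = val
        }
        END { report() }
    ' "$1"
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_rclone_conf "$tmp"; rm -f "$tmp"
```

To audit a real setup, call audit_rclone_conf with the path printed by rclone config file.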