How to easily keep your cloud files private with Rclone
When cloud storage services first came on the scene, personal data security wasn’t a common feature. Even now, as concern over data privacy has grown, many cloud storage services don’t encrypt the user’s data by default. It’s largely up to the user to take the initiative and enable settings that ensure files are encrypted and private, which can be tedious. Believe it or not, a little command-line program called Rclone simplifies things. It’s available for Linux and other open-source OSes, as well as Windows and OS X.
There are several ways to encrypt your data before you send it to the cloud, but if you simply want to back up or sync your data while keeping it private, Rclone has you covered. Rclone is a bit like the command-line tool rsync, a staple for developers and other advanced users. However, Rclone is designed to work with established cloud services, no need to set up rsync services on remote machines. Rclone can work with Google Drive, Amazon S3, Dropbox, Google Cloud Storage, Amazon Drive, Microsoft One Drive, Hubic, and Backblaze B2, just to name a few.
Setup
To start using Rclone, you have to set up remotes, meaning profiles for cloud destinations. Once you have Rclone installed using your Linux distribution’s package manager, you can start setting up Rclone. Type the command rclone config to access a simple guided setup process that’s quite easy to follow.
The first step is setting up an unencrypted remote. As you can see in my example above, I connected Rclone to my Google Drive account, then named the remote “gdrive.” The configuration automatically opened a browser window in order for me to grant access to my Google account. From there, the configuration application will prompt the user for the path that the user wants to sync. If you’re using a bucket service (like Amazon S3 or Backblaze B2), be sure to enter the name of the bucket you want to use.
Once the initial setup is done, it’s time to set up the encrypted remote, again with rclone config. Encrypted remotes piggyback on remotes that have already been set up. When choosing the type of remote to set up in the configuration program, choose the encrypted remote option (5) Encrypt/Decrypt a remote “crypt.” You’ll be prompted for the name of the remote to piggyback on (in my case gdrive), as well as a name you want to give the encrypted remote.
You’ll also be prompted for passwords and a salt to use to encrypt your files. If you don’t want to bother with creating a super-secret-secure passphrase, you can allow the program to generate a random passphrase and salt for you. You an even ask Rclone to encrypt the names of files and folders so you don’t leak metadata from you filenames.
Once you have the two remotes set up, you’re off to the races.
Sync those files
There are a few ways you can use Rclone to push and pull data to and from the cloud. Unlike its cousin rsync, Rclone won’t do a bidirectional sync (yet). That means choosing a sync method that works best for you.
The first (and probably easiest) way to use Rclone is with the sync command. The sync command synchronizes files from the source to the destination. To sync files from the cloud to a folder (pull), simply use:
rclone sync remote:path /path/to/folder
To sync the other way (push), use:
rclone sync /path/to/folder remote:path
These commands are great if you want to be able to sync manually. There are ways to automatically sync files with Rclone, but they require writing a script or two and a cron job.
The second main method for using Rclone is experimental, but in my opinion, offers a more seamless experience. Rclone can mount a remote using FUSE, which makes the remote appear in file managers as if you connected to a Samba (Windows) share or attached a USB drive. To do this, use the following command:
rclone mount remote:path /path/to/mount &
Just like mounting another filesystem, the folder you mount your remote to must exist on the filesystem (and should be empty). Additionally, the path of the remote is a bit finicky, and the mount process will fail if it doesn’t conform exactly to a valid path.
For an encrypted remote or a non-bucket remote where you want to mount the root folder, leave the path after remote: blank. However, if you’re connecting to an unencrypted bucket remote, the bucket name is required.
There’s another thing about Rclone’s mount command: It doesn’t play nice with normal mount and unmount commands. When trying to click the eject button in my file manager, I received error popups telling me that FUSE couldn’t unmount the remote. As far as I can tell, Rclone mounts must be manually unmounted with the following command:
fusermount -u /path/to/mount
Conclusion
Cloud storage for personal files is wildly popular, especially with the advent of ultrabooks that often feature mid-sized SSDs instead of 500GB or larger HDDs that are common in full-sized laptops. Reduced storage space and the need to keep files backed up offsite means that cloud services have a big market to tap. However, privacy is rarely a feature that’s front-and-center.
Rclone is just one of many tools you can use to leverage the redundancy and stability of cloud storage without sacrificing data privacy.