Crypt Remotes and Encrypted Layouts
Rclone crypt encrypts both file content and file names before objects reach cloud storage.
Learning Focus
Use crypt remotes to make cloud backups safe by default, then prove you can restore using only documented keys and config.
Why Use Crypt
| Benefit | Operational impact |
|---|---|
| Encrypted content | Reduced exposure if cloud bucket is leaked |
| Encrypted filenames | Hides metadata and naming conventions |
| Transparent CLI usage | Same transfer commands after setup |
What Crypt Does (and Does Not) Protect
| Protected | Notes |
|---|---|
| File contents | Encrypted before upload |
| Filenames and directory names | Encrypted to hide structure |
| Not fully hidden | Notes |
|---|---|
| Object sizes | Providers still see sizes |
| Access patterns | Providers can observe timing and frequency |
| Total object count | Still measurable |
Setup Pattern
- Configure base remote (example: s3-prod).
- Create crypt remote pointing at a subpath.
- Use crypt remote for all backup jobs.
Create a Crypt Remote
rclone config
Typical wizard actions:
- New remote name: crypt-prod
- Type: crypt
- Remote to encrypt: s3-prod:org-backups/encrypted
- Choose filename encryption and directory name encryption options
- Set strong passphrase (store it securely)
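The wizard steps above can also be driven from a script, which is what a backup host or CI runner needs. The block below is an added example, not part of the original page: it creates the same crypt-prod remote non-interactively with rclone's real `rclone config create` command and its `--obscure` and `--non-interactive` flags, takes the passphrase and salt from the environment variables CRYPT_PASSWORD and CRYPT_SALT (names assumed here), rejects trivially weak secrets before they are written to rclone.conf (the 20-character minimum is an assumed local policy), and proves the remote answers before any backup job uses it.

```shell
#!/usr/bin/env sh
# Added example (not the page's own script): scripted creation of the crypt
# remote from the Setup Pattern, with secrets taken from the environment
# instead of being typed into the wizard.
set -eu

BASE_REMOTE="s3-prod:org-backups/encrypted"   # same target as the wizard example
CRYPT_NAME="crypt-prod"

# Refuse trivially weak secrets before they end up in rclone.conf.
# Usage: validate_secret LABEL VALUE ; the 20-character floor is an assumed policy.
validate_secret() {
  if [ "${#2}" -lt 20 ]; then
    echo "$1: must be at least 20 characters" >&2
    return 1
  fi
  case $2 in
    *[[:space:]]*)
      echo "$1: must not contain whitespace" >&2
      return 1 ;;
  esac
  return 0
}

create_crypt_remote() {
  validate_secret CRYPT_PASSWORD "$CRYPT_PASSWORD"
  validate_secret CRYPT_SALT "$CRYPT_SALT"
  # --obscure makes rclone obscure the password fields itself, so there is no
  # separate `rclone obscure` step whose output has to be pasted around.
  # --non-interactive fails instead of prompting if anything is missing.
  rclone config create "$CRYPT_NAME" crypt \
    remote "$BASE_REMOTE" \
    filename_encryption standard \
    directory_name_encryption true \
    password "$CRYPT_PASSWORD" \
    password2 "$CRYPT_SALT" \
    --obscure --non-interactive >/dev/null
  # Prove the remote decrypts and lists before any backup job depends on it.
  rclone lsd "$CRYPT_NAME:" >/dev/null
  echo "crypt remote $CRYPT_NAME created and verified"
}

# Only touch rclone.conf when explicitly asked, so the functions above can be
# sourced and checked without side effects.
if [ "${1:-}" = "--create" ]; then
  : "${CRYPT_PASSWORD:?set CRYPT_PASSWORD in the environment}"
  : "${CRYPT_SALT:?set CRYPT_SALT in the environment}"
  create_crypt_remote
fi
```

Run it as `CRYPT_PASSWORD=... CRYPT_SALT=... sh create-crypt-remote.sh --create`. Note that secrets passed as command arguments are visible to other local users in the process list while the command runs; on shared hosts, prefer the interactive wizard or rclone's `RCLONE_CONFIG_<REMOTE>_<KEY>` environment-variable form of configuration.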
crypt-usage.sh
rclone sync /srv/finance crypt-prod:daily/finance --progress
rclone ls crypt-prod:daily/finance
Warning: If you lose the crypt passphrase/salt, encrypted backups are effectively unrecoverable.
Danger: Do not store crypt secrets only in one person's password manager. Document recovery in a team-accessible, secure location.
Layout Recommendation
| Layer | Example |
|---|---|
| Base remote | s3-prod:org-backups/ |
| Crypt remote root | crypt-prod:daily/ |
| Dataset path | crypt-prod:daily/mysql/ |
Restore Drill (Minimum)
- Pick a backup prefix.
- Restore into an isolated directory.
- Validate with rclone check.
crypt-restore-drill.sh
#!/usr/bin/env bash
set -eu
SNAPSHOT="daily/finance"
mkdir -p /restore/crypt-drill
# Pull the snapshot through the crypt remote; data is decrypted and authenticated on the way down.
rclone sync "crypt-prod:${SNAPSHOT}" /restore/crypt-drill --progress
# A crypt remote exposes no hashes, so a plain check would only compare sizes
# ("hashes could not be checked"); --download compares the actual content.
# --one-way: every object in the snapshot must exist and match in the restore directory.
rclone check "crypt-prod:${SNAPSHOT}" /restore/crypt-drill --one-way --download
Validation
# encrypted listing on the raw remote: directory and file names are ciphertext,
# so the cleartext path daily/mysql does not exist at this layer
rclone ls s3-prod:org-backups/encrypted
# decrypted listing through the crypt remote
rclone ls crypt-prod:daily/mysql
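The two listings above show the same objects with different names, but sizes are the one attribute that survives encryption, which is both the leak noted in the "Object sizes" row earlier and a usable validation signal. The block below is an added example, not from the page or the rclone project: it encodes the rclone crypt file format as documented (32-byte header, then 64 KiB blocks each carrying a 16-byte authentication tag) to compute the ciphertext size for any plaintext size and the exact inverse a provider can compute, then cross-checks a crypt-side `rclone ls` listing against the raw-side one by matching sorted size sequences, since names cannot be matched. The listings are constructed sample data; the raw-side path names are placeholders for rclone's encrypted names.

```shell
#!/usr/bin/env sh
# Added example (not from the page): size relationship between the crypt and
# raw listings, per the rclone crypt file format documented by the project.
set -eu

BLOCK=65536   # plaintext bytes per block
TAG=16        # authentication tag appended to every block, including a partial final one
HEADER=32     # magic + nonce at the start of every file

# Ciphertext size for a plaintext of $1 bytes (0 -> 32, 1 -> 49, 65537 -> 65601).
crypt_size() {
  blocks=$(( ($1 + BLOCK - 1) / BLOCK ))
  echo $(( HEADER + $1 + TAG * blocks ))
}

# Inverse: the plaintext size a provider can recover from a ciphertext size,
# which is why "encrypted" does not mean "size hidden".
plain_size() {
  body=$(( $1 - HEADER ))
  full=$(( body / (BLOCK + TAG) ))
  rem=$(( body % (BLOCK + TAG) ))
  if [ "$rem" -eq 0 ]; then
    echo $(( full * BLOCK ))
  else
    echo $(( full * BLOCK + rem - TAG ))
  fi
}

# Expected ciphertext sizes for an `rclone ls` listing taken through the crypt remote.
# `rclone ls` prints "<size> <path>", so the size is always field 1.
expected_raw_sizes() {
  awk 'NF { print $1 }' | while read -r n; do crypt_size "$n"; done | sort -n
}

# Sizes actually present in an `rclone ls` listing of the raw (encrypted) path.
observed_raw_sizes() {
  awk 'NF { print $1 }' | sort -n
}

# Names are ciphertext on the raw side, so objects cannot be paired by path;
# crypt_size is monotonic, so the sorted size sequences must still agree exactly.
sizes_match() {
  want=$(printf '%s\n' "$1" | expected_raw_sizes)
  got=$(printf '%s\n' "$2" | observed_raw_sizes)
  [ "$want" = "$got" ]
}

# Constructed sample listings (not real rclone output).
CRYPT_LISTING='     1024 finance/ledger.csv
        0 finance/.keep
   131072 finance/q1.parquet'
RAW_LISTING='     1072 0c3e9f/1d7a2b
       32 0c3e9f/8b61c4
   131136 0c3e9f/f90e3d'
# Same raw listing with one object gone: the cross-check must flag it.
RAW_LISTING_MISSING='     1072 0c3e9f/1d7a2b
   131136 0c3e9f/f90e3d'

if sizes_match "$CRYPT_LISTING" "$RAW_LISTING"; then
  echo "raw and crypt listings agree on object sizes"
fi
if ! sizes_match "$CRYPT_LISTING" "$RAW_LISTING_MISSING"; then
  echo "raw listing is missing objects"
fi
```

In a real drill, feed the two functions the output of `rclone ls crypt-prod:daily/mysql` and `rclone ls s3-prod:org-backups/encrypted` over the same prefix; a mismatch means objects were added, removed or truncated on the raw side. The inverse function is the reason the page lists object sizes under "not fully hidden": padding is not part of the crypt format, so every plaintext size is recoverable to the byte.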
Common Pitfalls
| Pitfall | Consequence | Prevention |
|---|---|---|
| Mixing crypt and non-crypt paths | Data lands unencrypted, or is confused with encrypted copies | Use distinct, clearly named remotes for encrypted and cleartext paths |
| Inconsistent key storage | Restores fail when the passphrase or salt cannot be found | Document a secure key recovery process and test it |
| One crypt remote for everything | Access cannot be segmented by dataset | Use domain-specific encrypted paths or remotes |