Encryption at rest? (untrusted destination server)

How to enable encryption at rest on a

Local (D:\docs\) ---> Destination (SFTP)

(i.e. the data never gets decrypted on destination, so data is safe even if the destination server is untrusted, even if a hacker gets root access on the destination)

Also, does rclone handle file renames in the case of encryption at rest?
Example: d:\docs\aaa\10GB_file is moved to d:\docs\zzz\10GB_file_newname. Are 10GB of data re-transferred?

You first configure a remote for your underlying backend, in your case of type sftp. Let's give this remote the name "plain". Then you create a second remote of type crypt that wraps the remote "plain"; let's call this "encrypted".
Now just use your remote named "encrypted" like any other, e.g. rclone copy D:\docs encrypted:\docs.
You may find documentation at https://rclone.org/crypt/ useful.

Regarding renames:

By default, rclone doesn't keep track of renamed files, so if you rename a file locally then sync it to a remote, rclone will delete the old file on the remote and upload a new copy.

There is an option --track-renames that can be used with the rclone sync command, but it will not work "out of the box" with encrypted remotes, due to the requirement that source and destination have a compatible hash. You can make it work by configuring --track-renames-strategy:

Using --track-renames-strategy modtime or leaf can enable --track-renames support for encrypted destinations.

See also: Can not use --track-renames when syncing to and from Crypt remotes?

For track-renames to work, also the backend needs to support server side copy/move. Sftp does support server side move, according to this. You could test it out yourself, you should see "evidence" in the output when you are using the -v command line option.

Thanks for your answer @albertony. I'll have a try. I didn't really understand why we need two remotes, one wrapped in another? Please could you explain a bit more about this?

I don't want to take too much of your time, but could you include all the command-line commands to do this?

rclone config # then do ...
rclone ...

Or better: a sample rclone.conf (better than the command line step by step interactive mode)

Thanks in advance.

Some remotes in rclone are basically wrappers of other remotes, yes. This makes it very flexible as you can add functionality on top of any of the other backends (and even in multiple layers). Crypt is such a remote, others are union, chunker, and I think there is a compression remote coming.

Have you configured and tested your sftp remote? If so, just start up the interactive rclone config and follow the steps. Just use defaults for any options, when in doubt. When done you should test it a bit, and then go back to documentation and read up to see if you want to tweak something (e.g. consider path lengths vs filename encryption issue). For a basic setup the steps are something like this:
n) New remote
Write a name of your choice, e.g. sftpcrypt.
10 / Encrypt/Decrypt a remote
Press enter, to accept default: Use default filename encryption
Press enter, to accept default: Directory name encryption
Enter a password (or let rclone generate one).
Press enter to use defaults for the rest.

The documentation at https://rclone.org/crypt/ shows an example with all steps, including the resulting configuration file.
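As an added illustration (not the poster's own file), here is the kind of sample rclone.conf asked for above, with the two remotes named "plain" and "encrypted" as in the first answer; the host name, user name, remote path and the obscured password values are placeholders you replace with your own.

```ini
# Sample rclone.conf (added example, not from the thread).
# "plain" is the underlying SFTP backend; "encrypted" is the crypt remote
# that wraps it. Host, user, path and password values are placeholders.

[plain]
type = sftp
host = sftp.example.com
user = backup
# Password/key material: rclone expects "obscured" values here. Note that
# obscuring is reversible, so anyone who can read this file can recover
# the values; protect rclone.conf with restrictive file permissions.
pass = <output of: rclone obscure <your-sftp-password>>

[encrypted]
type = crypt
# Everything written through "encrypted:" lands under this directory on the
# SFTP server as ciphertext; the server only ever sees encrypted bytes and
# encrypted file/directory names, never the plaintext or the key.
remote = plain:/home/backup/docs
filename_encryption = standard
directory_name_encryption = true
password = <output of: rclone obscure <your-encryption-password>>
password2 = <output of: rclone obscure <your-salt>>

# Typical use (run from a shell, not part of the config file):
#   rclone sync D:\docs encrypted: --track-renames --track-renames-strategy modtime -v
# Check what the untrusted server actually sees versus the decrypted view:
#   rclone ls plain:/home/backup/docs    # encrypted names and sizes only
#   rclone ls encrypted:                  # plaintext names, decrypted locally
```

If the first listing shows readable file names, the data was copied to "plain:" directly rather than through "encrypted:", and it is not protected at rest.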

Thanks, I'll try this!
