I was reading the page for the crypt module but it doesn’t go into what it does? I know it can encrypt the file name, but what about the file contents?
And is it possible to sync and encrypt on the fly so I don’t have to upload and then encrypt?
Yes this exactly how crypt works. File names (if you want) and all contents are encrypted on the fly during the copy/sync operations.
So just by using rclone sync source destination the files are encrypted or do I have to pass a special option?
You actually have to set up the encryption part before you copy/sync. Then rclone will manage it on-the-fly. It’s pretty easy and if you’ve set up the “remote” already it’s just as easy.
See how to set it up here: http://rclone.org/crypt/
I did but I didn’t draw the conclusion that crypt just sets the encryption up that sync will use. The way I read it I thought crypt will encrypt all the files that are already there.
Thank you!
Now to figure out how to get my AWS S3 working and I’ll be golden. 
Follow up question. My understanding is that if I use my own passwords then I can from another machine “download” the un-encrypted data from my AWS S3 IA bucket, right?
Also, how do I “download” data? I see how to upload to remote but not how to get from remote? Or do I just need to use the remote as the source with sync?
Yes. The config file is at ~/.rclone.config. You can drop that file on any system with Rclone installed and it will work.
Yep. You can use the remote as a source and something unecrypted as the destination and rclone crypt will decrypt it on the fly for you.
Thank you @chrisanthropic! I got it all set up and did a test. I have to say I am impressed. It works very nicely.
I’m gonna do some tests with and without encryption to see how much longer it takes to do encryption.
I was wondering though, is it possible to encrypt and/or decrypt files in-place AFTER they have been uploaded?
In place - not exactly.
You can ‘migrate’ from the encrypted remote to the decrypted one: rclone copy/move/synce $UNENCRYPTED-REMOTE: $ENCRYPTED-REMOTE: which will copy/move/sync from the unencrypted remote to the encyrpted one, ON-THE-FLY without ever keeping the data on your disk. This is great for small VPS like Linode with small SDDs adn encypted to unencrypted works the same way of course.
So if both remotes are in the same S3 bucket, would that just be a local servers side move?
Not quite. My understanding is that rclone actually encrypts/decrypts literally on the fly - it essentially streams it from one source to the other, encrypting/decrypting on the fly, but it isn’t a straight cp/mv-like command.