Rclone Raspberry Pi encrypt sync cloud gives you automated, client-side encrypted backups to any major cloud provider from a Pi running headlessly on your network. Rclone’s crypt backend encrypts both file contents and filenames before data leaves the Pi, so the cloud provider stores only ciphertext. This guide covers installation, setting up a crypt remote over Google Drive or Backblaze B2, writing a sync script, scheduling with systemd, and verifying restores.
Last tested: Raspberry Pi OS Bookworm Lite 64-bit | February 7, 2026 | Raspberry Pi 4 Model B (2GB) | Rclone v1.68 | Backblaze B2 and Google Drive
Key Takeaways
- Rclone’s crypt backend encrypts file contents and filenames client-side before upload. The cloud provider never sees plaintext data or readable filenames.
rclone syncmakes the destination match the source exactly, including deletions.rclone copyonly adds or updates files and never deletes. Usecopyif you want the cloud to retain files deleted locally.- Store the rclone config password in an environment variable (
RCLONE_CONFIG_PASS) or a restricted file rather than entering it interactively in scripts. - Use
rclone checkto verify that source and destination match after each sync. A silent upload failure is worse than a visible error. - Backblaze B2 offers the best price-to-reliability ratio for most Pi backup setups at $0.006/GB/month with no egress fees to Cloudflare-connected services.
- Test a full restore before relying on any backup. Encrypted restores require the same password and salt used during setup. Losing these means the data is unrecoverable.
How Rclone Raspberry Pi Encrypt Sync Cloud Works
Rclone is a command-line tool that syncs files to and from over 40 cloud storage providers using their native APIs. It handles OAuth2 authentication, chunked uploads, retry logic, and rate limiting. The crypt backend is a transparent encryption layer that wraps any other remote. When you write to a crypt remote, Rclone encrypts the data locally before transmitting it. When you read from it, Rclone downloads and decrypts transparently.
The crypt remote layering model
A crypt remote is not a separate storage location. It is a wrapper around an existing remote that intercepts every read and write operation and applies encryption. The underlying cloud provider (Google Drive, B2, S3) stores only the ciphertext and sees only encrypted filenames.
| Layer | What it does | Example |
|---|---|---|
| Cloud remote | Connects to storage provider API | gdrive: or b2: |
| Crypt remote | Encrypts/decrypts all reads and writes | gdrive-crypt: |
| rclone command | Syncs local filesystem to crypt remote | rclone sync /home gdrive-crypt:backup |
rclone sync vs rclone copy
| Command | Adds files | Updates files | Deletes from destination | Use case |
|---|---|---|---|---|
rclone sync | Yes | Yes | Yes | Mirror: destination exactly matches source |
rclone copy | Yes | Yes | No | Backup: cloud retains files deleted locally |
rclone check | No | No | No | Verify: confirm source and destination match |
Choosing a Cloud Provider
| Provider | Storage cost | Free tier | Egress fees | Auth method |
|---|---|---|---|---|
| Backblaze B2 | $0.006/GB/month | 10GB | Free via Cloudflare | Access key + secret |
| Google Drive | $0.023/GB/month | 15GB | Free (API limits apply) | OAuth2 |
| Amazon S3 | $0.023/GB/month | 5GB (12 months) | $0.09/GB out | Access key + secret |
| Wasabi | $0.0068/GB/month | None | Free | Access key + secret |
| OneDrive | $0.02/GB/month | 5GB | Free | OAuth2 |
Backblaze B2 is the practical choice for most Pi backup setups. The pricing is predictable, egress is free when accessed through Cloudflare’s network (which includes the B2 CDN), and the S3-compatible API makes it easy to switch to other tools if needed. Google Drive is convenient if you already use it, but the 15GB free tier fills up quickly and the API rate limits require careful tuning with --tpslimit.
Step 1: Install Rclone
sudo apt update && sudo apt full-upgrade -y
# Install rclone using the official script
curl https://rclone.org/install.sh | sudo bash
# Verify
rclone versionThe official install script downloads the latest stable release for your architecture and places it in /usr/local/bin/. If you prefer not to pipe a script into bash, download the binary directly from rclone.org/downloads and install manually.
Expected result: rclone version returns v1.65 or higher. The architecture shown should be linux/arm64 or linux/arm depending on your Pi OS.
Step 2: Configure the Cloud Remote
Option A: Backblaze B2 (recommended)
rclone config
# In the wizard:
# n) New remote
# name: b2
# Storage type: Backblaze B2 (select the number for b2)
# account: your B2 account ID
# key: your B2 application key
# Leave other options as default
# Confirm and quitGenerate the application key in the Backblaze console under App Keys. Create a key scoped to a specific bucket rather than the master key. This limits damage if the key is compromised.
Option B: Google Drive
rclone config
# n) New remote
# name: gdrive
# Storage type: Google Drive
# client_id and client_secret: leave blank to use rclone's shared credentials
# (or create your own at console.cloud.google.com for production use)
# scope: drive (full access)
# Follow the OAuth2 URL shown, authorise in browser, paste the code backOn a headless Pi, the OAuth2 flow requires either a browser on another machine or the --auth-no-open-browser flag. Rclone provides a URL to open on any device and accepts the resulting code back in the terminal.
Verify the remote is working:
# Test listing the remote (should show your cloud storage contents)
rclone lsd b2:
# or
rclone lsd gdrive:Expected result: The command lists buckets or folders in your cloud storage without authentication errors.
Step 3: Add the Crypt Remote
The crypt remote wraps the cloud remote and handles all encryption. Run rclone config again:
rclone config
# n) New remote
# name: b2-crypt (or gdrive-crypt)
# Storage type: Encrypt/Decrypt a remote (select crypt)
# remote: b2:my-backup-bucket/encrypted
# (point to a path inside your existing remote)
# filename_encryption: standard
# (encrypts filenames -- recommended)
# directory_name_encryption: true
# (encrypts directory names too)
# password: enter a strong password (stored in config)
# password2 (salt): enter a second password (salt)
# (the salt prevents rainbow table attacks against the encrypted filenames)Record both the password and the salt in a password manager immediately. Losing either makes the encrypted data permanently unrecoverable. There is no reset mechanism.
Verify the crypt remote works by listing it:
rclone lsd b2-crypt:The output will be empty on a fresh remote or show decrypted directory names if archives already exist. If you see only encrypted filenames, the crypt remote is not being used. Confirm you are using the crypt remote name, not the base remote.
Expected result: rclone lsd b2-crypt: returns without error. Browsing the underlying bucket (rclone lsd b2:my-backup-bucket) shows only encrypted filenames that are unreadable without the crypt remote.
Step 4: Secure the Rclone Config
The rclone config file at ~/.config/rclone/rclone.conf contains your cloud credentials and encryption password. Restrict access immediately:
chmod 600 ~/.config/rclone/rclone.confFor additional security, set a config-level password that rclone prompts for on every use. Add it via rclone config under the “Set configuration password” option. For unattended scripts, pass it through an environment variable:
# Store config password in a restricted file
echo 'your-config-password' | sudo tee /etc/rclone-config-pass > /dev/null
sudo chmod 600 /etc/rclone-config-pass
sudo chown root:root /etc/rclone-config-pass
# Reference it in scripts:
export RCLONE_CONFIG_PASS=$(cat /etc/rclone-config-pass)Step 5: Write the Sync Script
#!/bin/bash
set -euo pipefail
export RCLONE_CONFIG_PASS=$(cat /etc/rclone-config-pass)
LOG=/var/log/rclone-sync.log
REMOTE=b2-crypt:
LOCAL_DIRS=(/etc /home /var/log)
exec >> "$LOG" 2>&1
echo "--- Sync started: $(date) ---"
for DIR in "${LOCAL_DIRS[@]}"; do
echo "Syncing $DIR..."
rclone copy "$DIR" "$REMOTE$(basename $DIR)" \
--transfers 2 \
--checkers 4 \
--tpslimit 10 \
--bwlimit 2M \
--log-level INFO \
--stats 60s
done
echo "Running integrity check..."
rclone check /home "${REMOTE}home" --log-level INFO
echo "--- Sync finished: $(date) ---"sudo chmod 750 /usr/local/bin/rclone-sync.shKey flags explained:
--transfers 2: number of simultaneous file transfers. Keep low on Pi to avoid CPU saturation during encryption.--tpslimit 10: limits API transactions per second. Essential for Google Drive, which throttles aggressively.--bwlimit 2M: caps upload bandwidth at 2MB/s to avoid saturating the network connection.rclone copyrather thanrclone sync: files deleted locally are retained in the cloud until explicitly pruned.
Expected result: Running the script manually completes without errors. /var/log/rclone-sync.log shows transferred file counts and sizes. The rclone check line reports no differences.
Step 6: Automate with Systemd Timer
Create /etc/systemd/system/rclone-sync.service:
[Unit]
Description=Rclone encrypted cloud sync
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/rclone-sync.sh
User=rootCreate /etc/systemd/system/rclone-sync.timer:
[Unit]
Description=Run Rclone sync every 6 hours
[Timer]
OnCalendar=*-*-* 00,06,12,18:00:00
Persistent=true
RandomizedDelaySec=600
[Install]
WantedBy=timers.targetsudo systemctl daemon-reload
sudo systemctl enable --now rclone-sync.timer
systemctl list-timers rclone-sync.timerAfter=network-online.target ensures the sync only starts when a network connection is confirmed. Persistent=true catches any missed runs if the Pi was powered off at the scheduled time.
Expected result: systemctl list-timers shows the timer active with a next trigger time. After the first scheduled run, the log shows a completed sync.
Restoring from an Encrypted Remote
Restoration uses the same crypt remote in reverse. The password and salt must match exactly what was used during setup:
# Restore a specific directory
rclone copy b2-crypt:home /tmp/restore-test
# Restore a single file (path relative to the remote root)
rclone copy b2-crypt:etc/nginx/nginx.conf /tmp/restore-test/
# List what is available before restoring
rclone ls b2-crypt: | head -50Run a test restore to a temporary directory monthly. Confirm the files open correctly and are not corrupted. A sync that has been silently failing for weeks is worse than no backup at all because it creates false confidence.
Performance Tuning
| Flag | Default | Recommended for Pi 4 | Effect |
|---|---|---|---|
--transfers | 4 | 2 | Parallel file transfers. Lower reduces CPU load from encryption. |
--checkers | 8 | 4 | Parallel file comparison threads. |
--tpslimit | 0 (unlimited) | 10 for GDrive, 50 for B2 | API calls per second. Prevents throttling. |
--bwlimit | 0 (unlimited) | 2M–5M | Upload bandwidth cap. Prevents saturating connection. |
--buffer-size | 16M | 32M | In-memory buffer per transfer. Reduces SD card reads. |
Monitoring and Logging
# Check systemd service logs
journalctl -u rclone-sync.service -n 50
# Check rclone log file
tail -100 /var/log/rclone-sync.log
# Check for errors specifically
grep -i "error\|failed\|rate limit" /var/log/rclone-sync.logSet up log rotation to prevent the log file from growing unbounded:
# /etc/logrotate.d/rclone-sync
/var/log/rclone-sync.log {
weekly
rotate 4
compress
missingok
notifempty
}Troubleshooting
Rate limit exceeded (Google Drive)
# Reduce API call rate and add retry configuration
rclone copy /home b2-crypt:home \
--tpslimit 5 \
--retries 10 \
--retries-sleep 10sGoogle Drive is the most aggressive throttler among common providers. Creating your own OAuth client ID and secret in the Google Cloud Console gives a higher quota than using rclone’s shared credentials.
Auth token expired
rclone config reconnect gdrive:OAuth tokens expire or become invalid when cloud account passwords change or access is revoked. Run reconnect and follow the auth flow to generate a fresh token.
Sync check shows differences after a completed sync
# Show which files differ between source and destination
rclone check /home b2-crypt:home --one-way
# Use --dry-run to see what a sync would change
rclone sync /home b2-crypt:home --dry-run --log-level INFODifferences after a completed sync usually indicate files that changed during the sync run, files excluded by filters, or clock skew between the Pi and the cloud provider affecting modification time comparisons. Add --use-server-modtime if clock skew is causing false differences.
Config file not found or permission denied
# Confirm config location
rclone config file
# Fix permissions
chmod 600 ~/.config/rclone/rclone.confCommon Use Cases
Offsite backup for BorgBackup repositories
The adjacent article BorgBackup Raspberry Pi Prune Policies covers local versioned backups. Rclone complements Borg by providing the offsite copy: after each Borg run completes, use rclone copy to push the Borg repository directory to an encrypted cloud remote. The combination gives you local versioned archives plus remote encrypted offsite storage.
Automated camera or sensor data upload
Pi-based camera or sensor setups that write files to a local directory can use Rclone to push new files to cloud storage automatically. Use rclone copy rather than rclone sync so that locally deleted files remain available in the cloud archive.
NAS-to-cloud offsite replication
Mount a NAS share on the Pi via NFS or SMB and use Rclone to push an encrypted copy offsite. The Pi acts as the encryption and upload gateway. See Time Machine Raspberry Pi NAS with Samba for NAS setup details.
FAQ
Can I use Rclone on Raspberry Pi Zero?
Yes for lightweight tasks. Pi Zero 2 W handles small sync jobs adequately. Encryption adds CPU overhead, so large transfers or many small files will be slow. For sustained cloud backup workloads, Pi 4 is the practical minimum.
Is the crypt remote encryption strong enough for sensitive data?
Yes. Rclone crypt uses XSalsa20 for content encryption and AES-SIV for filename encryption, both of which are well-reviewed modern ciphers. The security depends entirely on keeping the password and salt private. The cloud provider cannot decrypt the data regardless of what access they have to the stored files.
Does Rclone work with multiple cloud services simultaneously?
Yes. Configure as many remotes as needed in rclone config. A common pattern is a primary encrypted remote on B2 for durability and a secondary copy on Google Drive for easy browser access. Each remote has its own credentials and can be targeted independently in scripts.
How do I restore if my Pi dies and I have a new one?
Install Rclone on the new Pi, recreate the same remote configuration (cloud credentials, crypt remote with identical password and salt), and run rclone copy remote-crypt: /restore-destination/. The configuration can be recreated from scratch as long as you have the credentials and the crypt password and salt.
What is the difference between rclone sync and rclone copy?
rclone sync makes the destination an exact mirror of the source, including deleting files at the destination that no longer exist at the source. rclone copy only adds and updates files without deleting. For backup purposes, copy is safer because accidental local deletion does not propagate to the cloud immediately.
References
About the Author
Chuck Wilson has been programming and building with computers since the Tandy 1000 era. His professional background includes CAD drafting, manufacturing line programming, and custom computer design. He runs PidiyLab in retirement, documenting Raspberry Pi and homelab projects that he actually deploys and maintains on real hardware. Every article on this site reflects hands-on testing on specific hardware and OS versions, not theoretical walkthroughs.
Last tested hardware: Raspberry Pi 4 Model B (2GB), USB SSD. Last tested OS: Raspberry Pi OS Bookworm Lite 64-bit. Rclone v1.68, Backblaze B2 and Google Drive.