Encrypted backup to SMB and Proton Drive with rclone

Backing up data is important. Anyone who has ever lost data would agree. There is also a golden rule: “There are two kinds of people in this world—those who back up their data and those who will.”

Be smart and start doing this before you lose your data. I currently use Fedora (since Arch users can brag about what they use, so why not me?). I back up my laptop (btw, with a disk encrypted using LUKS) to my Synology NAS (which has RAID 1 - mirror, encrypted) via SMB, but also to the cloud, following the 3-2-1 rule.

  • 3 copies of data (the original + 2 backups).
  • 2 different media (e.g. a local disk + the cloud, or disk + tape).
  • 1 off-site copy (e.g. in the cloud or at another location).

So in my case:

  • Copy 1: the original data on my laptop
  • Copy 2: a backup on my NAS (SMB)
  • Copy 3: a backup on Proton Drive

This gives me 3 copies on 2 different media (NAS disk + cloud) with 1 off-site copy (Proton Drive).

I have already written about server backup and backing up in general. This time, however, I will go into a little more technical detail.

I asked ChatGPT to create illustrations for this article about a hacker configuring rclone. As always, it turned out weird. I don’t know why hackers are always portrayed as villains. Even in the AI’s opinion. Oh well, never mind.

Rclone backup

First, install rclone. I use the dnf package manager in Fedora. Debian users probably use the apt package manager, and Windows users can use the installer.

sudo dnf install rclone

You can read more about rclone on its official website. Below, I will show you my configurations for SMB and Proton Drive. Based on my setup, you can confidently configure any other destination that rclone supports. There are many options.

SMB (on NAS)

For more information about the SMB configuration, please refer to the documentation.

Start by launching the tool and creating the first remote location. Rclone has user-friendly wizards that will guide you through the entire process.

rclone config

No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n

Enter name for new remote.
name> nas

Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
...
49 / SMB / CIFS
\ (smb)
...
Storage> 49

Option host.
SMB server hostname to connect to.
E.g. "example.com".
Enter a value.
host> NAS_IP

Option user.
SMB username.
Enter a value of type string. Press Enter for the default (hoek).
user> USERNAME

Option port.
SMB port number.
Enter a signed integer. Press Enter for the default (445).
port> 445

Option pass.
SMB password.
Choose an alternative below. Press Enter for the default (n).
y) Yes, type in my own password
g) Generate random password
n) No, leave this optional password blank (default)
y/g/n> y
Enter the password:
password: PASSWORD
Confirm the password:
password: PASSWORD

Option domain.
Domain name for NTLM authentication.
Enter a value of type string. Press Enter for the default (WORKGROUP).
domain> WORKGROUP

Option spn.
Service principal name.
Rclone presents this name to the server. Some servers use this as further
authentication, and it often needs to be set for clusters. For example:
cifs/remotehost:1020
Leave blank if not sure.
Enter a value. Press Enter to leave empty.
spn>

Option use_kerberos.
Use Kerberos authentication.
If set, rclone will use Kerberos authentication instead of NTLM. This
requires a valid Kerberos configuration and credentials cache to be
available, either in the default locations or as specified by the
KRB5_CONFIG and KRB5CCNAME environment variables.
Enter a boolean value (true or false). Press Enter for the default (false).
use_kerberos>

Edit advanced config?
y) Yes
n) No (default)
y/n> n

Configuration complete.
Options:
- type: smb
- host: NAS_IP
- pass: *** ENCRYPTED ***
Keep this "nas" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d> y

Current remotes:

Name Type
==== ====
nas smb

I test whether it works:

rclone lsd nas:/path/to/the/folder

Next, I add a crypt remote on top of it, which encrypts the files, their names, and directory names.

rclone config

Current remotes:

Name Type
==== ====
nas smb

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n

Enter name for new remote.
name> nas-crypt

Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
...
15 / Encrypt/Decrypt a remote
...
Storage> 15

Option remote.
Remote to encrypt/decrypt.
Normally should contain a ':' and a path, e.g. "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a value.
remote> nas:path/to/the/folder

Option filename_encryption.
How to encrypt the filenames.
Choose a number from below, or type in your own value of type string.
Press Enter for the default (standard).
/ Encrypt the filenames.
1 | See the docs for the details.
\ (standard)
2 / Very simple filename obfuscation.
\ (obfuscate)
/ Don't encrypt the file names.
3 | Adds a ".bin", or "suffix" extension only.
\ (off)
filename_encryption> 1

Option directory_name_encryption.
Option to either encrypt directory names or leave them intact.
NB If filename_encryption is "off" then this option will do nothing.
Choose a number from below, or type in your own boolean value (true or false).
Press Enter for the default (true).
1 / Encrypt directory names.
\ (true)
2 / Don't encrypt directory names, leave them intact.
\ (false)
directory_name_encryption> 1

Option password.
Password or pass phrase for encryption.
Choose an alternative below.
y) Yes, type in my own password
g) Generate random password
y/g> y
Enter the password:
password: PASSWORD
Confirm the password:
password: PASSWORD

Option password2.
Password or pass phrase for salt.
Optional but recommended.
Should be different to the previous password.
Choose an alternative below. Press Enter for the default (n).
y) Yes, type in my own password
g) Generate random password
n) No, leave this optional password blank (default)
y/g/n> y
Enter the password:
password: PASSWORD
Confirm the password:
password: PASSWORD

Edit advanced config?
y) Yes
n) No (default)
y/n> n

Configuration complete.
Options:
- type: crypt
- remote: nas:path/to/the/folder
- password: *** ENCRYPTED ***
- password2: *** ENCRYPTED ***
Keep this "nas-crypt" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d> y

Current remotes:

Name Type
==== ====
nas smb
nas-crypt crypt

Proton Drive

I am now creating a second remote location on Proton Drive, similar to the first, so that I have one copy at home and one in the cloud.

rclone config

Current remotes:

Name Type
==== ====
nas smb
nas-crypt crypt

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n

Enter name for new remote.
name> proton

Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
...
45 / Proton Drive
...
Storage> 45

Option username.
The username of your proton account
Enter a value.
username> PROTON_EMAIL

Option password.
The password of your proton account.
Choose an alternative below.
y) Yes, type in my own password
g) Generate random password
y/g> y
Enter the password:
password: PROTON_PASSWORD
Confirm the password:
password: PROTON_PASSWORD

Option 2fa.
The 2FA code
The value can also be provided with --protondrive-2fa=000000
The 2FA code of your proton drive account if the account is set up with
two-factor authentication
Enter a value. Press Enter to leave empty.
2fa> CODE

Edit advanced config?
y) Yes
n) No (default)
y/n> n

Configuration complete.
Options:
- type: protondrive
- username: PROTON_EMAIL
- password: *** ENCRYPTED ***
- 2fa: CODE
Keep this "proton" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d> y

Current remotes:

Name Type
==== ====
nas smb
nas-crypt crypt
proton protondrive

Checking the connection:

rclone lsd proton:

Again, I add a crypt remote on top of it, which encrypts the files, their names, and directory names:

rclone config

Current remotes:

Name Type
==== ====
nas smb
nas-crypt crypt
proton protondrive

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> n

Enter name for new remote.
name> proton-crypt

Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
...
15 / Encrypt/Decrypt a remote
\ (crypt)
...
Storage> 15

Option remote.
Remote to encrypt/decrypt.
Normally should contain a ':' and a path, e.g. "myremote:path/to/dir",
"myremote:bucket" or maybe "myremote:" (not recommended).
Enter a value.
remote> proton:path/to/dir

Option filename_encryption.
How to encrypt the filenames.
Choose a number from below, or type in your own value of type string.
Press Enter for the default (standard).
/ Encrypt the filenames.
1 | See the docs for the details.
\ (standard)
2 / Very simple filename obfuscation.
\ (obfuscate)
/ Don't encrypt the file names.
3 | Adds a ".bin", or "suffix" extension only.
\ (off)
filename_encryption> 1

Option directory_name_encryption.
Option to either encrypt directory names or leave them intact.
NB If filename_encryption is "off" then this option will do nothing.
Choose a number from below, or type in your own boolean value (true or false).
Press Enter for the default (true).
1 / Encrypt directory names.
\ (true)
2 / Don't encrypt directory names, leave them intact.
\ (false)
directory_name_encryption> 1

Option password.
Password or pass phrase for encryption.
Choose an alternative below.
y) Yes, type in my own password
g) Generate random password
y/g> y
Enter the password:
password: PASSWORD
Confirm the password:
password: PASSWORD

Option password2.
Password or pass phrase for salt.
Optional but recommended.
Should be different to the previous password.
Choose an alternative below. Press Enter for the default (n).
y) Yes, type in my own password
g) Generate random password
n) No, leave this optional password blank (default)
y/g/n> y
Enter the password:
password: PASSWORD
Confirm the password:
password: PASSWORD

Edit advanced config?
y) Yes
n) No (default)
y/n> n

Configuration complete.
Options:
- type: crypt
- remote: proton:path/to/dir
- password: *** ENCRYPTED ***
- password2: *** ENCRYPTED ***
Keep this "proton-crypt" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d> y

Current remotes:

Name Type
==== ====
nas smb
nas-crypt crypt
proton protondrive
proton-crypt crypt

Backup script

After configuring rclone, I create a script that backs up my local folders to a NAS and Proton Drive.

#!/usr/bin/env bash
set -euo pipefail

# Local folders to back up
SRC1="/home/user/Desktop"
SRC2="/home/user/Documents"

# Sync both folders to each encrypted remote in turn
for DEST in nas-crypt proton-crypt; do
    if [[ "$DEST" == "nas-crypt" ]]; then
        # Flags for the SMB share on the NAS
        FLAGS=(
            --progress
            --create-empty-src-dirs
            --links
            --stats-one-line
            --contimeout 30s
            --timeout 5m
            --low-level-retries 3
            --retries 3
            --retries-sleep 10s
            --checkers 8
            --transfers 4
        )
    else
        # Flags for Proton Drive
        FLAGS=(
            --progress
            --create-empty-src-dirs
            --links
            --stats-one-line
            --fast-list
            --tpslimit 60
            --tpslimit-burst 120
            --low-level-retries 10
            --timeout 1m
            --contimeout 30s
            --retries 5
            --retries-sleep 20s
            --checkers 5
            --transfers 3
            --protondrive-replace-existing-draft=true
        )
    fi

    echo ">>> Sync $SRC1 -> $DEST:Desktop"
    rclone sync "$SRC1" "$DEST:Desktop" "${FLAGS[@]}"

    echo ">>> Sync $SRC2 -> $DEST:Documents"
    rclone sync "$SRC2" "$DEST:Documents" "${FLAGS[@]}"
done

Below is a description of the flags used for rclone:

General

  • --progress - Show a live progress bar during sync (same as -P).
  • --create-empty-src-dirs - Recreate source directories on the destination even if they end up empty after filtering.
  • --links - Preserve symbolic links as symlinks.

Flags for SMB (nas-crypt)

  • --stats-one-line - Output a single summary line at the end instead of periodic multi-line stats.
  • --contimeout 30s - Maximum time to establish a connection to the SMB server (30 seconds).
  • --timeout 5m - Maximum time for I/O operations before giving up (5 minutes).
  • --low-level-retries 3 - Retry failed low-level operations (e.g. temporary network glitches) up to 3 times.
  • --retries 3 - Retry higher-level operations (e.g. sync tasks) up to 3 times.
  • --retries-sleep 10s - Wait 10 seconds between each high-level retry.
  • --checkers 8 - Use up to 8 parallel “checker” threads to list and compare files.
  • --transfers 4 - Use up to 4 parallel file copy threads.

Flags for Proton Drive (proton-crypt)

  • --stats-one-line - As above, one summary line at the end.
  • --fast-list - Retrieve the entire directory tree in a single API call (minimizes number of requests).
  • --tpslimit 60 - Limit metadata operations to an average of 60 HTTP requests per second.
  • --tpslimit-burst 120 - Allow short bursts up to 120 requests in a row before throttling back to 60 req/s.
  • --low-level-retries 10 - Retry transient network or API errors up to 10 times.
  • --timeout 1m - Maximum time for I/O operations before giving up (1 minute).
  • --contimeout 30s - Maximum time to establish an HTTP connection (30 seconds).
  • --retries 5 - Retry higher-level sync tasks up to 5 times.
  • --retries-sleep 20s - Wait 20 seconds between each high-level retry.
  • --checkers 5 - Use up to 5 parallel “checker” threads for metadata operations.
  • --transfers 3 - Use up to 3 parallel file upload threads.
  • --protondrive-replace-existing-draft=true - On filename conflicts, overwrite any existing draft revision rather than failing.

In my example, I only back up two folders, but you can back up as many as you want.

SRC1="/home/user/Desktop"
SRC2="/home/user/Documents"
SRC3="..."

Add another rclone execution after adding a new location.

...
# FOLDER_NAME is a placeholder: give SRC3 its own destination folder.
# Syncing it to Desktop or Documents would replace that backup with the contents of SRC3.
echo ">>> Sync $SRC3 -> $DEST:FOLDER_NAME"
rclone sync "$SRC3" "$DEST:FOLDER_NAME" "${FLAGS[@]}"
...

You can always add file or directory exclusions to the script.

--exclude ".config/**" \
--exclude ".cache/**" \
--exclude "Download/**" \
--exclude "Public/**" \
--exclude "virtualmachine.ova" \
--exclude "test.txt"

If the list is long, create a file called excludes.txt.

.config/**
.cache/**
Download/**
Public/**
**/virtualmachine.ova
**/test.txt

and add --exclude-from excludes.txt to the script.

You can also exclude files that are larger than a certain size:

--max-size 200M \

If you run the script now, a backup will be performed and the files in the target locations will be encrypted.
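
Because the script runs under set -e, a failed sync to nas-crypt (for example when the laptop is away from the NAS) ends the script before proton-crypt is tried. The following is an added example, not the author's script, of the same loop with per-destination error handling and a deletion limit. The RCLONE, DESTS and MAX_DELETE variables and the function names are assumptions of the example, and it passes only flags common to both destinations.

```bash
#!/usr/bin/env bash
# Added example (not the article's script): a failed destination no longer
# stops the others, and an unexpected mass deletion aborts the sync.
set -eu

RCLONE="${RCLONE:-rclone}"                 # assumption: overridable for offline testing
DESTS="${DESTS:-nas-crypt proton-crypt}"   # crypt remotes configured in the article
MAX_DELETE="${MAX_DELETE:-100}"            # arbitrary threshold chosen for this example

# backup_to DEST SRC...  Syncs each source folder to DEST:<folder name>.
backup_to() {
    dest=$1; shift
    rc=0
    for src in "$@"; do
        name=$(basename "$src")
        echo ">>> Sync $src -> $dest:$name"
        # --max-delete makes rclone stop with an error instead of removing
        # more than MAX_DELETE files from the backup in one run.
        "$RCLONE" sync "$src" "$dest:$name" --links --create-empty-src-dirs \
            --max-delete "$MAX_DELETE" || rc=1
    done
    return "$rc"
}

# run_backup SRC...  Tries every destination; returns 1 if any of them failed.
run_backup() {
    failed=""
    for dest in $DESTS; do
        backup_to "$dest" "$@" || failed="$failed $dest"
    done
    if [ -n "$failed" ]; then
        echo "Backup FAILED for:$failed" >&2
        return 1
    fi
    echo "Backup OK for: $DESTS"
}

# Example call: ./backup.sh "$HOME/Desktop" "$HOME/Documents"
if [ "$#" -gt 0 ]; then
    run_backup "$@"
fi
```

The non-zero exit status marks backup.service as failed when the script is run from systemd, so a missed destination shows up in the unit status and the journal.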

Periodic execution

Of course, you can run this script manually from time to time, especially after making major changes to the files on the disk. However, it is also worth running it periodically.

To do this, create a systemd user unit called backup.service under ~/.config/systemd/user in your home directory.

mkdir -p ~/.config/systemd/user
nano ~/.config/systemd/user/backup.service

Fill it in:

[Unit]
Description=Rclone backup every 5 days

[Service]
Type=oneshot
ExecStart=/home/user/backup.sh

Create a timer:

nano ~/.config/systemd/user/backup.timer

with contents:

[Unit]
Description=Timer: backup every 5 days at 18:00 (with catch-up)

[Timer]

OnCalendar=*-*-1/5 18:00:00
Persistent=true

[Install]
WantedBy=timers.target

Solution description:

  • OnCalendar=*-*-1/5 18:00:00 - Defines the calendar schedule.
    • The *-*-1/5 means “every 5 days of the month”, i.e. days 1, 6, 11, 16, 21, 26.
    • 18:00:00 is the time of day to fire the timer.
  • Persistent=true - If the scheduled time was missed (e.g. the machine was off), systemd will run the job immediately after the next boot/login to “catch up” on missed events.
  • WantedBy=timers.target - Hooks this timer into the normal timer startup sequence. When you enable the timer (systemctl --user enable backup.timer), it creates a symlink so that timers.target will start it automatically at login.

Turn it on and activate the timer:

systemctl --user daemon-reload
systemctl --user enable --now backup.timer

Use the command below to check the status:

systemctl --user list-timers backup.timer

If you want it to run exactly every five days rather than on fixed days of the month, use this:

[Timer]
OnUnitActiveSec=5d
Persistent=true

Then, start it manually the first time.

systemctl --user start backup.timer

The next ones will be exactly five days apart from the end of the last one.

To check the logs for the last backup, run:

journalctl --user -u backup.service

The statistics will be the same as when you run the script manually. You can narrow them down to a specific time.

journalctl --user --since "2025-07-13 00:00" -u backup.service

Rclone recovery

Below are the steps to restore a backup from configured locations.

On the new system, you can configure rclone according to the above instructions, providing passwords for encryption. Alternatively, you can back up the ~/.config/rclone/rclone.conf file. When the time comes to reinstall the system, simply install rclone and move the rclone.conf file to its location. Then, verify that all remote locations are configured with the rclone listremotes command. In my case:

nas:
nas-crypt:
proton:
proton-crypt:

To restore the data from the NAS drive, run the following command:

rclone sync nas-crypt:Desktop ~/Desktop --links
rclone sync nas-crypt:Documents ~/Documents --links

or from Proton Drive:

rclone sync proton-crypt:Desktop ~/Desktop --links
rclone sync proton-crypt:Documents ~/Documents --links

I also encrypt the rclone configuration file using my PGP key.

gpg --list-keys

# EMAIL_ADDRESS is a placeholder for the address on your key (see gpg --list-keys)
gpg --encrypt \
  --recipient "John Doe <EMAIL_ADDRESS>" \
  --output rclone.conf.gpg \
  rclone.conf

A file secured in this way can be stored anywhere. Use the following command to decrypt it:

gpg --decrypt \
--output rclone.conf \
rclone.conf.gpg

If you don’t have a PGP key, you can use password-based symmetric encryption.

gpg --symmetric \
--cipher-algo AES256 \
--output rclone.conf.gpg \
rclone.conf

Then, you will need to enter and save the password, for example, in KeePassXC.
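
rclone config prints *** ENCRYPTED *** for stored passwords, but in rclone.conf they are only obscured (reversibly) unless a configuration password is set, so anyone holding the file can open the crypt remotes. The following is an added example, not from the article, that checks a config file before it is trusted or copied. The function name and the wording of the findings are assumptions, and it relies on GNU stat as shipped with Fedora.

```bash
#!/usr/bin/env bash
# Added example (not from the article): checks for an rclone.conf file.
set -eu

# audit_rclone_conf FILE
# Prints one line per finding; returns 0 if there are none, 1 otherwise.
audit_rclone_conf() {
    conf=$1
    bad=0

    # The file holds the SMB, Proton and crypt passwords, so only its owner
    # should be able to read it.
    mode=$(stat -c %a "$conf")    # GNU stat, as on Fedora
    case $mode in
        600|400) ;;
        *) echo "permissions are $mode, expected 600"; bad=1 ;;
    esac

    # A config protected with "s) Set configuration password" is stored
    # encrypted and carries this marker; its remotes cannot be inspected.
    if grep -q '^RCLONE_ENCRYPT_V0:' "$conf"; then
        return "$bad"
    fi
    echo "no configuration password: stored passwords are only obscured"
    bad=1

    # Per-remote checks on the plain-text INI sections.
    remote_findings=$(awk '
        function report() {
            if (type != "crypt") return
            if (!salt) print "[" name "] crypt remote has no password2 (salt)"
            if (plain) print "[" name "] filename_encryption is off"
        }
        /^\[.*\]$/ {
            report()
            name = substr($0, 2, length($0) - 2)
            type = ""; salt = 0; plain = 0
            next
        }
        /^type *=/                     { sub(/^type *= */, ""); type = $0 }
        /^password2 *=/                { salt = 1 }
        /^filename_encryption *= *off/ { plain = 1 }
        END { report() }
    ' "$conf")
    if [ -n "$remote_findings" ]; then
        echo "$remote_findings"
    fi
    return "$bad"
}

# Example call: ./audit-rclone-conf.sh ~/.config/rclone/rclone.conf
if [ "$#" -gt 0 ]; then
    audit_rclone_conf "$1"
fi
```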

Deja Dup

Before implementing this solution, I used Deja Dup, which allows you to easily back up and encrypt files to a mapped path or cloud drive. It is one of the better backup programs and has a GUI, making it more user-friendly for beginners. Deja Dup uses Restic as its engine.

That’s about it. Although it requires a lot of clicking, you only have to do it once. If anything ever happens to your data, you know where it is and how to recover it. You also won’t have to worry about some cloud provider having access to your files.

Periodically check the destination location to ensure that files are being created. From time to time, test the restore process by restoring your backup to a temporary folder to ensure that the entire system is functioning properly. After all, what good is a backup that doesn’t work?
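
One way to script the restore test described above, as an added example that is not part of the original article: it restores one folder into a temporary directory with rclone copy and compares it with the live folder using rclone check. The function name and the RCLONE override are assumptions; run it right after a backup, because files changed or deleted locally since the last run are reported as differences.

```bash
#!/usr/bin/env bash
# Added example (not from the article): restore drill into a throwaway folder.
set -eu

RCLONE="${RCLONE:-rclone}"   # assumption: overridable so the drill can be tested offline

# restore_drill REMOTE_PATH LOCAL_DIR
# Restores REMOTE_PATH into a temporary directory and compares the result
# with LOCAL_DIR. Returns 0 when every restored file matches, 1 otherwise.
restore_drill() {
    remote=$1
    local_dir=$2
    tmp=$(mktemp -d)
    status=0

    # "copy" into an empty directory cannot delete anything, unlike "sync".
    if ! "$RCLONE" copy "$remote" "$tmp" --links; then
        echo "restore of $remote failed" >&2
        status=1
    # An empty restore means nothing is being written to the backup.
    elif [ -z "$(ls -A "$tmp")" ]; then
        echo "restore of $remote is empty" >&2
        status=1
    # check compares sizes and hashes; --one-way ignores local files that
    # are not in the backup (new files, excluded files).
    elif ! "$RCLONE" check "$tmp" "$local_dir" --one-way --links; then
        echo "restored files differ from $local_dir" >&2
        status=1
    fi

    rm -rf "$tmp"
    return "$status"
}

# Example call: ./restore-drill.sh proton-crypt:Documents "$HOME/Documents"
if [ "$#" -eq 2 ]; then
    restore_drill "$1" "$2"
fi
```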

May your data be safe!
