secrary[dot]com

Journey with Rclone

The Mistakes That Shaped My Backup Strategy

The first time I installed a Linux distro as a kid, I accidentally wiped our entire hard drive. Every photo, every video - gone.

Years later, the itch to explore Linux returned. I was older now, more confident, and I thought I understood how disks worked. Once again, I botched the formatting. Once again, our family memories vanished into the digital void.

Whenever I mentioned trying a new Linux distro on our shared PC, my brother would just say, “You’re going to delete all the photos again, aren’t you?”

A Fresh Start

By the time I reached university, I finally had my own laptop. I could experiment without risking anyone else’s data. Freedom at last. I copied all my important files/books, course notes, and the family media onto an external hard drive, while keeping a local copy too. For years, this dual-copy system worked. But as my personal and professional data grew, I started looking for a remote backup solution.

That’s when I discovered rclone, and my entire backup philosophy transformed.

Rclone is a free, open-source command-line tool that syncs files and directories to and from a wide array of cloud storage providers, including Google Drive, S3, SFTP servers, and dozens more. What truly set it apart for me was its built-in client-side encryption via the crypt remote wrapper. This means your local files stay plaintext and easily accessible for daily use, while everything transmitted to the cloud is encrypted on the fly, before it ever leaves your machine. Now all you need is an affordable and relatively fast storage provider; S3 buckets are usually pretty cheap.

Getting Started with Rclone

Setting up rclone boils down to two steps: configuring your base remote storage provider and layering encryption on top.

1. Basic Configuration

After installing rclone, run rclone config. It will guide you through authenticating with your chosen provider - say, Google Drive or Wasabi S3.

Once your base remote is set (e.g., named gdrive), run rclone config again to create an encrypted overlay. Choose the crypt type, point it to a subfolder on your base remote (like gdrive:encrypted_backup), and set strong passwords for encryption and salting.

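Pro tip: If you write the config file by hand, use rclone obscure to obscure these passwords before storing them. Obscuring is reversible obfuscation that only guards against someone glimpsing the password on screen; it is not a hash and not real encryption, so keep rclone.conf readable by your own user only.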

Your ~/.config/rclone/rclone.conf file might end up looking like this (with sensitive tokens redacted):

[gdrive]
type = drive
scope = drive
token = {"access_token":"ya29...","token_type":"Bearer","refresh_token":"...","expiry":"..."}
root_folder_id =

[encrypted]
type = crypt
remote = gdrive:encrypted_backup
filename_encryption = standard
directory_name_encryption = true
password = ***OBSCURED***
password2 = ***OBSCURED***

2. Testing Your Setup

Use the --dry-run flag to simulate a sync without touching any files. It previews exactly what would transfer, create, or delete:

rclone sync /local/path/to/data encrypted:backup --dry-run --progress --verbose

Review the output carefully. If it looks good, remove --dry-run for the real run.

3. Automation

To keep backups current without manual intervention, wrap your sync in a script and schedule it via cron.

#!/bin/bash
rclone sync /local/path/to/data encrypted:backup \
  --checksum \
  --fast-list \
  --metadata \
  --track-renames \
  --max-delete 100 \
  --log-level INFO \
  --log-file /var/log/rclone-sync.log \
  --progress

Add this to your crontab (crontab -e) for a daily run:

# 2 AM
0 2 * * * /path/to/your/script.sh >> /var/log/rclone-cron.log 2>&1

Rclone’s official docs dive deeper into tweaks like multi-threaded transfers (--transfers 4) or mounting remotes as local filesystems (rclone mount).
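
A pre-flight guard for the cron script above, as an added example that is not from the original post: it refuses to sync unless rclone.conf is accessible only by its owner and the destination remote is of type crypt, so a mistyped remote name cannot upload plaintext. The function names, the `run` argument, and the lock and log file locations are assumptions of this example; the remote names follow the sample config.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before the scheduled sync. Not from the original post.
# Assumed names: the functions, the "run" argument, lock and log locations.

# Print the "type" value of one remote's section in an rclone.conf-style file.
remote_type() {  # usage: remote_type <conf> <remote-name>
  awk -v want="[$2]" '
    /^\[.*\]$/ { in_sec = ($0 == want); next }
    in_sec && /^type[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# Succeed only if the config is accessible by its owner alone: the obscured
# crypt passwords and the OAuth token in it are usable by anyone who can read it.
conf_is_private() {  # usage: conf_is_private <conf>
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Refuse to sync unless the config is private and the destination is a crypt remote.
preflight() {  # usage: preflight <conf> <dest>, e.g. preflight rclone.conf encrypted:backup
  local conf="$1" remote="${2%%:*}"
  [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 2; }
  conf_is_private "$conf" || { echo "run: chmod 600 $conf" >&2; return 3; }
  [ "$(remote_type "$conf" "$remote")" = "crypt" ] ||
    { echo "'$remote' is not a crypt remote; data would upload unencrypted" >&2; return 4; }
}

# Real run, only when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then
  conf="${RCLONE_CONFIG:-$HOME/.config/rclone/rclone.conf}"
  dest="encrypted:backup"
  exec 9>"$HOME/.rclone-backup.lock"          # lock file path is an assumption
  flock -n 9 || { echo "previous backup still running" >&2; exit 1; }
  preflight "$conf" "$dest" || exit $?
  rclone --config "$conf" sync /local/path/to/data "$dest" \
    --checksum --max-delete 100 \
    --log-level INFO --log-file "$HOME/rclone-sync.log"
fi
```

To use it from cron, point the crontab entry at this script with the `run` argument; the lock stops a slow upload from overlapping with the next night's run.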

My Current Setup: The 3-2-1 Rule

Today, something like this runs on my home server. I’m trying to follow the 3-2-1 backup rule: three total copies of data, two of them local, with one off-site.

| Component | Details | Purpose |
| --- | --- | --- |
| Local Redundancy (2 copies) | ZFS mirrored pool with two NAS-grade HDDs. | Guards against single-drive failure or bit rot. ZFS’s checksumming detects corruption early. |
| Off-Site Backup (1 copy) | Encrypted rclone sync to affordable cloud storage. | Protects against theft, fire, or disaster. |

Everyday Access and Workflow

  • Media Management: I self-host Immich for a Google Photos-style library of photos and videos. Immich handles seamless syncing of photos and videos directly from my phone.
  • Mobile Sync: Before adopting Immich, I relied on Syncthing and FolderSync (on Android) to auto-upload photos, documents, and app backups.
  • Access from PC: Mount the server via SSHFS for seamless local-like editing: sshfs user@server:/path /local/mountpoint.

Tailscale provides zero-config VPN access from anywhere.