How to configure your remote encrypted backup.

EncFS and Rsync

EncFS and Rsync - the "almost" perfect match.

Last modified: 14 March 2020

How does it work

Firstly Encfs is a FUSE-based cryptographic filesystem which will transparently encrypt files using an arbitrary directory as storage. This way you will have two directories, one with the encrypted files (the one to be synchronized remotely) and the other (virtual) will be mounted (with password) and will show the cleartext files.

Encfs is considered the simplest software if you want to try disk encryption on Linux.

Secondly, rsync will keep the encrypted folder synchronized so that only the already encrypted files will be stored on the remote cloud (Dropbox, Google Drive, OneDrive, etc. or your own).

How does it work

Let’s start.

NOTE: a probably better version in term of performance (not personally tested yet) is gocryptfs. (aspiring successor).

0. Installation

1. Initialize your local encrypted folder

$ encfs ~/encrypted ~/cleartext

Then it will ask for defailt or paranoia mode, with the latter you choose the security parameters you want. (AES 256)

This will create a .encfs6.xml file in the directory. That file must be kept secret. And you have to copy it over other devices you want to have cleartext synchronization too.

2. Use the cleartext folder

Now you can use the ~/cleartext folder and files will appear encrypted in the ~/encrypted folder.

3. rsync TO the cloud

Now you can rsync the ~/encrypted folder to your cloud of choice with rsync :

$ rsync -arvz --whole-file --progress -O ~/encrypted/ user@domain:/home/mycloud/

And it’s done! Now only the encrypted files will be on your remote storage.

Let’s see how to have multiple setups.

On another machine

1. Copy the .encfs6.xml

Copy the .encfs6.xml file from the previous ~/cleartext to this machine ~/encrypted folder. (recreate your two folders in this machine)

2. Initialize your local encrypted folder

$ encfs ~/encrypted ~/cleartext

Now we are going to syncronize the local ~/encrypted folder with the files from the cloud.

3. rsync FROM the cloud

$ rsync -arvz --whole-file --progress -O user@domain:/home/mycloud/ ~/encrypted/

4. add a file and sync

  1. Now try to create a new file in the ~/cleartext/
  2. Push to cloud
    $ rsync -arvz --whole-file --progress -O ~/encrypted/ user@domain:/home/mycloud/
  3. back from the first machine
    $ rsync -arvz --whole-file --progress -O user@domain:/home/mycloud/ ~/encrypted/


I personally have alias that helps me, like for example:

alias syncNotesDown='rsync -arvzz --whole-file --progress myvps:/home/my/mycloud/ --exclude .encfs6.xml ~/.MyNoteEncrypted '
alias syncNotesUp='rsync -arvzz --whole-file --progress ~/.MyNoteEncrypted/ myvps:/home/my/mycloud/ --exclude .encfs6.xml'
alias mountNotes='encfs ~/.MyNoteEncrypted ~/MyNotes/'

then at startup when I want to mount my decrypted notes folder I just do mountNotes.

All your files are synchronized between the two machines, leaving only the encrypted files over the server.

Please feel free to make any comment! If anything is unclear, just write in the comment and I will update the post!

Thanks for reading!

Carlo Alberto