
simple encrypted backups

The following Nix configuration creates a new rclone remote called data: that transparently encrypts files before handing them to a second, real remote. That storage backend can be anything rclone supports; a good option is an S3-compatible bucket, such as the ones Cloudflare provides with R2.

In your home-manager config (osConfig is only available when home-manager is used as a NixOS module, which is what lets it reach the agenix secret paths below):

{
  # Enable rclone
  programs.rclone.enable = true;

  # Add some kind of storage config, for example an S3 bucket.
  # In my case this is a Cloudflare R2 bucket:
  programs.rclone.remotes.r2.config = {
    type = "s3";
    provider = "Cloudflare";
    region = "auto";
    acl = "private";
    endpoint = "https://<account-id>.r2.cloudflarestorage.com";
  };
  # Point the credentials at files rather than inlining them, so they
  # stay out of the world-readable Nix store:
  programs.rclone.remotes.r2.secrets = {
    access_key_id     = osConfig.age.secrets.r2-access-key-id.path;
    secret_access_key = osConfig.age.secrets.r2-secret-access-key.path;
  };

  # Add a crypt config that stores the data in the real bucket:
  programs.rclone.remotes.data.config = {
    type = "crypt";
    remote = "r2:encrypted-backups";
    # With these two settings only file contents are encrypted; file and
    # directory names are stored in plaintext, so the storage provider can
    # see the layout of the backup. Use "standard" / true to hide them too.
    filename_encryption = "off";
    directory_name_encryption = false;
  };
  programs.rclone.remotes.data.secrets = {
    password = osConfig.age.secrets.rclone-crypt.path;
    # Optional salt. Losing either value makes the backup unrecoverable,
    # so keep a copy of both somewhere other than this machine.
    password2 = osConfig.age.secrets.rclone-crypt2.path;
  };
}

The secrets can be managed with agenix. The decrypted files are owned by root by default, so give them to the user that runs rclone with owner and keep the restrictive default mode, rather than making them world-readable with mode 644:

{
  age = {
    secrets = {
      r2-access-key-id = {
        file = ./r2-access-key-id.age;
        owner = "<user>";   # the user whose home-manager config runs rclone
        mode = "0400";
      };
      r2-secret-access-key = {
        file = ./r2-secret-access-key.age;
        owner = "<user>";
        mode = "0400";
      };
      rclone-crypt = {
        file = ./rclone-crypt.age;
        owner = "<user>";
        mode = "0400";
      };
      rclone-crypt2 = {
        file = ./rclone-crypt2.age;
        owner = "<user>";
        mode = "0400";
      };
    };
  };
}

Then you can use the following command to upload all new or changed local files to the encrypted backup (copy never deletes anything on the remote):

rclone copy --interactive ~/data/ data:

You can also use sync, which additionally deletes from the remote any files you no longer have locally. Always run it with --dry-run first (or with --interactive) so that an empty or wrong source directory cannot silently wipe the backup.
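A wrapper around the sync step that makes the dry-run, the real sync and a verification into one procedure. This is an added example, not part of the original page. It assumes (unlike the page, which syncs to the root of data:) that the live tree lives under data:current, so that files sync would delete or overwrite can be diverted into data:trash/<timestamp> with --backup-dir, which must point at the same remote but must not overlap the destination. The BACKUP_SRC and BACKUP_DST variables are this script's own, not rclone's.

```shell
#!/bin/sh
# Added example: a "never delete silently" wrapper around rclone sync.
# Assumptions (not from the original page): the backup is kept under
# data:current and diverted files go to data:trash/<timestamp>.
set -eu

SRC="${BACKUP_SRC:-${HOME:-.}/data}"
DST="${BACKUP_DST:-data:current}"
# Same crypt remote as DST, different path: "data:current" -> "data:trash/<ts>"
BACKUP_DIR="${DST%%:*}:trash/$(date -u +%Y-%m-%dT%H%M%SZ)"

# Step 1: show what sync would add, update and delete without touching the remote.
plan_sync() {
  rclone sync --dry-run --verbose "$SRC" "$DST"
}

# Step 2: perform the sync. Anything that would be deleted or overwritten on
# the remote is moved under BACKUP_DIR instead of being lost, so a sync from
# an empty or wrong source directory is recoverable.
run_sync() {
  rclone sync --backup-dir "$BACKUP_DIR" --verbose "$SRC" "$DST"
}

# Step 3: verify the upload. A crypt remote cannot return hashes of the
# plaintext, so "rclone check" would fall back to comparing sizes only;
# cryptcheck encrypts the local data's hash and compares it with the hash
# the backend reports, which also catches silent corruption in the bucket.
verify_sync() {
  rclone cryptcheck "$SRC" "$DST"
}

case "${1:-}" in
  plan)   plan_sync ;;
  sync)   plan_sync && run_sync && verify_sync ;;
  verify) verify_sync ;;
  *)      echo "usage: $0 plan|sync|verify" >&2 ;;
esac
```

Run `./backup.sh plan` to see the planned changes, then `./backup.sh sync` once they look right; old versions accumulate under data:trash and can be pruned with rclone delete once you are sure you do not need them.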

Downloading files can then be done with:

rclone copy --interactive data: ~/data/

You can even read a single file on demand, decrypted on the fly, with:

rclone cat data:hello.txt