Written by Prof. Rom Feria
For most users, cloud storage is provided by either Google or Microsoft, or both. Google Drive and Microsoft OneDrive are familiar to educators and students due to their institutions’ subscriptions. In addition, you get free storage from either company when you sign up for their free Gmail or Office 365 accounts. Whilst both companies secure your data, your data are not guaranteed to be private — yes, the data is encrypted at rest, but the encryption is managed by them, not you. What does this mean? Well, they can always decrypt it, right? It is always a good idea to control and manage your own encryption, and not provide these companies access to the keys/passwords.
I know of two (2) ways of keeping your data private using open source software, whilst hosting it on Google Drive or Microsoft OneDrive. One is Cryptomator (https://cryptomator.org). This, in my opinion, is the easiest route to encrypting data on your cloud storage. It supports Windows, macOS, Linux, Android and iOS. The desktop versions of the software are free (but if you want dark mode, you need to donate a minimum of US$15). The iOS and Android versions are not free, however, with the iOS version going for PhP249 and the Android at PhP289. To create your encrypted vault on Google Drive or Microsoft OneDrive, you will need to have their respective applications, at least on the desktop, installed and configured. Since I refuse to install either of these two applications, I did not continue with Cryptomator. I did not consider paying for the mobile version, too, so I did not test it.
Instead of Cryptomator, I opted for rclone. I wrote about rclone before, but this time, I will expound further on how I have it configured. I have installed rclone on my Raspberry Pi 4 at home (which also serves as my Pi-hole, file server, and WireGuard VPN server).
Using “rclone config”, I have created a connection between my Raspberry Pi (RPi) and my Google Drive, and named it gdrive. This specific connection is not encrypted. It simply allows me to access everything stored on my Google Drive. However, this is not what I want — I want an encrypted storage. So invoking “rclone config” again, I created an encrypted subdirectory off of gdrive (it will ask you for a password, and another optional password — I used both), and called it gdsecret. Now, every subdirectory created on gdsecret will be obfuscated, and any file stored in it will be encrypted.
Using gdsecret to store and retrieve files requires that you always use the rclone application. Whilst this should not be a big deal, I decided that to allow scripts and applications access, and to be able to access it from my iPhone and iPad Pro, I need to get my favorite SFTP iOS/iPadOS application, ShellFish (PhP449 in-app purchase), to support it (unfortunately, baking rclone into the ShellFish application is not on the developer’s radar at this point). So to do this, I created a mount point “/mnt/gdsecret” on my RPi, and issued the “rclone mount” command on gdsecret to make the encrypted remote drive appear as a usual remote storage. Now, when I use the iOS/iPadOS Files app with ShellFish, gdsecret appears just like an ordinary drive, but with the added encryption support. Files retrieved are automatically decrypted, too. The same goes for scripts and applications that I run on the RPi. Nice, eh?
On the desktop, you can simply use Samba to mount “/mnt/gdsecret”, but this requires that you configure Samba on the server, e.g., RPi, which I decided not to do, since I’d rather use SFTP.
Whilst I can easily connect to the RPi from outside of my home network, thanks to WireGuard, I decided to create a US$5/mo instance on Linode to serve as an alternative WireGuard VPN server for me, and also as another rclone node, with the same configuration as my home RPi. So now I have two points of entry to my encrypted Google Drive storage.
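With this setup the crypt passwords live in rclone's config file on every node that mounts gdsecret, stored in obscured (reversible) form, so that file has to be protected like a key. The shell functions below are an added example, not from the original post: they audit such a config for loose file permissions, a crypt remote that does not wrap the expected backing remote, and file name encryption being switched off. The folder name "secret" and the password values in the sample config are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample config: gdrive/gdsecret are the post's names; the folder
# "secret" and both password values are placeholders (assumptions).
write_sample_conf() {  # usage: write_sample_conf FILE
    cat > "$1" <<'EOF'
[gdrive]
type = drive

[gdsecret]
type = crypt
remote = gdrive:secret
filename_encryption = standard
password = CONSTRUCTED-OBSCURED-VALUE-1
password2 = CONSTRUCTED-OBSCURED-VALUE-2
EOF
}

# Print the value of KEY in [SECTION] of an INI-style rclone config.
conf_get() {  # usage: conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print findings; return 0 only if every check passes.
audit_crypt_remote() {  # usage: audit_crypt_remote FILE CRYPT_REMOTE BACKING_REMOTE
    f=$1; c=$2; rc=0
    # Stored passwords are only obscured (reversible), so file access is key access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $f is accessible to group/other (chmod 600)"; rc=1; }
    # A config protected by an rclone config password cannot be inspected further.
    if grep -q '^RCLONE_ENCRYPT_V0:' "$f"; then echo "ok: config encrypted"; return $rc; fi
    [ "$(conf_get "$f" "$c" type)" = crypt ] ||
        { echo "FAIL: [$c] is not a crypt remote"; rc=1; }
    case "$(conf_get "$f" "$c" remote)" in
        "$3":*) ;;
        *) echo "FAIL: [$c] does not wrap $3:"; rc=1 ;;
    esac
    [ "$(conf_get "$f" "$c" filename_encryption)" != off ] ||
        { echo "FAIL: [$c] stores file names in clear"; rc=1; }
    [ -n "$(conf_get "$f" "$c" password)" ] ||
        { echo "FAIL: [$c] has no password"; rc=1; }
    return $rc
}
```

On a real host, run `audit_crypt_remote` against the path that `rclone config file` prints, with `gdsecret` and `gdrive` as the remote names. Setting a configuration password through `rclone config` encrypts the whole file, which the audit reports as "config encrypted".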
Using rclone now allows me to take advantage of the free Google Drive space, whilst keeping everything encrypted and away from Google’s eyes. I can do the same for Microsoft OneDrive, too, but at the moment, I don’t have any compelling reason to do it.