First, register a new blackblaze b2 account if you don’t have one already. Make sure you select the right region during sign-up - it cannot be changed later. Create a new bucket, name it after your hostname. Create a b2 rclone remote (see doc). Create a crypt overlay over the b2 remote (see doc). Generate long passwords.
The resulting config is something like this:
$ cat ~/.config/rclone/rclone.conf [b2] type = b2 account = *redacted* key = *redacted* [b2_HOSTNAME_crypt] type = crypt remote = b2:HOSTNAME filename_encryption = standard directory_name_encryption = true password = *redacted* password2 = *redacted*
rclone mount to see if it works.
Use the b2 online browser to verify that the uploaded data is encrypted.
If you want to backup your home directory, chances are, you don’t want to backup it all (e.g: ignore .cache). Create an rclone filter file that selects the files to sync:
$ cat ~/.config/rclone/filter.txt - .cache/** + **
rclone ncdu --filter-from .config/rclone/filter.txt . to verify that the right files are selected.
Automate with systemd
To sync the directory, use
rclone sync. To avoid overwriting previous backups, use
The following systemd service can be used:
$ cat ~/.config/systemd/user/rclone.service [Unit] Description="Sync selected parts of home directory to b2 encrypted remote storage" [Service] Type=oneshot ExecStart=%s -c 'rclone sync --filter-from %E/rclone/filter.txt %h b2_%H_crypt:home --b2-hard-delete --fast-list --transfers 32 --backup-dir b2_%H_crypt:home-$$(date +%%u)'
This will keep 1 week worth of data without overwriting. A simple systemd timer can make it run daily:
$ cat ~/.config/systemd/user/rclone.timer [Unit] Description="Sync daily" [Timer] OnCalendar=*-*-* 12:15:00 FixedRandomDelay=true Persistent=true [Install] WantedBy=timers.target
Enable and start the timer:
$ systemctl --user enable rclone.timer $ systemctl --user start rclone.timer
Backup the config
If the rclone encryption passwords are stored in the directory that is being backed up, in case of a local failure, the remote content cannot be restored. Therefore, the rclone config must be stored separately. The Paperkey page offers a couple of ideas. For example, to get a printable version of an encrypted config, do:
$ qrencode --8bit -t svg -lH -o config.svg < encypted_config
$ zbarcam -1 --raw -q -Sbinary
The encryption can happen with e.g:
gpg, that requires a similar treatment of the private key.
Note about browsers
Browsers tend to write their persistent storage frequently, making it more difficult to create a consistent snapshot of them. To reduce the chance that a browser write conflicts with the sync action, use Profile Sync Daemon It will move the browser storage to memory, and sync it back periodically.