In this article you'll learn how to backup a Linux or BSD (Unix) based server using the tool rclone - an open source file transfer software which has support for backing up to business/enterprise file storage services such as Backblaze B2, Amazon S3, Google Cloud Storage, as well as consumer cloud file storage such as Dropbox, Google Drive, and more
We'll be using Backblaze B2 for this article's examples, however it's very easy to use a different service such as Amazon S3, GCP, Dropbox, etc.
It's also possible to use rclone for transferring files between folders on your own drive(s), as well as other servers that you operate using the SFTP, FTP, or WebDAV remotes. This article assumes you're using B2, but the commands are basically the same whether you're using a third-party like B2/S3/Dropbox or your own server via SFTP/WebDAV.
NOTE: We are NOT SPONSORED by Backblaze, Amazon, Google, or any of the other file storage services listed in this article. We use B2 as an example as they are one of the cheapest file storage services, and we personally trust their service
This article includes setting up an encrypted (crypt) remote which we layer over our B2 remote to handle encrypting and decrypting your files on-the-fly using a password you set during the configuration. This ensures your remote file storage provider cannot access your data.
We have virtual servers starting from just US$0.99/mo, and dedicated servers starting from as low as US$50/mo
Unlike other hosts, we don't ask for any personal details - only a name (can be an alias / username), and an e-mail address so we can send you your server details and renewal invoices.
We also accept several different cryptocurrencies with our own in-house payment processor - no third parties involved in processing your payments.
At the time of writing, we currently accept: Bitcoin (BTC), Litecoin (LTC), Monero (XMR), Dogecoin (DOGE), HIVE, and HBD
First you'll need to sign up for a supported rclone "remote", such as Backblaze B2 or Amazon S3
Assuming you've signed up for Backblaze B2, you'll want to create a "bucket" to store your data, a bucket is effectively a folder which you can restrict access to, so you could create a separate bucket and API key for each server you have to ensure if one gets compromised, an attacker can't access all of your buckets
Once you've created a bucket (in this example we'll call our bucket srvbackups), you'll then need to go to Application Keys / API Keys and generate an API key - click on "Add a new application key", give it a name, and select whether it has access to all buckets or just the bucket you created (it's safest to limit it to just one bucket). You don't need to set the file name prefix or duration.
You'll now see the key ID, key name, and application key - save these somewhere safe and secure such as a password manager, as you'll need them for rclone
Rclone is available in most package managers under the name rclone, it can also be downloaded from the Rclone official website
For Ubuntu, Debian, Linux Mint, and other Debian derivatives, you can install it using apt:
apt update
apt install rclone
For Red Hat Enterprise Linux (RHEL), CentOS, SUSE, Fedora, Rocky Linux, Oracle Linux, and other RHEL-based systems, you should use dnf or yum:
dnf install rclone
# if dnf isn't available, try using yum
yum install rclone
For FreeBSD and certain other BSDs:
pkg update -f
pkg install rclone
For macOS:
brew update
brew install rclone
Now you'll want to configure rclone, which you can do using it's interactive configuration text based UI (TUI)
rclone config
You should see something like this:
Current remotes:
Name Type
==== ====
e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q>
Press the letter n to create a new remote and hit enter
It will ask you to name the remote, you may name it anything you'd like, for this example we're going to use b2base which describes that it's the base remote which connects directly to B2
It'll then ask you which type of remote you'd like to create, look through the list and find the storage service that you'd like to use, we're using B2 in this example, so we enter b2 (or you can enter it's position number, which in our version of rclone is 6) and hit enter
Now it asks for the "Account ID" - for B2 you should enter the value of keyID that was generated for your API key
Then it'll ask for your "Application Key" - enter the value of applicationKey you generated earlier
Next it asks about "hard delete" - whether you want rclone to fully delete files when you ask it to delete a file on this remote, you should enter true so that rclone is able to properly delete files to free up space
Then it'll ask if you'd like to edit the advanced config, you should hit n for this as you don't really need to edit the advanced config
Finally it will show you your configuration so far, and ask if it looks okay. Check to make sure the information looks correct, and then hit y to confirm it's correct and save the remote.
This is optional, however it's strongly recommended to ensure that your file storage provider cannot read your files, it will also help protect you if your file storage account is ever compromised, as the hacker will not be able to read your B2 data without the encryption keys.
BE AWARE - if you use encryption, then you must use rclone to restore your backed up files, as only rclone will be able to decrypt them - rclone will automatically handle encrypting files when you upload them, and decrypting them when you download them, as if they were normal files.
Some rclone remotes work as layers, such as the crypt (file encryption) remote, chunker (split files into smaller chunks for services that have max file sizes), and certain other remotes. We'll be making a new remote using crypt which we'll layer on top of the existing b2base remote we created earlier, so that we can encrypt our files while uploading them to B2, as well as decrypt them while downloading them
From the rclone config menu, hit n to create a new remote, you may then name the remote whatever you like, but we're going to call it b2 for convenience.
When it asks for the remote type, enter crypt and hit enter to create an encryption layer remote
It'll now ask you for the "remote to encrypt/decrypt", you should enter the path to the remote you created earlier, and for convenience you should append the bucket name to the path (even if your API key is restricted to one bucket, rclone still needs to ask for that bucket in the path)
Assuming you named the base b2 remote b2base and your bucket is called srvbackups, you would enter the following path:
b2base:srvbackups
Then hit enter.
Next it will ask if you want to encrypt the filenames (the names of your files such as Some Document.pdf), this is up to you - if you believe that your filenames may be incriminating, you should choose standard or obfuscate - otherwise you may choose off to disable filename encryption
It will now ask if you want to encrypt directory (folder) names too - note this will only work if you have filename encryption enabled. If you think your folder names may be incriminating/sensitive, then you should turn this on by entering true, otherwise enter false
Now it will ask you if you'd like to enter your own custom password, or have rclone generate a random password for you. This is up to you, if you don't already have an encryption password that you'd like to use, then you may choose g to have rclone generate a password, otherwise hit y to enter a custom password.
If you select g (generate password), it will ask how many bits you want your password to be, with smaller numbers meaning shorter less secure passwords, and bigger numbers meaning longer more secure passwords. 64 bits would result in a password around 11 chars, while 512 bits results in a password around 86 chars
Option password.
Password or pass phrase for encryption.
Choose an alternative below.
y) Yes, type in my own password
g) Generate random password
y/g> g
Password strength in bits.
64 is just about memorable
128 is secure
1024 is the maximum
Bits> 512
Your password is: UkTgSXC_6NBadZycyLpxcjQoRcFPF2sM2VFV9rxsnfSN21rK8MoDzwXfgtv8cW0KngI86VPv5e5RrGo-AmffZQ
Use this password? Please note that an obscured version of this
password (and not the password itself) will be stored under your
configuration file, so keep this generated password in a safe place.
y) Yes (default)
n) No
y/n>
If you're happy with the generated password, go ahead and hit y - PLEASE SAVE YOUR PASSWORD SECURELY, SUCH AS IN A PASSWORD MANAGER. If you lose your password, you will lose your data and cannot recover the password.
Next it will ask you if you'd like to have a salt (a second password), which will help to improve the security of your encryption, so it's strongly recommended to use a salt. You may enter y to enter a custom salt, or enter g to have it generate the salt just like for the main password. If your main password is long and secure, then you may use a short password for the salt if you prefer - for best security you want both password + salt to be long and secure.
PLEASE SAVE THE SALT SECURELY - If you choose to have a salt password, then you will need both passwords to decrypt your data, so DO NOT lose your salt!
Now it should ask you if you'd like to edit the advanced config, you may simply hit n as we don't need to edit the advanced config.
Finally it will show you your configuration so far and ask you to confirm it looks okay - if it looks good, go ahead and hit y
Now that you've setup an encryption remote we can go ahead and start using rclone with B2 :)
To back up a folder or file, you may use rclone copy to copy a file/folder to one of your remotes, such as B2
For example, to backup our /etc folder to the encrypted B2 remote we setup previously:
rclone copy -P /etc/ b2:etc/
It's important to put a slash at the end of folders, which tells rclone to copy the contents of the folder, rather than the folder directly. Without a slash at the end, rclone may have put /etc into /etc/etc
The -P flag means show progress, so that rclone shows the percentage transferred, which file is currently being transferred, upload speed, etc.
To backup an individual file, we can do the same command just with a file instead of a folder:
# Backup somefile.txt into the folder "backups/" on B2
rclone copy -P /home/ubuntu/somefile.txt b2:backups/
In some cases you don't want to have to output an archive to your disk before backing it up to a remote, especially if you have limited disk space. We can use rclone rcat to upload the output of a command directly onto a remote like B2 without the need to output it to disk first.
For example, here we use tar to archive our /home folder and output the .tar file directly onto B2:
tar cf - /home | rclone rcat -P b2:backups/home.tar
To restore a backed up file/folder, we can use the same command we used to originally backup a file (rclone copy), just in reverse.
For example we'll restore somefile.txt from B2 into our home folder:
rclone -P b2:backups/somefile.txt /home/ubuntu/
Much like we can output a tar archive directly onto a remote using rclone rcat - you can also use rclone cat for the reverse, which is reading a file from a remote and outputting it to stdout instead of a file.
We can use this to unpack an archive without having to download it first:
rclone cat b2:backups/home.tar | tar xvf -
With regular backups, over time you accumulate old backups which are no longer needed and take up a lot of space, thankfully rclone includes some flags which allow us to delete files older than a certain amount of time, such as a week or 2 months.
The following command will do a "dry run" of purging files in the backups folder of our B2 bucket which are older than 2 weeks - dry run means it will not actually delete anything, it will just "pretend" to show you what it will delete if you run the real command:
rclone delete -P --dry-run --min-age 2w b2:backups/
After running it with --dry-run, check to make sure it's not deleting anything that it shouldn't be. Once you're sure it's only going to delete the files you expect it to, you can remove --dry-run so that it deletes the files for real.
We have virtual servers starting from just US$0.99/mo, and dedicated servers starting from as low as US$50/mo
Unlike other hosts, we don't ask for any personal details - only a name (can be an alias / username), and an e-mail address so we can send you your server details and renewal invoices.
We also accept several different cryptocurrencies with our own in-house payment processor - no third parties involved in processing your payments.
At the time of writing, we currently accept: Bitcoin (BTC), Litecoin (LTC), Monero (XMR), Dogecoin (DOGE), HIVE, and HBD