Objective

Set up encrypted, incremental cloud backups for privacy-sensitive local data using rclone crypt. All encryption happens client-side before data leaves the machine.

Context

Several local data sources have no off-host backup. A single disk failure would lose everything. The content is privacy-sensitive (e.g., roleplay character cards, chat logs), so cloud storage requires encryption at rest and in transit.

Current state:

  • SillyTavern data: ~/projects/SillyTavern/docker/data (913 character card PNGs, chat logs, settings)
  • Character card captures: ~/Downloads/character-cards (688 PNGs from browser extension)
  • No encryption at rest on any of these
  • Obsidian vault is already in iCloud but not encrypted

Approach

Tool: rclone with crypt overlay for client-side encryption.

Destinations: iCloud Drive or Google Drive (evaluate both; iCloud is already set up on macOS).

Design considerations:

  • Incremental sync (only changed files upload), important for ~1000 binary PNGs
  • File name and content encryption (rclone crypt supports both)
  • Scriptable for automation (cron or launchd)
  • Restore procedure must be documented and tested
  • Consider multiple backup sources beyond ST (identify other candidates)

Architecture:

local dirs → rclone crypt (encrypt) → rclone remote (iCloud/GDrive)

Next Actions

  • Install rclone (brew install rclone)
  • Evaluate iCloud vs Google Drive as remote target
  • Configure rclone remote for chosen cloud provider
  • Configure rclone crypt overlay on top of remote
  • Identify all local directories that need encrypted backup
  • Write backup script with include/exclude rules
  • Test backup and restore cycle
  • Set up scheduled runs (launchd plist or cron)
  • Document restore procedure
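
One way to script the backup, verification and restore-test steps listed above. This is an added example, not part of the original note. It assumes a crypt remote named secret: has already been created with rclone config; the remote folder names and the exclude patterns are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original note. Assumes a crypt remote named
# "secret:" already exists (created with `rclone config`); remote folder names
# such as "sillytavern" and "_deleted" are made up for illustration.
RCLONE="${RCLONE:-rclone}"
CRYPT="${CRYPT:-secret:}"

# Run rclone with one shared set of exclude rules, so the verification step
# skips exactly the files that the sync step skipped.
rc() { "$RCLONE" "$@" --exclude ".DS_Store" --exclude "*.tmp"; }

# backup_one SRC NAME: incremental upload, then compare local files with the
# encrypted copies. Files deleted or changed locally are moved to _deleted/
# on the remote rather than discarded, because sync mirrors deletions.
backup_one() {
    src=$1; name=$2
    [ -d "$src" ] || { echo "skip: $src is not a directory" >&2; return 2; }
    rc sync "$src" "$CRYPT$name" --backup-dir "${CRYPT}_deleted/$name" || return 1
    rc cryptcheck "$src" "$CRYPT$name" --one-way
}

# restore_test SRC NAME: decrypt into a scratch directory and compare it with
# the live data, which proves the passwords and config can actually restore.
restore_test() {
    src=$1; name=$2; st=0
    tmp=$(mktemp -d) || return 1
    rc copy "$CRYPT$name" "$tmp" && rc check "$src" "$tmp" --one-way || st=$?
    rm -rf "$tmp"
    return "$st"
}

# The two directories named in the note.
backup_all() {
    fail=0
    backup_one "$HOME/projects/SillyTavern/docker/data" sillytavern || fail=1
    backup_one "$HOME/Downloads/character-cards" character-cards || fail=1
    return "$fail"
}

case "${1:-}" in
    backup)       backup_all ;;
    restore-test) restore_test "$2" "$3" ;;
esac
```

Setting RCLONE=echo prints the rclone commands instead of running them, which is a quick way to review the script before the first real sync.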

Resources

Notes

  • rclone crypt encrypts file names and content. The cloud provider sees only opaque blobs, although file sizes, modification times and the shape of the directory tree remain visible.
  • For iCloud, rclone can target ~/Library/Mobile Documents/com~apple~CloudDocs/ directly.
  • Google Drive has a native rclone backend with better API support.
  • SillyTavern cards are binary PNGs with embedded JSON metadata. rclone handles binary files fine.
  • Consider whether the Obsidian vault (currently unencrypted in iCloud) should also go through rclone crypt.
  • DIY NAS (potential local backup target in addition to cloud)