bijavix blog

Encrypted Cloud Mountpoint with rclone

bijavix

Create an encrypted Google Drive mount with rclone for fast, secure system storage in the cloud. Perfect if your organization has unlimited storage. The setup uses OAuth client authentication and an encrypted remote, mounted with a suitable VFS cache mode for secure and efficient cloud-storage access.

1. Preparation (optional)

You can speed up interactions with Google Drive by supplying your own client ID or by using a service account.

1.1. Create an OAuth client ID

Follow these steps in the Google Cloud console:

  1. Go to Google Cloud console.

  2. APIs and services → Create new project → name it Drive.

  3. Enable APIs and services → enable Google Drive API.

  4. Credentials → Configure consent screen (only once per Google account).

  5. Back in Credentials → Create credentials → OAuth client ID.

    • Application type: Desktop app

    • Name: rsync-desktop

    • Click Create and download or copy the Client ID and Client secret.

  6. In OAuth consent screen, click Publish app.

Configuration will be stored at ~/.config/rclone/ unless RCLONE_CONFIG_DIR is set.

2. Install rclone

apt install rclone

3. Configure the Google Drive remote

rclone config

Interactive prompts:

n                         # New remote
name> myCloud             # Remote name
Storage> drive            # Select Google Drive
client_id> 1234....apps.googleusercontent.com
client_secret> 1234...
scope> 1                  # Full access
service_account_file>     # Press Enter to skip
auto config> y            # Opens your browser for OAuth

Log in with the Google account you used above, then return to the terminal to finish.

3.1. Test access

rclone ls myCloud:

If a file listing appears, authentication is working.

4. Configure the encrypted remote

rclone config

Interactive options:

n                              # New remote
name> myCloudCrypt             # Encrypted remote name
Storage> crypt                 # Select crypt
remote> myCloud:/crypt         # Remote created previously
filename_encryption> 1         # Encrypt file names
directory_name_encryption> 1   # Encrypt directory names
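
Once both remotes exist, the rclone config file holds the Drive OAuth token and the crypt passwords (obscured, not encrypted), so its permissions and crypt settings are worth checking. The audit below is an added example, not part of the original post or of rclone; it assumes the usual rclone.conf INI keys (type, remote, filename_encryption, directory_name_encryption, password, password2) and runs on a constructed sample with placeholder secrets.

```python
import configparser
import os
import stat

# Constructed sample in rclone.conf (INI) layout; every secret is a placeholder.
SAMPLE_CONF = """\
[myCloud]
type = drive
token = {"access_token":"PLACEHOLDER"}
[myCloudCrypt]
type = crypt
remote = myCloud:/crypt
filename_encryption = off
directory_name_encryption = true
password = PLACEHOLDER_OBSCURED
"""

def audit(conf_text, mode):
    """Return findings for the file mode and for every crypt remote in conf_text."""
    findings = []
    if mode & 0o077:
        findings.append(f"config file mode {mode:o} lets group/other read tokens and passwords")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type") != "crypt":
            continue
        remote = sec.get("remote", "")
        if ":" in remote and remote.split(":", 1)[0] not in cfg:
            findings.append(f"{name}: backing remote in '{remote}' is not defined")
        # When a key is absent rclone uses its defaults: standard / true.
        if sec.get("filename_encryption", "standard") != "standard":
            findings.append(f"{name}: file names are not fully encrypted")
        if sec.get("directory_name_encryption", "true") != "true":
            findings.append(f"{name}: directory names are stored in clear")
        if not sec.get("password"):
            findings.append(f"{name}: no password set")
        if not sec.get("password2"):
            findings.append(f"{name}: password2 (salt) not set, rclone uses its built-in salt")
    return findings

def audit_file(path):
    with open(path) as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, 0o644):
        print(finding)
```

To check a real setup, call audit_file() on the rclone.conf under ~/.config/rclone/.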

5. Mount the encrypted storage

mkdir -p ~/myCloud
rclone mount myCloudCrypt: ~/myCloud --vfs-cache-mode minimal --buffer-size 64M --transfers 6

5.1. VFS cache modes (--vfs-cache-mode)

  • off - Files are streamed directly to the remote.

  • minimal - Metadata and directory entries are cached locally.

  • writes - Write operations are cached locally before upload, enabling partial and random-access writes.

  • full - Entire files are cached locally for both reads and writes before upload.