Is it secure?
How secure is rclone for sensitive data?
Is rclone secure?
Yes, rclone provides enterprise-grade security features for protecting your data. Here's a comprehensive look at its security capabilities:
| Feature | Rclone | Cloud Provider Apps |
|---|---|---|
| Client-side encryption | ✅ Available | ❌ Rarely |
| Open source auditing | ✅ Yes | ❌ No |
| Zero knowledge | ✅ With crypt | ❌ Provider can access |
| No telemetry | ✅ Yes | ❌ Usually collects data |
Encryption features
Client-Side Encryption
Rclone offers military-grade encryption that happens on your device before data ever leaves:
- AES-256-CTR encryption: The same standard used by governments and banks
- Poly1305 authentication: Ensures data hasn't been tampered with
- scrypt key derivation: Makes password cracking virtually impossible
How Encryption Works
# Create an encrypted remote
rclone config
# Choose 'crypt' to wrap any remote with encryption
# Your cloud provider never sees unencrypted data
Your files are encrypted locally, then uploaded. Even if someone gains access to your cloud storage, they'll only see encrypted gibberish.
Authentication security
OAuth 2.0
- Most cloud providers use OAuth 2.0 through rclone
- You never give rclone your actual password
- Tokens can be revoked anytime from your cloud provider
Two-Factor Authentication
- Rclone respects 2FA on your cloud accounts
- Adds an extra layer of security to your transfers
Network security
HTTPS/TLS
- All transfers use encrypted connections
- Man-in-the-middle attacks are prevented
- Your data is encrypted in transit, even without crypt
No Phone-Home
- Rclone doesn't collect telemetry
- No usage statistics are sent
- Your activities remain private
Configuration security
Encrypted Configuration
Protect your rclone config file:
# Set a password for your config
rclone config
# Choose 's' to set configuration password
Environment Variables
Store sensitive information in environment variables instead of the config:
- RCLONE_CONFIG_PASS for config password
- Provider-specific tokens and keys
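To check whether the configuration protections described above are in place, the following added example (not part of the original guide or of the rclone project) audits a config file without running rclone. The function name `audit_rclone_config` and the list of secret-bearing keys are assumptions chosen for illustration; the check relies on the `RCLONE_ENCRYPT_V0:` marker that rclone writes at the top of a password-protected config.

```shell
#!/bin/sh
# Added example: audit an rclone config file (hypothetical helper, not rclone's own).
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_rclone_config() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    findings=0
    # Permissions: the file should not be accessible to group or others.
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case $mode in
        *00) ;;
        *) echo "PERMS: mode $mode, remove group/other access"; findings=1 ;;
    esac
    # A password-protected config carries this marker ahead of its base64 body.
    if grep -q '^RCLONE_ENCRYPT_V0:' "$conf"; then
        echo "OK: config is encrypted"
    else
        echo "PLAINTEXT: config is not password-protected"
        findings=1
        # Name the remotes and keys holding secrets (sample key list); never print values.
        awk '
            /^\[.*\]$/ { remote = substr($0, 2, length($0) - 2); next }
            /^(token|pass|password|password2|secret_access_key|client_secret|key)[ \t]*=/ {
                split($0, kv, "="); gsub(/[ \t]/, "", kv[1])
                print "SECRET: [" remote "] " kv[1]
            }' "$conf"
    fi
    return $findings
}

# Constructed sample config (placeholder values, not real credentials).
demo=$(mktemp -d)
cat > "$demo/rclone.conf" <<'EOF'
[gdrive]
type = drive
token = {"access_token":"PLACEHOLDER"}

[secret]
type = crypt
remote = gdrive:vault
password = PLACEHOLDER_OBSCURED
EOF
chmod 644 "$demo/rclone.conf"
audit_rclone_config "$demo/rclone.conf" || echo "audit exit status: $?"
rm -rf "$demo"
```

Passwords stored in a plaintext rclone config are only obscured, not encrypted, so a `SECRET:` finding means anyone who can read the file can recover that credential.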
Common questions
"Is rclone more secure than official apps?"
With encryption enabled, yes. Rclone gives you control over your encryption keys, while most official apps don't offer client-side encryption.
"Can my cloud provider see my encrypted files?"
No. With crypt, your provider only sees encrypted blobs. They can't decrypt without your password.
"What about quantum computers?"
AES-256 is considered quantum-resistant for the foreseeable future. Your encrypted data is safe from current and near-future threats.
Vulnerabilities
Rclone takes security seriously:
- Security issues are fixed promptly
- Updates are released regularly
- Responsible disclosure is encouraged
- Check the GitHub security page for updates