Systems status: [ OK ]
  • [ OK ]proxy
  • [ OK ]mailserver
  • [ OK ]sunrise
  • [ OK ]
1 min read

Migrating backups with crypt

Migrating encrypted backups between different cloud providers can be a tricky task, as it involves transferring sensitive data while maintaining its security.

Migrating backups with crypt

At some point, you’ll outgrow your current cloud provider — maybe storage costs spike, maybe reliability dips. Moving plain data is straightforward. Moving encrypted backups is another story: how do you preserve security while shifting terabytes of data between providers

The golden rule: never decrypt during migration. The encryption key should remain in your control, and the cloud should only ever see ciphertext. That way, even if transfer logs or intermediate storage are compromised, your data stays unreadable.

Option 1: gpg (manual, file by file)

If your backups are individual archive files, GnuPG works fine. You encrypt locally before upload:

gpg --symmetric --cipher-algo AES256 backup.tar.gz
Later, to decrypt on a new machine:

gpg --output backup.tar.gz --decrypt backup.tar.gz.gpg

This approach is simple, but if you’re moving 100s of GB across providers, decrypting and re-encrypting everything is wasteful.

rclone supports transparent encryption and multi-cloud sync. You create an encrypted “remote” on top of your provider, and rclone handles everything:


# Configure an encrypted remote
rclone config
> n) New remote
> name: gdrive-crypt
> storage: crypt
> remote: gdrive:/backups
> filename_encryption: standard
> directory_name_encryption: true
> password: ********

# Migrate from Google Drive to Backblaze
rclone sync gdrive-crypt: b2-crypt: --progress --transfers=8

This copies ciphertext directly from provider A to provider B, no local decryption required.

Lessons learned

  • most providers cap sustained throughput; rclone’s --transfers and --checkers flags help balance speed.
  • encrypted files don’t look the same across remotes; rely on rclone’s built-in verification, not file size.
  • egress fees from the source cloud can be higher than you expect. Budget accordingly before starting a multi-TB move.
  • permissions and timestamps don’t always map cleanly; backups should be validated after migration.

Takeaway

If you encrypt on the client, migrating between clouds is just moving ciphertext. Tools like rclone’s crypt backend make the process safer and faster, avoiding the need to ever decrypt your backups mid-flight.