Create an automated security infrastructure that complies with the 3-2-1 strategy (3 copies, 2 media, 1 offsite location) respecting data sovereignty.
- Source: Windows 11 PC (Daily work).
- Local Server: Raspberry Pi 4 + SSD (Fast/immediate copy).
- Cloud: Google Drive (Encrypted nightly copy).
- PC with Windows 10/11.
- Raspberry Pi 4 (4GB/8GB RAM).
- External SSD disk (Samsung T5) mounted on the Raspberry Pi.
💻 For the Client (Windows):
- SyncTrayzor: Syncthing client with GUI for Windows.
- Git for Windows: Necessary to clone the repository.
🍓 For the Server (Raspberry Pi / Ubuntu):
- Docker Engine: Installed via terminal.
- Rclone: Cloud management tool.
⚠️ IMPORTANT NOTE ON USERNAMES: when running these commands on your own system, you MUST replace youruser with your actual Linux username (e.g., ubuntu, pi, john, etc.). To find out your current username, type whoami in the terminal.
We connect via SSH to our Raspberry Pi.
Commands executed in the SSH terminal to create the folder structure and assign permissions.
```bash
mkdir -p /home/youruser/docker/syncthing
mkdir -p /home/youruser/Backups
mkdir -p /home/youruser/scripts
sudo chown -R youruser:youruser /home/youruser
```
File docker-compose.yml created in /home/youruser/docker/syncthing/:
```yaml
services:
  syncthing:
    image: lscr.io/linuxserver/syncthing:latest
    container_name: syncthing
    hostname: userver-sync
    environment:
      # PUID/PGID must match the UID/GID of youruser (check with: id youruser)
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Madrid
    volumes:
      - ./config:/config
      - /home/youruser/Backups:/data1
    ports:
      - 8384:8384
      - 22000:22000/tcp
      - 22000:22000/udp
      - 21027:21027/udp
    restart: unless-stopped
```
Command to bring up the container:
```bash
cd /home/youruser/docker/syncthing
docker compose up -d
```
- Action: enter http://<RPI-IP>:8384 in the browser, where <RPI-IP> is the IP address of your Raspberry Pi (8384 is the web UI port mapped above).
- Result: Syncthing web interface loaded correctly.
OK, now we are in the Raspberry Pi's Syncthing web interface in the browser.
Do this right now on that Raspberry Pi screen (<RPI-IP>):
- Go to the top right: Actions button > Show ID.
- You will get a QR code and, below it, a long code of letters and numbers.
- Copy that long code and paste it in a temporary notepad (or leave it copied).
- Open SyncTrayzor on your PC.
- Bottom right, click the "Add Remote Device" button.
- A window will open.
- Device ID: paste the long code you copied before from the Raspberry Pi.
- Device Name: write Raspberry Pi Server.
- Go back to the browser where you have the Raspberry Pi (<RPI-IP>).
- Wait a few seconds. A yellow notice will appear at the top saying: "New Device XXXXX wants to connect".
The server receives the pairing request. It must be approved manually, for security: the Pi only talks to devices you explicitly accept. Before accepting, check that the ID shown in the notice matches your PC's own ID (in SyncTrayzor: Actions > Show ID).
- Click the green Add Device button.
- In the window that appears:
  - Device Name: write PC Windows.
  - Click Save.
- Now, on both computers, the status "Connected" or "Unused" should appear in green.
- Find the folder to share or create one with the desired name.
- Go back to SyncTrayzor on your PC.
- On the left, click "Add Folder".
- Fill this in:
  - Folder Label: the name of the folder you created.
  - Folder Path: the full path to your folder.
⚠️ Warning: enter the path without quotation marks ("") or you will have folder identification problems.
- Go to the top tab "Sharing".
- Check the box "Raspberry Pi Server".
- Click Save.
This is the most important technical step.
- Go back to the Raspberry Pi browser (<RPI-IP>).
- You will see another yellow notice at the top: "PC Windows wants to share folder 'xxxxxxxxx'".
- Click Add.
- A configuration window opens. Look where it says "Folder Path".
- By default it will say something like /home/user or /config/.... DELETE THAT.
- Write exactly: /data1/yourname (remember: /data1 is the "magic door" that connects to your SSD hard drive thanks to the Docker volume mapping).
⚠️ IMPORTANT: we change the destination path to /data1/ to ensure data is written to the persistent Docker volume (the SSD) and not to the SD card.
- Click Save.
To connect the Pi to Google, you need to generate a "permit" (token) from your Windows PC.
- Download Rclone for Windows (direct ZIP link).
- Open the ZIP and enter the folder.
- In the address bar of that folder, write cmd and hit Enter. (A black terminal will open in that folder.)
- Leave it open, we will use it in a minute.
Go back to your Raspberry Pi terminal (ssh youruser@...).
- Run: rclone config
- Write n (New remote) > Enter.
- Name: gdrive > Enter.
- Storage: write drive > Enter.
- Client ID: leave empty > Enter.
- Client Secret: leave empty > Enter.
- Scope: write 1 (Full access) > Enter.
- Service Account: leave empty > Enter.
- Edit advanced config: n > Enter.
- Use web browser?: ⚠️ IMPORTANT: write n (NO).
Now the Pi terminal will tell you something like:
"Execute the following on the machine with the web browser..."
and give you a command starting with rclone authorize "drive" "...".
- Copy the whole command the Pi gives you.
- Go to the black terminal of your Windows PC (from Step 5.0).
- Paste the command and hit Enter.
- Your browser will open. Log in with your Google account and click Allow.
- Go back to the Windows black terminal. It will have printed a giant code (token).
- Copy the giant code (it starts and ends with braces {...}).
- Go back to the Raspberry Pi and paste it where it says config_token>.
- Shared Drive: n.
- Keep this remote: y.
Do not exit the rclone config menu. Now we are going to create the security (encryption) layer.
- Write n (New remote).
- Name: gcrypt
- Storage: write crypt.
- Remote: gdrive:/Backupyourfolder (this will create that folder in your Drive).
- Filename Encryption: 1 (Standard).
- Directory Name Encryption: 1 (True).
- Password: y (Yes). Invent a password (NOT the Gmail one, a new one used only for encryption).
⚠️ WRITE IT DOWN. If you lose it, goodbye data.
- Salt: leave empty > Enter.
- Keep this remote: y.
- Exit the menu with q.
Note: rclone stores this password (obscured, not encrypted) together with the Google token in ~/.config/rclone/rclone.conf on the Pi. Keep that file readable only by your user (chmod 600) and keep a copy of it somewhere safe: whoever holds it can read the vault, and without it (or the password) the encrypted copy cannot be decrypted.
- Create a test file on the Pi: touch secret_test.txt
- Upload it: rclone copy secret_test.txt gcrypt:/
- If there is no error, go to your Google Drive in the PC browser.
- Find the folder Backupyourfolder.
Verification of "Zero Knowledge": the uploaded file appears in Google Drive with both its name and its content encrypted.
We are going to write the small program that makes the decisions.
In your Raspberry Pi terminal (ssh):
6.1.1. Create/open the file:
```bash
nano /home/youruser/scripts/upload_cloud.sh
```
6.1.2. Copy and paste this exact code (it is the improved version with an activity log):
```bash
#!/bin/bash
# Sovereign Vault - automatic backup script

# CONFIGURATION
ORIGEN="/home/youruser/Backups"
DESTINO="gcrypt:/"
LOGFILE="/home/youruser/scripts/upload.log"

echo "------------------------------------------------" >> "$LOGFILE"
echo "INICIO BACKUP: $(date)" >> "$LOGFILE"

# SYNC COMMAND
# -v: verbose (writes details to the log)
# --transfers=4: upload 4 files at a time to go faster
# Note: "sync" makes the destination identical to the source, so a file
# deleted or overwritten locally is deleted/overwritten in the cloud on the
# next run; older copies survive only through Drive's file versioning.
# ERROR CHECK: the if tests rclone's exit code directly
if rclone sync "$ORIGEN" "$DESTINO" -v --transfers=4 >> "$LOGFILE" 2>&1; then
    echo "ESTADO: ÉXITO - $(date)" >> "$LOGFILE"
else
    echo "ESTADO: ERROR - $(date)" >> "$LOGFILE"
fi
echo "------------------------------------------------" >> "$LOGFILE"
```
6.1.3. Save (Ctrl + O, Enter) and exit (Ctrl + X).
Right now it is just a text file. We have to make it executable.
Execute:
```bash
chmod +x /home/youruser/scripts/upload_cloud.sh
```
We are going to tell Linux: "Run this every day at 04:00 AM".
- Open the task editor: crontab -e
- Go to the very end of the file and paste this line:
```
0 4 * * * /home/youruser/scripts/upload_cloud.sh
```
- Save and exit.
To be sure the script works (and not wait until 4 AM), we are going to launch it manually once.
- Execute the script: /home/youruser/scripts/upload_cloud.sh
- Read the log to see the result: cat /home/youruser/scripts/upload.log
What should you see?
At the end of the text it should say: ESTADO: ÉXITO.
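Reading the log by hand works once; a backup you never look at again fails silently. The following health check, an added example that is not part of the original guide, parses the upload.log format written by upload_cloud.sh and reports whether the last run succeeded and whether it is recent enough. It assumes GNU date with a C/English locale (to parse the "$(date)" stamp) and that a success older than 30 hours means the nightly 04:00 job was missed; the log path and threshold are assumptions you can override.

```bash
#!/bin/bash
# Health check for the upload.log written by upload_cloud.sh (added example).
# Assumes the log lines "ESTADO: ÉXITO - <date>" / "ESTADO: ERROR - <date>"
# from the script above and GNU date in a C/English locale.

LOGFILE="${LOGFILE:-/home/youruser/scripts/upload.log}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-30}"   # nightly job: older than this = missed run

# Result of the most recent completed run: OK, ERROR or NONE (no log / no run).
last_backup_status() {
  local line
  line=$(grep '^ESTADO: ' "$1" 2>/dev/null | tail -n 1)
  case "$line" in
    "ESTADO: ÉXITO"*) echo OK ;;
    "ESTADO: ERROR"*) echo ERROR ;;
    *)                echo NONE ;;
  esac
}

# Whole hours since the last ESTADO line was written; -1 if none/unparseable.
last_backup_age_hours() {
  local line stamp epoch
  line=$(grep '^ESTADO: ' "$1" 2>/dev/null | tail -n 1)
  [ -n "$line" ] || { echo -1; return; }
  stamp=${line#*- }                      # keep the text after "ESTADO: ... - "
  epoch=$(date -d "$stamp" +%s 2>/dev/null) || { echo -1; return; }
  echo $(( ( $(date +%s) - epoch ) / 3600 ))
}

# Verdict for cron or a monitoring probe: prints one line and returns 0 only
# when the last run succeeded AND is recent enough (1 = failed, 2 = stale).
check_backup() {
  local log="$1" max_age="$2" status age
  status=$(last_backup_status "$log")
  age=$(last_backup_age_hours "$log")
  if [ "$status" != OK ]; then
    echo "BACKUP UNHEALTHY: last run status $status ($log)"; return 1
  elif [ "$age" -lt 0 ] || [ "$age" -gt "$max_age" ]; then
    echo "BACKUP STALE: last success ${age}h ago (limit ${max_age}h)"; return 2
  fi
  echo "BACKUP OK: last success ${age}h ago"
}

# Usage: ./backup_check.sh [logfile] [max_age_hours]
if [ "$#" -gt 0 ]; then
  check_backup "$1" "${2:-$MAX_AGE_HOURS}"
fi
```

Run it from a second cron entry (for example daily at 08:00) and you get a non-zero exit code whenever the 04:00 backup failed or did not run, which is what a notification hook or monitoring probe needs.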
And of course, to wrap up for now while I imagine potential updates, let's explain how to recover your encrypted data from the Google Drive server.
Don't worry: even if you download the data copy, the service remains active and everything continues as if nothing happened... except that you now have your decrypted copy of your data in your possession. :)
I'll be happy to answer any suggestions or comments!
⚠️ IMPORTANT NOTE ON USERNAMES: in the following examples, you will see the username youruser. This is the specific user for my home lab. When running these commands on your own system, you MUST replace youruser with your actual Linux username (e.g., ubuntu, pi, john, etc.). To find out your current username, type whoami in the terminal.
This component is essential on minimal Linux distributions (like Ubuntu Server) to allow Rclone to create a virtual filesystem. This step prevents the "daemon exited with error code 1" error.
```bash
sudo apt update
sudo apt install fuse libfuse2 -y
```
(Note: on newer Ubuntu versions, you might need fuse3 instead of libfuse2.)
We create the folder and transfer ownership to the user so we can write to it without root privileges.
```bash
# 1. Create the folder (as root)
sudo mkdir -p /mnt/vault_mount
# 2. Give ownership to your user (CRITICAL STEP)
# Replace 'youruser' with YOUR username
sudo chown youruser:youruser /mnt/vault_mount
```
Connect the cloud remote (gcrypt:) to the local folder. Decryption happens in real time using the CPU.
```bash
rclone mount gcrypt: /mnt/vault_mount --daemon
```
💡 Note: the --daemon flag ensures the process runs in the background, keeping your terminal free for other commands.
Check that you can see your files in clear text within the virtual folder.
```bash
# You should see your folders (Backup_diario, etc.)
ls -lh /mnt/vault_mount/
```
The mounted folder is virtual. To actually "recover" the data permanently, copy the files to a standard directory in your user home.
```bash
# Create a destination folder in your home
mkdir -p "$HOME/RESTORED_VAULT"
# Copy the files recursively
# (Adjust 'Backup_diario' to match your folder name)
cp -r /mnt/vault_mount/Backup_diario "$HOME/RESTORED_VAULT/"
```
It is mandatory to disconnect the virtual drive after the copy process to release system resources and maintain security.
```bash
fusermount -u /mnt/vault_mount
```
Final Result:
Your files are now restored, decrypted, and ready to use in the $HOME/RESTORED_VAULT/ folder. The automated backup service continues to run in the background undisturbed.
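The mount/copy/unmount steps above are easy to leave half-done: if the copy errors out or you press Ctrl+C, the decrypted vault stays mounted on the Pi. The script below, an added example and not part of the original guide, wraps the same procedure in a function with a trap so the unmount always happens, and mounts read-only so a restore can never write back into the vault. It assumes the gcrypt: remote, /mnt/vault_mount and fusermount from the steps above; the folder name (e.g. Backup_diario) and the destination are passed as arguments.

```bash
#!/bin/bash
# Restore from the encrypted remote with a guaranteed unmount (added example):
# mount read-only, copy one folder out, unmount even on failure or Ctrl+C.
# Assumes the gcrypt: remote and /mnt/vault_mount from the guide above.
set -u

REMOTE="${REMOTE:-gcrypt:}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/vault_mount}"

# Unmount only if the path is really a mount; safe to call more than once.
unmount_vault() {
  if mountpoint -q "$1" 2>/dev/null; then
    fusermount -u "$1" || fusermount -uz "$1"   # lazy unmount as a fallback
  fi
}

# Mount, copy, unmount. Returns 0 only when the copy completed; the vault is
# unmounted on every path, including an interrupted run (EXIT/INT/TERM trap).
restore_vault() {
  local mnt="$1" folder="$2" dest="$3" rc=0
  mkdir -p "$dest"
  # Double quotes expand $mnt now, so the trap still works after this
  # function (and its local variables) has gone out of scope.
  trap "unmount_vault '$mnt'" EXIT INT TERM
  # --read-only: a restore must never be able to modify the backup itself.
  if rclone mount "$REMOTE" "$mnt" --daemon --read-only; then
    cp -a "$mnt/$folder" "$dest/" || rc=1
  else
    rc=1
  fi
  unmount_vault "$mnt"
  trap - EXIT INT TERM
  return "$rc"
}

# Usage: ./restore_vault.sh Backup_diario "$HOME/RESTORED_VAULT"
if [ "$#" -eq 2 ]; then
  restore_vault "$MOUNT_POINT" "$1" "$2"
fi
```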
This project adheres to the principle of Data Sovereignty.
- No Vendor Lock-in: The local copy is always accessible via standard file systems.
- Privacy by Design: Google Drive (or any cloud provider) never sees the actual files, only encrypted blobs.
- Resilience: Protection against Ransomware (via versioning) and hardware failure.
Future improvements planned for this infrastructure:
- Add Telegram/Discord notifications on backup failure.
- Implement a Grafana Dashboard to visualize disk usage and sync status.
- Add a second offsite location (S3 or MinIO) for redundancy.
This project relies on fantastic Open Source software. Special thanks to the creators:
- SyncTrayzor: Thanks to Antony Male (@canton7) for creating the best Syncthing wrapper for Windows.
- Syncthing: The continuous file synchronization program.
- Rclone: "Rsync for cloud storage", created by Nick Craig-Wood.
José Álvarez | Microcomputer Systems & Networks Technician | Network Automation