Encrypt your Dropbox files with GPG

I don’t trust that my personal files will remain safe in the hands of third party cloud services. Their underlying technology is not open source (so no-one can audit it), employees might have a way to access my files, or a govermental institution might request to see my data without my knowledge.

There are privacy-focused alternatives to Dropbox such as SpiderOak, but then I still have to trust their marketing, since I have no way to check how safe my files are in there. Therefore I decided to implement the security layer myself, and stop having to trust these services altogether.

Meet Duplicity

I went looking for a solution, and I found an open source command line tool called duplicity. This program lets you backup a directory from your local filesystem to a wide variety of “backends” (including Dropbox), while encrypting all your files with GPG before sending them to the destination.

Duplicity does a great job at ensuring that even your directory structure and file names are protected. This is what I see if I login to my Dropbox.com account:

Dropbox Contents

If unauthorized parties try to access my Dropbox files, they will only see encrypted garbage.

The Duplicity Workflow

Duplicity uses the Dropbox API. Therefore I got rid of the Dropbox client I installed on my computer. I then moved my $HOME/Dropbox directory into $HOME/Cloud, but you can call it whatever you want.

Duplicity allows the user to perform full or incremental backups. The idea is that you initially do a full backup, and then you can trigger incremental backups every time you change something.

Getting a Dropbox token

Duplicity requires a Dropbox access token. In order to get one, you need to go to https://www.dropbox.com/developers/apps, and create a Dropbox application that uses the “Dropbox API”, and has full Dropbox access:

Creating a Dropbox application

You can then find the access token specific to the application.

Setting up Duplicity

Set your Dropbox access token in an environment variable called DPBX_ACCESS_TOKEN:

export DPBX_ACCESS_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxx-xxxxxxxxxxxxxxxxxx" 

You also need to take note of your GPG public key ID, which you can find by running gpg --list-keys:

pub   rsa4096/0x91B08B2CBA5EAB1A 2016-11-24 [SC]
      Key fingerprint = EEA8 98DE 0D47 725C A987  55A4 91B0 8B2C BA5E AB1A
uid                   [ultimate] Juan Cruz Viotti <jv@jviotti.com>

In this case it’d be 91B08B2CBA5EAB1A. I recommend going through this tutorial if you don’t have a GPG key yet.

Finally, you need to go to the Dropbox website and create the directory where you want Duplicity to store your encrypted files. I’ll call it “Cloud.”

Full Backups

We’re now ready to do our first full backup. This is the command I’ll use:

duplicity --progress --use-agent --encrypt-sign-key "91B08B2CBA5EAB1A" full $HOME/Cloud dpbx:///Cloud

The --use-agent makes Duplicity connect to the local GPG agent running in my computer before prompting me for a password, in case its already cached.

The --encrypt-sign-key option tells Duplicity which GPG key we want to use for both encryption and signing.

The last two arguments tell Duplicity that we want to do a full backup of the “Cloud” directory from my local filesystem to a Dropbox directory called “Cloud.”

This is how a full backup of a small directory looks like:

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Mon Nov  6 20:54:31 2017
0.0KB 00:00:03 [0.0KB/s] [>                                        ] 0% ETA 3sec
0.0KB 00:00:06 [0.0KB/s] [>                                        ] 0% ETA 6sec
1.1MB 00:00:09 [109.7KB/s] [=================================>       ] 83% ETA 1sec
1.2MB 00:00:12 [89.1KB/s] [====================================>    ] 92% ETA 0sec
1.2MB 00:00:15 [89.1KB/s] [========================================>] 100% ETA 0sec
--------------[ Backup Statistics ]--------------
StartTime 1521861935.51 (Fri Mar 23 23:25:35 2018)
EndTime 1521861936.21 (Fri Mar 23 23:25:36 2018)
ElapsedTime 0.71 (0.71 seconds)
SourceFiles 2024
SourceFileSize 1355807 (1.29 MB)
NewFiles 2024
NewFileSize 1355807 (1.29 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 2024
RawDeltaSize 1271743 (1.21 MB)
TotalDestinationSizeChange 1125701 (1.07 MB)
Errors 0

Incremental Backups

Once you have at least once full backup, you can run the same command, changing full to incremental:

duplicity --progress --use-agent --encrypt-sign-key "91B08B2CBA5EAB1A" incremental $HOME/Cloud dpbx:///Cloud

So that Duplicity only uploads the things that changed.

Restoring Backups

Finally, you can “clone” your data to another computer by using the restore command. For example:

duplicity --progress --use-agent restore dpbx:///Cloud $HOME/Cloud

Duplicity will complain if $HOME/Cloud exists, so you might want to set --force to make it override it.

If you have various backups, you can go back in history by passing the --time option along with a RFC 3339 timestamp.


A security increase almost always comes with usability drawbacks.

Duplicity will not automatically upload changes you made on your directory. If you want to sync your changes like the Dropbox desktop client does, you can setup a cron job that will call duplicity every hour or something like that.

You will not be able to access your Dropbox files on a mobile device, or a computer that doesn’t have both Duplicity and your GPG keys on it. I exclusively use my laptop for 99% of my computing needs, so I’m with this.

If you have more than one computer syncing your Duplicity directory, you need to make sure you have the latest changes before sending an incremental update, since there is no automatic conflict resolution system.

Finally, Duplicity has to encrypt all your files with GPG, which means that performing a full backup is much slower and intense compared to plain Dropbox.