How To Protect Your Files In The Cloud

Encrypt, compress and remove metadata from files before storing them in the cloud

June 1st, 2021


Most people rely on public cloud servers to store their data. Unless you self-host a cloud storage service, there's no other option but to trust whoever runs the server with your sensitive files. Even if you trust these companies to be responsible with your files, there have been numerous hacks and data leaks in the past, such as the notorious iCloud hack. Besides using good security practices such as two-factor authentication and a password manager, the best way to make sure that your data is safe is to make sure that only you can access it. In this article I'm going to show you how you can remove metadata from a file, compress it so it takes up less space, and encrypt it. First I'll show you the manual steps, then I'll show you a tool I created to do this automatically. If you're having difficulty, you can just follow the steps in the video above.


The first thing you'll need to do is set up a GPG key. GPG is an encryption tool that is pre-installed on nearly every Linux distribution. You might need to install it if you're on Windows or macOS. Simply run the command below to set up your keys. Again, if you need any help you can watch the video above for the steps.

gpg --full-generate-key

So the first thing we're going to do is remove the metadata from the file. Metadata includes all the geographical, time and device data associated with a file. By removing it we can ensure that online services can't use it to gain deeper insight into us. Mat2 is a great tool that works on many different file types and recursively goes through all files in a folder.

mat2 --unknown-members omit --inplace <YOUR DIRECTORY NAME>

Next we want to compress the file or folder using Zip. You could alternatively use Tar, but Zip works better on non-Linux systems.


Now that the file is prepared it can be encrypted with the GPG key. Simply run the below command replacing the email and file.

gpg --encrypt --sign --armor -r <YOUR RECIPIENT EMAIL> <YOUR ZIPPED FILE>
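
The three manual steps above combined into one shell function, as an added example (not the Cosaint script and not code from the original article). The function name `protect_for_cloud`, the `zip -r -q` invocation and the `.zip.asc` output name are assumptions of this example.

```shell
#!/bin/sh
# Added example: metadata removal, zip and GPG encryption as one function.
# Usage: protect_for_cloud <file-or-dir> <recipient-email> [output-dir]
protect_for_cloud() {
    src=$1 recipient=$2 outdir=${3:-.}
    [ -e "$src" ] || { echo "no such file or directory: $src" >&2; return 1; }
    [ -n "$recipient" ] || { echo "recipient email required" >&2; return 1; }
    for tool in mat2 zip gpg; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing tool: $tool" >&2; return 1; }
    done

    name=$(basename "$src")
    out="$outdir/$name.zip.asc"          # output name is this example's choice
    work=$(mktemp -d) || return 1        # private scratch directory
    status=0
    {
        # Work on a copy: mat2 --inplace overwrites the files it cleans.
        cp -R "$src" "$work/$name" &&
        # Step 1: strip metadata (same flags as the command above).
        mat2 --unknown-members omit --inplace "$work/$name" &&
        # Step 2: compress; cd first so the archive stores relative paths only.
        (cd "$work" && zip -r -q "$name.zip" "$name") &&
        # Step 3: encrypt to the recipient's key and sign with your own.
        gpg --encrypt --sign --armor -r "$recipient" \
            --output "$out" "$work/$name.zip"
    } || status=1

    rm -rf "$work"                       # remove the plaintext copy and zip
    [ "$status" -eq 0 ] && printf '%s\n' "$out"
    return "$status"
}

# Run only when called with arguments, e.g.:
#   sh protect.sh ~/Photos me@example.com ~/CloudSync
if [ "$#" -ge 2 ]; then
    protect_for_cloud "$@"
fi
```

Any failing step stops the chain, so nothing is written to the output directory unless the metadata pass and the compression both succeeded. Check that the result opens with `gpg --decrypt` before you delete the local original.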

Now you have a cleaned and compressed file that can only be accessed by the key associated with that email. It's good to know the steps, but running all these commands can take a while, especially when you have a lot of files. So I created a simple shell script that will perform all these steps for you.


The shell tool I created is called Cosaint (Irish for defence) and can be found at the git repo here. It contains a script that can be used as a CLI, another script that monitors your folder to detect if new files were added, and a systemd service that can run all this in the background automatically. You'll need to set up your GPG keys the same as before, and you'll need to install Mat2 for the metadata removal and inotify-tools if you want to monitor your files.

sudo apt-get install mat2 inotify-tools

You can then clone the git repo, add the shell script to your local bin directory then run it on your files/folder.

git clone
cp /usr/local/bin/ -a encrypt -f <File you want encrypted> -e <Email of recipient gpg key> -d <Directory to sync to>

The file or folder will then be prepared and moved to the directory you want. If you want, you can also set up the systemd service to run in the background so you won't even have to run the script.

Stay happy and stay private.