How can I back up selected folders to OneDrive and encrypt them?

1

I want to choose some folders scattered around my various hard drives (preferably including my network drives) and have them encrypted (AES256 or something secure) and copied to OneDrive, and I don't want to keep a local copy (once it's uploaded it can be deleted locally so that I don't have two local copies). Is this possible?


To be clear, I'm looking for an automated solution. Everything I mentioned is easy to do manually:

  1. encrypt the files
  2. move them to OneDrive
  3. wait for them to sync
  4. update any folders to make it "online only" so that it won't sync with my other machines/re-download after I've removed the local files
  5. delete the local files (not sure if this will cause them to be deleted online??)

Better yet would be if it encrypted and uploaded in one swoop, without wasting a ton of disk space while it copies everything to my C drive (which is a tiny SSD).

mpen

Posted 2015-02-09T02:06:11.713

Reputation: 9 109

Answers

1

I am a Windows user. I have been searching for the answer to this question for a long time.

Different types of backup architecture are explained in http://www.techsupportalert.com/content/selecting-encryption-method-cloud-storage.htm. The type of direct encrypted backup to cloud you are talking about is called "Type 1". Tresorit and SpiderOak are given as examples. It is also mentioned that "There are not many free products using Type 1 encryption".

For offline backups I agree it is senseless to have to have a local copy before backing up to the cloud. However, most popular cloud storage solutions (e.g. OneDrive) are designed for synching files between different devices so this is why a local copy is stored.

For offline backups that are encrypted before upload (i.e. 'client-side') I have found a number of solutions:

  1. use an online storage solution that offers this (e.g. Acronis True Image, Tresorit, SpiderOak)...the problem is you are tied in with a given provider (so no compatibility with OneDrive etc.)
  2. use dedicated backup software to upload encrypted backups directly to an online storage solution (e.g. OneDrive) using a protocol like FTP or WebDav...the problem is some only work with limited online storage services; you will have to disable synching so the contents of your cloud are not re-downloaded again to your computer; and you will have to find the configuration settings for direct access to the cloud storage service

For option 2 you could try the free and basic CryptSync tool http://stefanstools.sourceforge.net/CryptSync.html which is something like a cross between 7Zip (for compression and encryption) and SyncToy (for scheduled synch).

Although I like it, for me there are a few problems with this tool, as follows:

  1. long paths and filenames cannot be encrypted due to them being too long for Windows to handle
  2. the options for scheduling are limited i.e. the sync has to be set at x minutes after last sync (no set times or daily, weekly intervals or incremental backups etc.)
  3. although there is a warning if a particular file fails to encrypt and sync, this is not a pop up warning (a user has to view the log and figure out what to do e.g. shorten the file name)

The beauty of CryptSync is that it saves files to any local copy of cloud storage folder. The user is not tied in with a particular Cloud storage service provider.

Other free tools that work like CryptSync (but which can connect directly to online storage services and not just save files locally) are Duplicati, Duplicity, and FileFort.

You may also want to review some of the paid software that has the ability to send encrypted backups to cloud storage, e.g.:

  • Handy Backup (with HBDrive, Amazon S3, Box, iDrive, and others)
  • Iperius (with Google Drive, OneDrive, Dropbox, Amazon S3, Microsoft Azure, Iperius Online Storage)
  • Nova (Amazon only)
  • NTI Backup
  • Retrospect Pro (only with Amazon S3, Google Cloud Storage, Dropbox, DreamHost, Dunkel, Numergy, and Aruba.) Desirable Software after comparison
  • Cloudberry (Back up to any cloud storage provider, or local storage)
  • SyncBackPro

I have found the reviews at http://www.backupreview.com/ useful.

Ad Astm

Posted 2015-02-09T02:06:11.713

Reputation: 191

I started using Arq Backup. It's not perfect, but it does everything I wanted. – mpen – 2017-06-20T15:59:17.883

I have edited my answer. In short, for your specific question, use Duplicati to directly upload encrypted backups to OneDrive and disable sync (if possible) so the contents are not all downloaded again. If you want to keep the sync option it may be possible to specify that the backup folder is not to be synched. – Ad Astm – 2017-06-22T12:56:55.097

1

Sure, you could use PGP/GPG to encrypt the files, either using your own personal public key (then you only remember your personal key's passphrase) or using -c conventional encryption only with a passphrase for the file you have to remember.

Then copy the encrypted files to wherever for backups.

Or, you could use a tool like TrueCrypt (though it's no longer officially supported) or dm-crypt/LUKS to create a big encrypted container file, put your files inside it, and copy the whole container to wherever.

Or, you could use an encrypted filesystem like EncFS to encrypt a local folder into a shared OneDrive (or other service) folder. The local files can remain un-encrypted, while the online copy/folder would be encrypted.

Deleting the local files is an option (after verifying the online copies can be decrypted), but for a good backup strategy you should keep a local copy somewhere/somehow just in case the online copy has problems, or the passphrase is lost, etc...

  • How-To Geek on How to Encrypt Cloud Storage on Linux and Windows with EncFS
  • encfs4win - "experimental project of porting encfs to the Windows world"
  • Super ArchWiki EncFS page - very good info on using EncFS. Linux-oriented, but if the EncFS port for windows works it should be useable too.

    Here's the best backup feature of EncFS (IMO) - it can do a "--reverse" mount, using a plain folder to create a "virtual" encrypted copy, without writing a single byte to your hard drive. Then the "virtual" encrypted files can be sent to the cloud (or any backup location) and you just need the encrypted options file (encfs6.xml, keeping it with the backup files would work) and passphrase to read them. Here's some pasted info:

    Backup plaintext directory

    The following example assumes you want to create an encrypted backup of an existing plaintext directory ~/mythesis which contains the file thesis.txt.

    First, we create the encrypted backup of the existing plaintext directory:

    $ encfs --reverse ~/mythesis /tmp/thesisbackup 
    

    Note the directory order is reversed to normal usage in this case. Using the --reverse option has two effects: Firstly, the configuration file is now stored in the plaintext directory and /tmp/thesisbackup only contains it in encrypted form. Secondly, the files in /tmp/thesisbackup are not persistent. They will vanish once it is unmounted (no, this is not due to usage of the /tmp mountpoint).

    For the second reason, now is the time to copy the encrypted files to the desired backup location, before unmounting the temporary encfs directory again:

    $ cp -R /tmp/thesisbackup/* /mnt/usbstick/
    $ fusermount -u /tmp/thesisbackup 
    

    and done.

    To restore (or view) the backup, we need access to the encryption options in plaintext, which has to be passed to encfs with the environment variable ENCFS6_CONFIG (we use a different directory in order not to mess up the existing ~/mythesis):

    $ ENCFS6_CONFIG=~/mythesis/.encfs6.xml encfs /mnt/usbstick ~/restoremythesis
    

I'm not sure about a fully automated solution to back up scattered folders, encrypt and upload and delete the originals all at once; that wasn't part of the question when I originally answered. A web search would probably find some programs that have automated encrypted cloud backups, if you trust the companies / cloud storage, but the point of DIY encryption is usually so you will be the only person who has the key.

If I were to try it myself, I'd probably write a short BASH script to mount an EncFS folder online, copy backup files to it, and unmount when it was done syncing. To add incremental backups would need date checking and/or file hashes, comparing to find new/changed/deleted files, and only copying the appropriate files, but that tends to explode the complexity of the process.


While searching for .encfs6.xml I did find a program that might make the "automatic" part a little easier on Windows:

Boxcryptor, a cross-platform program (Win, Mac, iOS, Android, Google Chrome, but NO Linux...) that works with about 25 different storage providers (including Microsoft OneDrive) that apparently uses EncFS (it uses a .encfs6.xml file) and RSA keys also. I haven't used it (no Linux) and am not very familiar with it; there's a free basic version, but here's a little info from the "What is Boxcryptor" page:

Boxcryptor supports all major cloud storage providers (such as Dropbox, Google Drive, Microsoft OneDrive, SugarSync) and supports all the clouds that use the WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).

Boxcryptor creates a virtual drive on your computer that allows you to encrypt your files locally before uploading them to your cloud or clouds of choice. It encrypts individual files - and does not create containers. Any file dropped into an encrypted folder within the Boxcryptor drive will get automatically encrypted before it is synced to the cloud.

Its "Technical Overview" pages have some details, here's something on "How Boxcryptor is zero-knowledge":

Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password - which is never transferred to us or anyone. Only public keys are in plain text.

Xen2050

Posted 2015-02-09T02:06:11.713

Reputation: 12 097
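
The answer above recommends verifying that the backup decrypts before deleting local files, and notes that incremental backups need file hashes to find new, changed and deleted files. A sketch of both checks, added here as an example and not part of the original answer; the function names and the manifest format are assumptions, and GNU sha256sum is assumed to be installed:

```shell
#!/bin/sh
# Added example (not from the original answer). Function names and the
# manifest format are assumptions; GNU sha256sum is assumed to be installed.

# make_manifest DIR: print "<sha256>  ./relative/path" for each regular file
# under DIR, sorted by path. The EncFS config file is skipped because it is
# not user data. File names containing newlines or backslashes are unsupported.
make_manifest() {
    ( cd "$1" &&
      find . -type f ! -name .encfs6.xml -exec sha256sum {} + |
      LC_ALL=C sort -k 2 )
}

# diff_manifests OLD NEW: list what an incremental run has to handle.
# A missing or empty OLD manifest means a first run: everything is NEW.
diff_manifests() {
    awk '
        BEGIN {
            while ((getline line < ARGV[1]) > 0)
                old[substr(line, 67)] = substr(line, 1, 64)
            ARGV[1] = ""    # already read; keep awk from reading it again
        }
        {
            hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1
            if (!(path in old))         print "NEW " path
            else if (old[path] != hash) print "CHANGED " path
        }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# verify_restore SRC RESTORED: succeed only if both trees hold the same files
# with the same hashes. RESTORED is meant to be a decrypted mount of the
# uploaded backup; delete local originals only after this returns 0.
verify_restore() (
    a=$(make_manifest "$1") && b=$(make_manifest "$2") && [ "$a" = "$b" ]
)
```

With the restore command quoted in the answer, RESTORED would be the directory where the uploaded copy is mounted with ENCFS6_CONFIG set. An empty or failed mount makes verify_restore fail, so the originals are kept.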

Each of the things I mentioned is easy to do manually, but I was hoping for an automated solution. I don't want to have to (1) encrypt, (2) copy-paste, (3) wait for files to sync, (4) delete the local files, (5) disable "make available offline", every night just to keep my backups up to date. – mpen – 2015-02-10T23:51:38.313

1 A completely automated solution was not part of the original question when I answered... there may be a backup program that can do all that... but if you already have an automated backup strategy working, then telling it to put the backups in an encrypted folder/container (instead of wherever they go now) should be easy. I'll also add some info on EncFS's --reverse feature too, it's at the bottom of the ArchWiki page I linked, you could use it to create encrypted backup files without writing any extra data to your HD, only the backup location (online supposedly) would be encrypted. – Xen2050 – 2015-02-11T00:38:55.343

@Mark I found boxcryptor while searching for EncFS's config file, it looks more automatic than the other EncFS for windows programs, and ties in cloud storage, so might only leave the "copy backup files to it" part. Edited in some info to the answer – Xen2050 – 2015-02-11T21:38:49.777

Yeah, I found boxcryptor in my searches, but it has the same issue. There's a symlink trick you can do with some cloud providers to get them to sync files outside of the cloud folder, but it doesn't work with boxcryptor.

– mpen – 2015-02-11T22:17:17.020

1 Hmmm... that's a legitimate problem, keeping files encrypted only on the remote location shouldn't need an extra local copy. If the online storage requires a local copy & can't read from a reverse EncFS folder (that sounds the best, if picking files to "upload" it should work), maybe a ramdisk could temporarily hold the encrypted files while they're uploaded, but that would limit it to your ram size, probably only a few gigs at a time at most, and the online storage not deleting an uploaded file when it's deleted locally... partly an online storage provider issue – Xen2050 – 2015-02-12T00:28:50.047