Syncthing Encryption

[Alayna Rother]

1Syncthing always encrypts the transport to the folder, so no one can read anything in between.

2. On the device everyone can read who has access to the filesystem.

3. The only purpose and meaningful usage of folder encryption is to prevent 2. so that no one can read the data on that device even if it is compromised as it stays encrypted for all.

4. That leads to that folder encryption + send and receive is not really meaningful. The data will be encrypted two times and decrypted two times leading to more CPU usage and not really increasing privacy.

In other words, in my mind the main purpose of using untrused devices with Syncthing, is in order to achieve additional data redundancy (protection against data corruption) without increasing the administrative maintenance of ensuring the security of all those devices. (Also to increase the chance that at least one node will be online with the current version of the files you wish to receive onto a device with the decryption passphrase.)

On a trusted device you can set a password for a device and folder in the sharetab of folder and device edit dialogs. To share a folder to a trusted device,you simply leave the password field empty. For an untrusted device, enter apassword. You can click on the eye to toggle the password visibility.

For a single device, it is possible to share different folders both in theusual way and encrypted. This may be useful, if you have one folder withsensitive data, that you do not want another device to read, and another folderwith data that is unproblematic. If you never want to sync any unencrypted datato a particular device, you can mark it as untrusted in the advanced tab of thedevice edit dialog. This will prevent a connection to that device if you forgetto set a password on any folder shared with it.

This is the configuration on a trusted device. Here the folder defaultis shared with three devices. The device 373HSRP is a traditionaltrusted peer. The other two devices CJBIJBJ and I6KAH76 are bothuntrusted and will get encrypted folder data, using different passwords.

The untrusted device must not be able to compare encrypted data betweendifferent files and detect if data is equal. This means that blocks cannot asusual be reused between files. When a file is changed, blocks from the old filecan still be reused. As an example, if you rename a file foo to Foosyncthing will usually do an efficient rename or at least copy all the databefore deleting the old one. On an untrusted device, it will delete the old fileand receive the data for the new file over the network. However if you have a big file,e.g. video.mp4, and you modify just a part of it (e.g. video metadata), onlythe changed block is transferred as usual.

The following warning appears in the GUI. I redacted the original computer name and folder ID.Failure checking encryption consistency with device DEVICE_2 for folder "MasterSync" (UNIQUE_ID): remote expects to exchange encrypted data, but is configured for plain data

Any tips or info on that Android absolute path issue? That has always perplexed me as well. I'm not sure if you can sync anything that is on an external SD card on Android, but I'd be interested to hear your experience.

PC side:

I use an app called SyncTrayzor that works well on the pc. I just add the folders I want to sync. Back up ALL the files you want to sync because you can definitely lose your data. You should start on the PC, or android, where the source file currently reside. In SyncTrayzor you will be using the Folder ID to sync ;the data to your other devices. Once you sign into syncthing you should see the folders available to share on the other devices. You will need to designate the local folder where you want the synced files to reside. You can sync multiple folders between different devices.

Plan the locations out ahead of time. If you start deleting and reinstalling Syncthing you probably will lose your data at some point. I would make sure you have a few backups in case you find something missing at some point.

Thanks @SteveHolle. I was wondering though if you are using Syncthing to sync the Joplin database files directly, or if you setup sync to file system WITHIN Joplin first, and then used Syncthing to sync the Joplin sync folder. Sorry, too many uses of the word "sync".

I haven't tried using Syncthing with KeePass yet, but thanks for the info about using Quick Unlock. I'll have to test that. I'm still using LastPass, but I let me subscription expire, so I will be converting over to KeePass and using Syncthing to keep that synced among devices as well.

Syncthing is pretty awesome, but I've been struggling to figure out the best folder structure to setup across devices to make the setup as simple as possible. For most things, a common "Sync" folder should work, but I have a lot of stuff I don't want on all devices, so I've been selectively sharing different folders only with the devices I want them synced to.

I am using multiple directories and only syncing the pertinent folders on each device. Example: JoplinFileFolder and KeePassFolder. I sync both with my home and phone but only JoplinFileFolder with work. They will show up as separate folders under SyncThing.

Everybody uses multiple devices so that a guide on how to do this with Joplin would be useful.

There are multiple options to consider and one size will not fit all.

I have seen Wikipedia articles that sometimes make excellent tabular comparison of features between options (particularly on tech issues) have proved useful for choosing the best option for me.

It seems a little indirect to have to trawl through multiple threads to piece together the possibilities.

In other words, working out how to use Joplin on multiple devices is, in part, an issue with documentation.

Synching seems to have its problems, but Gdrive and OneDrive have issues too.

I like the idea of Nextcloud but have not done a lot of research on it and have very little experience.

Anything that is FOSS has a lot going for it in the long term, if not for security reasons.

So how to start with NextCloud?

Here are two guides to consider.

Nextcloud has many ways it can be deployed. These are discussed here.

How to create your own secure cloud storage: Nextcloud

ProPrivacy

Category: Guides

Last Updated: 1 July 2019

Comments: 0

Written by Douglas Crawford

-setup-nextcloud-hosted

The files are encrypted in transport (similar to https) with pretty good cryptographic primitives and much better than usual https authentication. What is not implemented yet is end-to-end encryption so that some computers only get AEAD (authenticated+encrypted) files, so that they can act as untrustworthy relays/servers.

Overall the security is rather tight, but as always it depends entirely on your usecase. From the way you are asking this question I assume that you are neither protecting nation state secrets like nuclear codes nor are you in charge of IT security at a billion dollar company which needs to protect itself against nation state level espionage.

Use file based encryption like ecryptfs (preferred, but works only on linux and maybe macs) or EncFS (not so great but afaik the only thing that reliably works cross-platform) on all your devices. This means even if someone were able to break the transport encryption or the authentication your files are still protected by a second layer of encryption. The strength of this is directly dependent on the strength of your password (I recommend at least 5 word long diceware passwords, 7/8 is much better and 10 is great).

Disable the anonymous usage reporting, relaying and global discovery. But then you have to make sure the routers of all involved devices are configured to let syncthing traffic trough AND you have to have fixed IPs or dynDNS addresses at which the devices can be reached on a regular basis. You also have to configure the addresses of all devices you want to connect to on each device (you might instead want to use one device as a server to setup your own relay and discovery server and use the introducer feature). The problem of not having fixed IPs can be avoided if you use VPN tunnels between your devices, which also adds another layer of transport encryption. Such VPNs however require either fixed IPs, dynDNS addresses or centralized infrastructure themselves. And the VPN will slow your connections down.

Ideally, users shouldn't have to trust additional parties on top of Dropbox to sync notes reliably. See a similar sentiment here: Allan_Quartermain comments on What's a good free solution to syncing between Windows, Android, and Linux?

Dropsync requires payment to sync more than one folder. Autosync requires payment after a 14-day free trial. Would established FOSS alternatives like Syncthing or others work for this purpose instead?

With Joplin encryption turned off, it's a pleasant experience: frequent encryption/decryption is not required, which reduces synchronization time. (Does it clean up disconnected resource files even with encryption? Sometimes I feel like I'm running into trouble. I'm not sure.)

Compared to the Linux application Dropbox, Syncthing is lighter and seems to be better optimized. While the Dropbox installation files are not Foss, Syncthing can be installed directly from the Debian repositories. Syncthing is Berry Good.

But I think Android Dropsync is not bad solution. When someone needs Dropbox, Dropsync provides a seamless synchronization solution with Joplin. I also suspect that the dropbox stopping syncing issue might be related to encryption, but I don't know at this point.

At the time I was experiencing this, there were a lot of resource file errors that failed to decrypt when syncing from the mobile Joplin app. Could it be disconnected resource files? I don't know. If I manually removed the one resource file with the error, the decryption error in the mobile app went away by one line. In

I was at the time... I didn't want to see the error message, so I kept trying again and again. I would encrypt, then unencrypt, then set another encryption. Could this be the cause of a bigger problem?

3a8082e126