Avoid race condition using syncthing and unison together

I have two desktop computers, say X and Y, as well as several mobile devices. Both stationary desktop computers host a folder A (clear text) and a folder B (identical to A, but encrypted - with encfs). The purpose of the encrypted folders B is to be synchronized (using syncthing) to the mobile devices. Both desktop computers X and Y with their folders A and B are externally synchronized using syncthing. Within computer X, folders A and B are held consistent using unison.

  • What should be done to avoid messing up syncthing or unison (for example, which files should be ignored)?
  • It would be nice to use unison also on desktop Y to synchronize A and B (better availability for the mobile devices). I am afraid of a kind of race condition using syncthing and unison on both desktops, since there would be a path XA->unison->XB->syncthing->YB->unison->YA as well as a direct path XA->syncthing->YA and other similar combinations. How to avoid this kind of sync conflicts and conflicts on unison?

Is there any reason not to use Syncthing to synchronise the data between all devices? Using multiple pieces of synchronisation software on the same data concurrently isn’t usually a great idea…

AIUI, unison is used locally between the original folder A and its encrypted mirror B, to keep them in sync. That’s something Syncthing itself cannot do. The question is basically how to handle this mirroring sensibly when used on both sides, which could be pictured as a rectangle of folder links.

My experience is that one had better decide where the unison sync mainly happens and avoid doing it on the other end. If you must switch synchronizing to the other side, best run unison on X, wait for Syncthing to finish, then rescan with unison on Y before anything else has changed, in order to update Y’s unison database without conflicts.

Keeping unison and Syncthing active with continuous sync on all links is definitely asking for trouble; I only do such combinations with manual unison runs and look through the changes there before applying them.

The charm of syncthing is (also) not to depend on a (single) server that always has to be reachable and always has to be on duty. Using unison on only one device assigns that device a kind of unique server role in the described setting.

What are you trying to achieve by syncing the encrypted as well as the plaintext copy on each machine?

Maybe it would be better to run unison locally on each device and stop synchronizing the encrypted copy via Syncthing?

Good point not to sync the encrypted copy between the stationary desktops X and Y. But when the mobile devices sync their encrypted folder with either desktop X or Y, it’s the same problem again, isn’t it?

Yes, that’s basically the same situation, just with a little detour. Why sync the encrypted copy at all to the mobile devices? They have the unencrypted data, typically limited storage, and probably have no use for the encrypted copy. What’s your need to have both versions available?

Thanks for your help, André. In fact, the data are very confidential (personal patient data). Data on mobile devices (laptops and tablets) are exclusively encrypted, since devices can be stolen… Maybe I have to use encrypted data also on stationary devices and hold unencrypted data only on backups (one-way synchronisation like rsync).

Do you know about Syncthing’s “untrusted device” feature? You can set up folders to be stored on a device encrypted, while it can still propagate them to other devices which can see the unencrypted data if they have the right password. Maybe that is a better fit for your use-case, without needing unison or encfs at all? Do you actually ever decrypt on the laptop or tablet, or are they just for redundancy of the encrypted data?

Hi André, thanks for the hint to “untrusted devices”. If I understood well, what I need is just the other way round: I need to decrypt and access the data on the mobile devices. So I manually mount the encrypted folders with encfs, to be able to use the data “on the road”.

Then maybe only sync the encfs folder and mirror it to a decrypted copy on your stationary devices using unison. But don’t sync the decrypted copy in addition?