Hi, I’ve been using Syncthing for a while and I’m really loving it. One thing which makes me a bit uneasy about my setup however is the fact that I have everything synced to my server unencrypted. I’d really like to have the server set up as an encrypted device and all my other machines pull from there and unencrypt. However I’ve also been thinking about adding incremental backups to the server, so that if I delete something by accident and it’s synced across all my machines I will have some way of getting it back.
So my question is, how do you have your servers set up? Incremental backup on encrypted data doesn’t sound like it would work very well. If Syncthing stores the files individually encrypted I guess it’s possible, but if everything is just stored in massive blob files to hide the folder structure as well then it really won’t work all that well.
The files are stored individually but if it’s your own server, why not just use full disk encryption instead and store Syncthing files in their normal form? The main purpose for using Receive Encrypted folders is to store them on devices that you haven’t got full control of, e.g. a remote server that could possibly be compromised, a friend’s computer, etc.
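Because a Receive Encrypted folder keeps one ciphertext file per original file, an ordinary snapshot-style incremental backup of the server side works file by file, which is the point the question above raises and the reply answers. The following is an added example written for this thread, not code from the forum posters or from the Syncthing project: a minimal hard-link snapshot tool in the style of rsync's `--link-dest`. Unchanged files are hard-linked into the new snapshot (no extra space), changed or new files are copied, and a file deleted from the live folder is still present in the older snapshot, which is exactly the accidental-deletion case the first post worries about. The folder names, timestamps and file contents are constructed for the example.

```python
"""Hard-link snapshot backups of a Syncthing folder (added example, not project code).

Each snapshot is a full directory tree, but files that did not change since the
previous snapshot are hard links to it, so only changed files cost disk space.
Works unmodified on a receive-encrypted folder because every synced file is its
own encrypted file on disk.
"""
import os
import shutil
import tempfile
from pathlib import Path


def _unchanged(src: Path, prev: Path) -> bool:
    """Same size and same whole-second mtime as the previous snapshot's copy.

    This is rsync's default quick check; a same-size edit inside the same
    second would be missed, use content hashes if that matters to you.
    """
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def snapshot(live: Path, backups: Path, name: str) -> dict:
    """Create backups/<name> from `live`, hard-linking against the newest existing snapshot.

    Snapshot names must sort chronologically (ISO timestamps work). Returns how
    many files were linked versus copied so a caller can sanity-check the run.
    """
    previous = sorted(p for p in backups.iterdir() if p.is_dir()) if backups.exists() else []
    prev = previous[-1] if previous else None
    dest = backups / name
    dest.mkdir(parents=True, exist_ok=False)
    stats = {"linked": 0, "copied": 0}
    for src in live.rglob("*"):
        rel = src.relative_to(live)
        if src.is_symlink():
            continue  # do not follow links out of the folder
        if src.is_dir():
            (dest / rel).mkdir(parents=True, exist_ok=True)  # includes Syncthing's .stfolder marker
            continue
        if not src.is_file():
            continue
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if prev is not None and _unchanged(src, prev / rel):
            os.link(prev / rel, target)
            stats["linked"] += 1
        else:
            shutil.copy2(src, target)  # copy2 keeps mtime so the next run can compare
            stats["copied"] += 1
    return stats


def demo() -> dict:
    """Two snapshots of a constructed folder; returns the facts worth checking."""
    root = Path(tempfile.mkdtemp(prefix="st-snap-"))
    live, backups = root / "live", root / "backups"
    live.mkdir()
    # Constructed stand-ins for the per-file ciphertext a receive-encrypted folder holds.
    (live / "a.bin").write_bytes(b"ciphertext-a")
    (live / "b.bin").write_bytes(b"ciphertext-b")
    (live / "sub").mkdir()
    (live / "sub" / "d.bin").write_bytes(b"ciphertext-d")
    first = snapshot(live, backups, "2024-01-01T000000")
    # Changes Syncthing would propagate to every device: edit b, delete a, add c; d is untouched.
    (live / "b.bin").write_bytes(b"ciphertext-b-version-2")
    (live / "a.bin").unlink()
    (live / "c.bin").write_bytes(b"ciphertext-c")
    second = snapshot(live, backups, "2024-01-02T000000")
    snap1, snap2 = backups / "2024-01-01T000000", backups / "2024-01-02T000000"
    return {
        "first_run": first,
        "second_run": second,
        "deleted_file_recoverable": (snap1 / "a.bin").read_bytes() == b"ciphertext-a",
        "deleted_file_in_new_snapshot": (snap2 / "a.bin").exists(),
        "unchanged_file_shares_inode": (snap1 / "sub" / "d.bin").stat().st_ino
        == (snap2 / "sub" / "d.bin").stat().st_ino,
        "old_b": (snap1 / "b.bin").read_bytes(),
        "new_b": (snap2 / "b.bin").read_bytes(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point it at the Syncthing folder path on the server (the encrypted one or the plain one inside a LUKS volume, it makes no difference to the tool) and run it from cron with a timestamp name; prune old snapshots with a plain `rm -r`, since hard links mean deleting one snapshot never affects the others. On the receive-encrypted side the snapshots are still ciphertext, so restoring means copying the old encrypted file back into the folder and letting a trusted device decrypt it.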
That is a good point. To avoid re-installing and setting everything up again I guess I could partition off a chunk to fully encrypt, then point Syncthing at that folder after it was decrypted and mounted.
The main reason I wanted to enable encryption on the server though is to avoid a scenario where a vulnerability in e.g. the webserver part gave someone access to the system. Using this access they would be able to see all my files. And since I never use the files on the server for anything but synchronising them to my other devices I thought it prudent to just encrypt them and not have to worry about it.
There is another encryption option available that you might want to check out. It’s a crypto app called Cryptomator. Open Source software that creates an encrypted “Vault” of folders/files. The vault sits inside a folder that can be synchronized with Syncthing. No one without the Cryptomator software running on their client (and the password) can read the files. Nothing to stop a file system from being mounted or synced.
I use it to keep personal files personal from cloud services. Syncthing will see and sync the files. It’s sort of like syncing a password protected zip folder.
This way there are no system wide changes to make to your server volumes.