Clarification of the usage of folder encryption

First I wanted to file a bug / error regarding encryption and syncing: "pull: generic error". Then finally I found some similar threads here explaining my misunderstanding…

So my setup is a simple folder shared with 2x Linux, 1x Qnap and 1x MacBook. I set it up so that it is encrypted everywhere and the Qnap is receive-only encrypted.

All works fine; only with the MacBook does the generic error come up. I was also confused why every time I shared a folder with the other device it was set up as receive-only encrypted.

This configuration seems to have been totally wrong except for Qnap.

1. Syncthing always encrypts the transport to the folder, so no one can read anything in between.
2. On the device, everyone who has access to the filesystem can read.
3. The only purpose and meaningful usage of folder encryption is to prevent 2., so that no one can read the data on that device even if it is compromised, as it stays encrypted for all.
4. That leads to folder encryption + send and receive not being really meaningful. The data will be encrypted two times and decrypted two times, leading to more CPU usage and not really increasing privacy.

Are those statements correct?
Thanks in advance!

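As an added illustration (not part of this thread or of the Syncthing project's documentation), a trimmed config.xml fragment showing the layering described in the statements above: trusted peers share the folder as plain sendreceive with no folder password, and only the untrusted QNAP gets a password on the trusted side and a receiveencrypted folder on its own side. Device IDs, paths and the password are placeholders.

```xml
<!-- Trusted device (e.g. one of the Linux boxes): folder is plain sendreceive.
     Transport to every peer is already TLS-encrypted by Syncthing (statement 1).
     A folder password is set ONLY toward the untrusted QNAP, so the QNAP stores
     ciphertext it cannot read (statement 3). Trusted peers get no password, so
     data is not encrypted and decrypted a second time for nothing (statement 4).
     Every trusted device sharing with the QNAP must use the same password. -->
<folder id="shared-docs" label="Shared docs" path="/home/user/Shared" type="sendreceive">
    <device id="LINUX2-DEVICE-ID-PLACEHOLDER" introducedBy="">
        <encryptionPassword></encryptionPassword>   <!-- trusted: plaintext sync -->
    </device>
    <device id="MACBOOK-DEVICE-ID-PLACEHOLDER" introducedBy="">
        <encryptionPassword></encryptionPassword>   <!-- trusted: plaintext sync -->
    </device>
    <device id="QNAP-DEVICE-ID-PLACEHOLDER" introducedBy="">
        <encryptionPassword>PLACEHOLDER-FOLDER-PASSWORD</encryptionPassword> <!-- untrusted -->
    </device>
</folder>

<!-- Untrusted device (the QNAP): the same folder ID, but type receiveencrypted.
     It holds only encrypted file names and contents and never gets the password,
     so a compromise of the NAS exposes ciphertext only (statement 3). -->
<folder id="shared-docs" label="Shared docs (encrypted)" path="/share/Sync/shared-docs" type="receiveencrypted">
    <device id="LINUX1-DEVICE-ID-PLACEHOLDER" introducedBy=""></device>
    <device id="LINUX2-DEVICE-ID-PLACEHOLDER" introducedBy=""></device>
    <device id="MACBOOK-DEVICE-ID-PLACEHOLDER" introducedBy=""></device>
</folder>
```

The misconfiguration described in the first post corresponds to putting a non-empty encryptionPassword toward the trusted Linux and MacBook devices as well, which makes them receive encrypted data they then have to decrypt again.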

I’d say yes, and the generic error is probably related to https://github.com/syncthing/syncthing/issues/8277.


I suppose so, but I’m not really following your reasoning as to the use-case — are you not wanting to have any devices which serve as redundant backups though unable to see the contents they are maintaining, themselves?

In other words, in my mind the main purpose of using untrusted devices with Syncthing is in order to achieve additional data redundancy (protection against data corruption) without increasing the administrative maintenance of ensuring the security of all those devices. (Also to increase the chance that at least one node will be online with the current version of the files you wish to receive onto a device with the decryption passphrase.)

Thanks to you both :slight_smile: :+1:

@tomasz86 yes, that is exactly the same. Also not bad to see there might be some real case to have a password and send & receive.

@OCRenkist yes, of course I already did so with my NAS. But I was a bit confused… As I know from E2E, the password or encryption keys are used to encrypt the content and get the maximum security, so I was thinking it is the same here. But what I was missing is that with the other apps, for example https://element.io/, there is always a server in between. That's different to Syncthing, as a "server" in between is optional and not the default. So transport encryption (SSL) between two devices, e.g. your mobile phone and your laptop, is also E2E encrypted. Only if there is an untrusted device in between, like a server, is a password needed to keep your data E2E encrypted.

In general, my suggestion would be to describe that better in the docs so that other not-so-wise people like me understand it faster. But maybe this thread already helps them ^^.


I think we would do well to develop some flowchart pictures to illustrate the behavior of Syncthing encryption layers in different use cases. :slightly_smiling_face: