Data encryption between untrusted devices.

I have Syncthing configured to sync files from my laptop to my nuc server, and the nuc server syncs files with my synology and raspberry pi in a different location (for backups). The nuc server is labeled as untrusted from my laptop. I checked the files on my nuc and they are all encrypted as they should be; however, the files on the synology and raspberry pi are unencrypted even though they are untrusted with each other. Do you have any ideas how I can keep files encrypted on all untrusted nodes? Or maybe there are better sync options for that case?

A more detailed sync scheme is in the diagram.

[Diagram: sync_scheme]

If you have set it up as depicted, not entered a password in the synology and pi and nuc has encrypted files, then it’s impossible that the pi and synology have un-encrypted files (where would they get them from?). Please share screenshots of the web UI to see what you have set up.

Also just to be sure and because it can’t be repeated often enough:

I assume you are making backups of the synced data on those devices - syncing alone is not backup.

2 Likes

I suppose that once you’re in untrusted-land (NUC and to the right), those sharing relationships should be “normal” (no passwords or trustiness entered). Probably receive-only is appropriate for the Pi and Synology. I don’t remember if I’ve tried a scenario like this.

I think the synology and pi both need to be receive-encrypted as well. The NUC knows it has encrypted stuff - it will notice and complain if the remotes don’t behave appropriately (provide a token or announce themselves as having encrypted stuff).

1 Like

Syncthing won’t let me add a share without a password if both devices are untrusted:

Even if I make NUC trusted for pi and synology, I’ll get the decrypting error.

NUC configs:

Yes, I’m probably wrong with the terminology here. This is sort of like a cluster. The idea is that if the master node (nuc) fails, I can switch to a slave node (pi, synology, etc.) and then switch back to the master node when it gets fixed. Maybe I’ll use a load balancer in the future to automate this process.

Pi configs:

Synology configs:

The problem is that Pi and synology are configured as folder-type send-receive, while they should be receive-encrypted.

2 Likes
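One way to check each untrusted node for this misconfiguration, as an added example that is not part of the original thread: the script reads a Syncthing `config.xml` and reports folders whose type is not `receiveencrypted`, or that have an encryption password stored. The sample config, folder IDs and device ID are constructed placeholders, and the element and attribute names (`folder` `type`, `encryptionPassword`) are assumed to match the `config.xml` layout of current Syncthing releases.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config.xml for an untrusted node (e.g. the Pi) before
# the fix. Folder IDs, paths and the device ID are placeholders.
SAMPLE_CONFIG = """<configuration>
  <folder id="docs-aaaaa" label="Documents" path="/srv/sync/docs" type="sendreceive">
    <device id="NUC-DEVICE-ID-PLACEHOLDER">
      <encryptionPassword></encryptionPassword>
    </device>
  </folder>
  <folder id="photos-bbbbb" label="Photos" path="/srv/sync/photos" type="receiveencrypted">
    <device id="NUC-DEVICE-ID-PLACEHOLDER">
      <encryptionPassword></encryptionPassword>
    </device>
  </folder>
</configuration>"""


def audit_untrusted_node(config_xml):
    """Return (folder_id, problem) tuples for folders that may hold plaintext."""
    findings = []
    root = ET.fromstring(config_xml)
    for folder in root.iter("folder"):
        folder_id = folder.get("id", "(no id)")
        folder_type = folder.get("type") or "(missing)"
        # An untrusted node must store the folder as ciphertext only.
        if folder_type != "receiveencrypted":
            findings.append(
                (folder_id, f"type is {folder_type}, expected receiveencrypted"))
        # A password saved here would put the key on the untrusted node.
        for device in folder.iter("device"):
            if (device.findtext("encryptionPassword") or "").strip():
                findings.append(
                    (folder_id, f"password stored for device {device.get('id')}"))
    return findings


if __name__ == "__main__":
    for folder_id, problem in audit_untrusted_node(SAMPLE_CONFIG):
        print(f"{folder_id}: {problem}")
```

Run it against the `config.xml` of each untrusted node; an empty result means every folder there is receive-encrypted and no password is stored on that node.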

It worked, thank you. That was easier than I expected 🙄

1 Like