ecryptfs with syncthing


I am planning to have an encrypted directory within a directory I sync with Syncthing and was wondering if there could be issues of Syncthing ‘syncing’ the directory while it’s mounted and readable.

With ecryptfs it works like this: directory unmounted, data not accessible. I mount the directory and change some files; data is readable. Could the data be synced at this time? I unmount the directory; data is encrypted and I want it to be synced.


When your encrypted directory is mounted versus unmounted, is there a single mount point, or is there a separate mount point for when it is locked versus unlocked?

I use an app called Cryptomator, and the location of the encrypted files is different from the mount point where you access the unencrypted files.

Either way, Syncthing is going to monitor the folder for changes and synchronize anything it sees that does change, regardless of whether it’s encrypted or not.

You might need to do some experimentation to see what the right configuration is for it to work properly. If the encrypted folder is its own folder in syncthing then you can pause synchronization while the folder is mounted and visible and then turn synchronization back on when you lock the folder.

Another option that might work better for you is to use an encryption program that does the encryption file by file, rather than an entire folder all at once. I have had success using Rclone to encrypt files that get synced via Syncthing. Not sure about anything else.

Also works great with gocryptfs.

Other than Syncthing not being able to more efficiently sync each file (there’s unlikely to be duplicate data blocks found due to the encryption), there aren’t any issues with per file-based encryption systems like eCryptfs.

Changes saved to the (unencrypted) mount point directory then saved to the (encrypted) source directory look just like regular files in both directories.

Not 100% sure I understand the question, but if you’re concerned about inadvertently leaking data by syncing with Syncthing while an encrypted directory is mounted/open for writing…

Let’s suppose that you have the following directory structure:

├── eCryptfs-unencrypted
└── syncthing
    └── eCryptfs

In the above setup, Syncthing is configured to sync the contents of the syncthing directory to another device while ./syncthing/eCryptfs contains encrypted files.

As long as eCryptfs-unencrypted isn’t in a Syncthing folder, it’s secure. Or in other words, don’t set it up like this:

└── syncthing
    ├── eCryptfs
    └── eCryptfs-unencrypted

(On a related note, while the eCryptfs module is still being maintained in the Linux kernel, the required user-space tools haven’t been updated since April 2013. It’s also Linux-specific if there’s a need for portability. So if you’re just getting started with eCryptfs, it’s something worth considering before diving in.)
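The safe and unsafe layouts above come down to one rule: the plaintext mount point must not sit inside any Syncthing folder. The script below is an added example, not code from the thread or from the Syncthing or eCryptfs projects. It checks a proposed layout purely by path comparison, and separately reads a mount table (`/proc/mounts` by default, or a file you pass in) to tell whether the plaintext directory is currently an active ecryptfs mount, which is the moment a sync of that path would leak cleartext. All paths in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that an eCryptfs plaintext mount point lies outside
# every Syncthing-synced folder, and detect whether it is mounted right now.
# Paths used below are constructed placeholders, not from the original post.

# Strip trailing slashes so "/a/b/" and "/a/b" compare equal ("/" stays "/").
norm_path() {
    p=$1
    while [ "${p%/}" != "$p" ] && [ "$p" != "/" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# Return 0 (true) if path $1 equals directory $2 or lies underneath it.
path_within() {
    child=$(norm_path "$1")
    parent=$(norm_path "$2")
    [ "$parent" = "/" ] && return 0        # everything is under the root
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = plaintext mount point, remaining args = Syncthing folder paths.
# Prints "safe" and returns 0 when the plaintext directory is outside all of
# them; prints "LEAK" and returns 1 on the first synced folder that contains it.
check_layout() {
    plain=$1; shift
    for synced in "$@"; do
        if path_within "$plain" "$synced"; then
            echo "LEAK: $plain is inside synced folder $synced"
            return 1
        fi
    done
    echo "safe: $plain is outside all synced folders"
    return 0
}

# Return 0 if $1 is currently mounted with filesystem type "ecryptfs".
# $2 (optional) is the mount table to read; defaults to /proc/mounts, whose
# columns are: source  mountpoint  fstype  options  dump  pass
is_mounted_ecryptfs() {
    target=$(norm_path "$1")
    table=${2:-/proc/mounts}
    awk -v t="$target" '$2 == t && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$table"
}

# Demo with the two layouts from the thread (constructed home directory).
check_layout /home/user/eCryptfs-unencrypted /home/user/syncthing || :
check_layout /home/user/syncthing/eCryptfs-unencrypted /home/user/syncthing || :
```

Run `check_layout` once against every folder path configured in Syncthing; a "LEAK" means the layout is the second tree above. `is_mounted_ecryptfs` is useful as a pre-sync guard in a wrapper script: if it returns 0 for the plaintext directory, the vault is open and a sync of that path would carry cleartext.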
