Encryption for remote syncthing device

(Urza) #22

I am using EncFs over syncthing and it works great… works on all major operaring systems, encryption is on file level (unlike truecrypt)… on untrusted server there is no key it only synchronizes encrypted files an on trusted computers i decrypt files into virtual folder…

(Stefan Tatschner) #23

I love encfs and I use it myself. But for the sake of completeness one should be aware of this:


1 Like
(Lars K.W. Gohlke) #24

Just checked the issues in the repo. Seems a lot has been done since that report almost two years ago.



(Bablat) #26

I am using Syncthing across a few computers and have setup an offsite node in another physical location (my parent’s house…), it’s a raspberry pi with an encrypted LUKS volume (external USB drive) that hosts my data. The machine boots up from SD, dials home to my network using OpenVPN (client-side certificate, which I can revoke if compromised), then emails me asking me to unlock the encrypted volume (which is done using a simple node.js app), mounts the data volume, and reloads syncthing which will begin syncing from that point on.

If this device gets stolen it’ll be disconnected from power and my data remains safe. I still run a risk of a local network exploit while the machine is online, but that risk is low and I’ve got no open ports (except over the VPN interface) and I run automatic updates daily.

I’d obviously much prefer a syncthing node which doesn’t ever see data in the clear, that would enable proper cloud hosted safe storage, but just wanted to propose this approach to people who are seeking a temporary solution.

(Avamander) #27

What do you guys/gals think about CryFS? I’m planning to use it but do you have any experience with it?


I like the idea in theory (same size blocks everywhere so we dont give away metadata). But how well does it work in practice ESPECIALLY on Windows? Most of these dime-a-dozen encryption schemes work flawlessly on Linux (or some FUSE FS), and fall flat on their face in Windows. Maybe they’re trying to many things in background?

EncFSMP and EncFS4win are 2 of the recent things I’ve tried that just create tons of “weeping and gnashing of teeth” for me on Windows. Oh sure they START out working just fine… until that day comes when they suddenly lose half your files due to some wierd bug. Fortunately I keep offsite backups… but it’s hardly a ringing endorsement for trust in them. Or they are just extremely inconvenient to use for some reason. Also it makes me leery of ANY of these encryption schemes for Windows that ISN’T Bitlocker (or something made by Microsoft directly).

(Hr46ph) #29

If I may ask, with over 30 backers and over a 1,000 dollar bounty, isn’t that enough to put some more effort into this (mind you, I didn’t say “implement it”)?

If I see correctly, the latest changes are about 2 years old. Are there so many other features or are you running into trouble that this can’t be finished?

I am kindly asking, and genuinly interested to know the reasons behind this not getting more attention.


(Jakob Borg) #30

I think it’s at the back of many people’s minds. There was a pull request the other day that didn’t really cut it but refreshed some ideas. I have a branch with some work in it. Doing it right is not trivial.

(Hr46ph) #31

Thanks for the reply.

Fair enough.

Well hopefully by keeping this thread alive you guys gain a little motivation :grin:.

This is really the only thing I miss. Keep up the good work!

(Chris B) #32

Hi I came across Syncthing and would give it a shot - however, the missing “encrypt files on untrusted server” feature is a blocker for me. I don’t want to expose my private files to admins of my web hoster…

Any update on when this feature will be available?

Cheers, Chris

(Audrius Butkevicius) #33


(Anatol Pomozov) #35

I agree that ‘storing files at non-trusted servers’ is a great feature for Syncthing.

But if ST has no interest in implementing it, what are the other options? Is there an efficient solution for this use-case?

1 Like

Check out https://cryptomator.org/

1 Like
(totoba) #37

This could be possible as well with git hooks?


Cryptomator is not Free for Android neither OpenSource :frowning:

1 Like

Thumbs down for cryptomator from me as well. I had looked at it for a long time, it looked nice, but when I downloaded it to my Linux box and tried it it turned out to be a humongous bloated Java application with its own ideas about how it should be installed, which incidentally makes it useless with just a window manager - it needs one of the ‘desktop’ systems. Huge, heavy stuff. I could almost hear the sigh of relief from my server when I purged the junk from my system. Fortunately there are alternative options out there.

1 Like

Has there been any progress in the last year or did someone find an alternative?


While it is not a real solution, I built a Docker image that should make it more difficult to access your SyncThing filesystem on an untrusted source here: https://github.com/PhracturedBlue/syncthing-docker-encrypt

The idea is to encrypt the filesystem with gocryptfs and then make it difficult to either (a) get access to the running image (by using distroless base-image and multi-stage build) or (b) get access to the gocryptfs key/password

It is likely that (with some effort) both of these can be subverted by someone with root access to your host while the image is running, so don’t consider this real security, but it does raise the bar on how easy it is to do so.

I still hope for a proper client-side solution to encryption someday so that hacks like this aren’t needed

(Saviodsouza) #42

Rclone has crypt remotes feature. Rclone is also written in Go Can that help implement crypt repositories for syncthing