Encryption password from file

aitvann · June 11, 2023, 12:17pm

I want to publish my Syncthing config (config.xml, not keys) on GitHub along with other configs from my system, and I was honestly surprised that encryption passwords for untrusted folders could not be loaded from files. I was even more surprised when I couldn’t find a single discussion on this topic. So I have a few questions:

is it possible to use encryption password from a file, and I just overlooked it ?
are there plans to add this feature ?

acolomb · June 11, 2023, 8:55pm

No and no.

The config file is monolithic, but you can of course grep out lines with information you don’t want to share. I can’t imagine though why you would want to publish it. Care to explain?

aitvann · June 11, 2023, 9:44pm

No and no

too bad

but you can of course grep out lines with information you don’t want to share

I would rather use something like git-crypt

I can’t imagine though why you would want to publish it. Care to explain?

so as not to loose it in case my hard drive explodes. also I am too lazy to go with self hosted solutions such as GitLab or GitTea

gadget · June 12, 2023, 3:31am

Perhaps I’m misunderstanding the setup…

If Syncthing’s config is published to GitHub after being encrypted by git-crypt’s filter, unless the security of git-crypt and/or GitHub is in question, storing a Syncthing folder password separately from config.xml trades extra complexity for a minor increase in security.

It increases the odds that during a disaster, recovery will be difficult or near impossible because it depends on the safe keeping of those password files (which could have vaporized in a hard drive explosion ).

If your hard drive explodes, it’s going to take your SSH key and GnuPG keyring with it, which is required for accessing your repo on GitHub and decrypting config.xml. But if your SSH key(s) and GnuPG keyring are already safely and routinely backed up elsewhere, including Syncthing’s config.xml sounds like a better solution compared to publishing on GitHub.

Backing up the folder password and ID in a password manager such as BitWarden (self-host or use the free personal plan) would be less cumbersome and more secure. Alternatively, Syncthing’s config.xml could be attached or pasted into a note field (BitWarden has a CLI tool which can be used with automated scheduled tasks).

system · July 12, 2023, 3:32am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.