How sensitive is config.xml?


I’m wondering if it is safe to share the config.xml file of a device in public (e.g. Github, etc) or could this be exploited somehow?

Your Web GUI password in a hashed form is there, and also all device names, folder paths, etc. It depends how sensitive they are for you. I wouldn’t share mine for sure.

1 Like

So if I understand you correctly, it does not compromise syncthing’s security, but might expose personal information. Thank you!

Isn’t the API key also stored in the config? You definitely shouldn’t expose that, since it grants full access to syncthing (if someone is able to connect to the GUI port)


Wait, what? We store the API key as plaintext?


I know the security implications of leaking a user created password and an autogenerated API key are a bit different, but why don’t we store them both as a hash? Solely relying on file permissions to guard this secret seems risky to me.

The chance of a user accidentally publishing his config file is not zero. Case in point: this thread

One complication is that all of the usual password hashing algorithms are designed to be one-directional.

For example, the web GUI password requires users to enter their password so that Syncthing can rehash it for comparison against the hash stored in config.xml – i.e. Syncthing doesn’t “know” what the password is, it only knows what the hash is.

The API key is technically a “shared secret”. If the API key were hashed for storage in config.xml, the user would need to supply the non-hashed API key so that Syncthing’s web GUI could then submit it to the REST API backend (who only has the hashed version) for verification. User’s using the REST API interface directly already store the API key externally, but it could be inconvenient for the web GUI users unless they’re using a password manager.

One workaround would be to store the API key in a separate XML file to reduce the chances of a user exposing it while posting their config.xml online.

1 Like

no it is not safe to share config.xml file publicly on synching device. It contains sensitive information like device IDs, encryption keys that can be exposed.