How to backup and restore syncthing

In case your computer is defective, stolen, or you want to migrate to a new computer, you need to install Syncthing again.

Of course you should not lose your data and should have the same identity. So I decided to describe and test a procedure to back up and recover Syncthing itself, to be prepared for that kind of situation.

A security warning in advance. Syncthing stores the keys it uses to encrypt and decrypt, as well as the passwords you have assigned to remote untrusted devices, on your local disk. If someone gets access to that data, it can be used to steal all your data from e.g. an untrusted device. So be warned!! Always encrypt your drive, especially in case of a laptop. Also note that uninstalling Syncthing does NOT wipe and remove the sensitive Syncthing folder. So remove it yourself. See later in

Below is the procedure I used (Microsoft Windows).

BackUp Syncthing

  • To save the syncthing config you need admin rights
  • Stop “Syncthing Service”
  • Close the GUI
  • The Syncthing keys and database are in C:\ProgramData\Syncthing (Microsoft Windows)
  • Copy or zip “C:\ProgramData\Syncthing” and store that ZIP, or at least:
  • cert.pem & key.pem from that folder
  • Your own device ID (from the GUI or from the config.xml)
  • the device IDs from the devices you use to share data (especially those of involved untrusted storage devices)
  • the FolderIDs from folders which should never be lost
  • On a secure location (NOT on the PC, which could be lost!)
  • Note that the folder passwords are in plain text in the config.xml
  • “C:\ProgramData\Syncthing” should never fall into wrong hands!
  • Store the data in a safe location, not on the same computer, preferably not at the same location
  • Depending on the needed security, encrypt your Windows disk (BitLocker). IMHO a laptop disk should always be encrypted.

Restore Syncthing

  • Download latest version
  • Install as Administrator
  • Start automatically at boot
  • Yes for a fixed computer
  • Probably no for a laptop to prevent “on the road” permanent data usage
  • Accept the certificate (it is your own computer )
  • Settings General: Minimum free space, probably higher than 1%
  • Settings GUI: Set a user and (strong) password, set https On
  • Settings Connections: Disable connection types you do not need!
  • Settings Advanced: Option to change “Path” to your default storage path; (consider windows encryption option for that folder; “:<yourpath>\”)
  • Close GUI and stop the Syncthing service (as administrator via Computer Management)
  • Go to “C:\ProgramData\Syncthing”. You need to be admin to access that folder
  • Replace the keys with the original keys “cert.pem” and “key.pem”
  • Start the Syncthing service
  • Remove ^this computer^ as the Remote device
  • Add the devices you want to share with
  • Ignore requests from those devices to share folders !! (it won't work)
  • Create the old folders using the previous folder-id
  • Share those folders with the related devices
  • They will resync / populate the folders

Final remark

Delete the C:\ProgramData\Syncthing before you sell or throw away your computer !! <<
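The device ID that the backup list above tells you to write down is derived from cert.pem, so it can be recomputed from a backup of that file alone. The following is an added Python example, not code from the original post or from the Syncthing project; it follows Syncthing's documented derivation (SHA-256 of the DER certificate, base32 without padding, four Luhn mod-32 check characters, printed as 8 groups of 7) and SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Syncthing's base32 alphabet (RFC 4648, no padding)
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Constructed placeholder wrapped as PEM; NOT a real certificate
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder DER bytes, not a real cert").decode()
              + "\n-----END CERTIFICATE-----\n")


def luhn32_check(chunk: str) -> str:
    """Luhn mod-32 check character over B32, as Syncthing computes it."""
    factor, total = 1, 0
    for ch in chunk:
        addend = factor * B32.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // 32 + addend % 32
    return B32[(32 - total % 32) % 32]


def format_device_id(raw52: str) -> str:
    """52 base32 chars -> 4 groups of 13 + check char, printed as 8 groups of 7."""
    if len(raw52) != 52:
        raise ValueError("expected 52 base32 characters")
    with_checks = "".join(raw52[i:i + 13] + luhn32_check(raw52[i:i + 13])
                          for i in range(0, 52, 13))
    return "-".join(with_checks[i:i + 7] for i in range(0, 56, 7))


def is_valid_device_id(device_id: str) -> bool:
    """Re-check the four Luhn characters of a formatted device ID (typo detection)."""
    s = device_id.replace("-", "").upper()
    if len(s) != 56 or any(c not in B32 for c in s):
        return False
    return all(luhn32_check(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))


def device_id_from_cert_pem(pem_text: str) -> str:
    """Device ID = base32(SHA-256(DER certificate)) with Luhn check characters."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    raw = base64.b32encode(hashlib.sha256(der).digest()).decode().rstrip("=")
    return format_device_id(raw)


if __name__ == "__main__":
    # the path the post describes for a Windows service install
    with open(r"C:\ProgramData\Syncthing\cert.pem", encoding="ascii") as fh:
        print(device_id_from_cert_pem(fh.read()))
```

Run it against the cert.pem from your backup and compare the output with the ID shown in the GUI; a mismatch means the backup does not hold the identity you think it does.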

Just a note on this. The keys are needed to be able to encrypt data towards an untrusted device. If an attacker can access one of your trusted devices then they already have an unencrypted copy of your data as well.


It's simpler than stopping Syncthing etc. Just copy the config.xml, cert.pem and key.pem. I actually have a Syncthing folder set up on remote devices to sync that back to a trusted local machine (folders are set up send-only, receive-only).

If you save the config.xml the remote Device IDs and folder IDs (as well as local paths) are already saved.

If you save the cert.pem and key.pem you have saved your own device ID. It is impossible to recreate the Device ID without these, so saving the local device fingerprint (“Device ID”) is unnecessary.

No need to make note of all those folder IDs and remote device IDs unless you want to reconstruct the config because the config.xml was not saved.

As long as the local folder paths are the same:

  1. For safety, set all the remote folders to “Send Only”.
  2. Install Syncthing on the replacement device (wait for an automatic upgrade if needed).
  3. Stop Syncthing.
  4. Copy over the config.xml, cert.pem and key.pem that you saved from the old device.
  5. Start Syncthing.
  6. It will see that the folders don’t exist and should create them and copy files back.
  7. Once they are in sync, set the remote folders back to “Send & Receive”.

EDIT: Note that any .stignore files you had on the old device will be lost because they are not synced, and do not get stored in the config.xml.

One workaround is to use an #include file in the .stignore and maintain the Ignore patterns there. But it makes maintenance more onerous because to edit the ignore patterns you have to open that file with another app.

Where it's possible, you can use identical ignore patterns on both sides; it is redundant, but it preserves the patterns. This is not always possible.

A final alternative is to run a periodic script to copy every .stignore to device-parent-folder.stignore (where device- is hard-coded in your script). This file would be synced.

I think I’m going to apply this last solution on my systems right now.

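The periodic copy script that the last alternative above describes, as an added Python example (not the poster's own script and not part of Syncthing): it reads the folder paths out of config.xml and copies each folder's .stignore to a file named <device>-<label>.stignore inside that same folder, which Syncthing does sync because only the exact name .stignore is excluded. The naming scheme, the hard-coded device name and the config used in the test are assumptions.

```python
import os
import re
import shutil
import xml.etree.ElementTree as ET

# Hard-coded per-device prefix, as the post suggests (constructed value)
DEVICE_NAME = "laptop"
# Default config location from the thread (Windows service install)
CONFIG_XML = r"C:\ProgramData\Syncthing\config.xml"


def safe_name(label: str) -> str:
    """Folder labels are free text; keep only filename-safe characters."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", label)


def backup_stignores(config_xml: str, device_name: str = DEVICE_NAME) -> list:
    """Copy each synced folder's .stignore to <device>-<label>.stignore in that folder.

    config_xml is the text of Syncthing's config.xml. Only the exact name .stignore
    is excluded from syncing, so the renamed copy travels to the other devices.
    Returns the paths written.
    """
    written = []
    for folder in ET.fromstring(config_xml).iter("folder"):
        path = folder.get("path", "")
        # label is optional in config.xml; fall back to the folder ID
        name = safe_name(folder.get("label") or folder.get("id", "folder"))
        src = os.path.join(path, ".stignore")
        if not os.path.isfile(src):
            continue  # nothing to preserve for this folder
        dst = os.path.join(path, f"{device_name}-{name}.stignore")
        shutil.copyfile(src, dst)
        written.append(dst)
    return written


if __name__ == "__main__":
    with open(CONFIG_XML, encoding="utf-8") as fh:
        for copied in backup_stignores(fh.read()):
            print("backed up", copied)
```

Schedule it (Task Scheduler on Windows) to run after you edit ignore patterns; on restore, copy the matching <device>-<label>.stignore back to .stignore before starting the service so the old exclusions apply from the first scan.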