How to backup and restore syncthing

In case your computer is defective, stolen, or you want to migrate to a new computer, you need to install Syncthing again.

Of course you should not lose your data and should keep the same identity. So I decided to describe and test a procedure to back up and recover Syncthing itself, to be prepared for that kind of situation.

A security warning in advance. Syncthing stores the keys it uses to encrypt and decrypt, as well as the passwords you have assigned to remote untrusted devices, on your local disk. If someone gets access to that data, it can be used to steal all your data from e.g. an untrusted device. So be warned!! Always encrypt your drive, especially in the case of a laptop. Also note that uninstalling Syncthing does NOT wipe and remove the sensitive Syncthing folder. So remove it yourself. See later in

Below is the procedure I used (Microsoft Windows).

BackUp Syncthing

  • To save the Syncthing config you need admin rights
  • Stop “Syncthing Service”
  • Close the GUI
  • The Syncthing keys and database are in C:\ProgramData\Syncthing (Microsoft Windows)
  • Copy or zip “C:\ProgramData\Syncthing”; store that “ZIP” or at least:
      • cert.pem & key.pem from that folder
      • Your own device ID (from the GUI or from the config.xml)
      • the device IDs of the devices you use to share data (especially those of involved untrusted storage devices)
      • the folder IDs of folders which should never be lost
      • on a secure location (NOT on the PC, which could be lost!)
  • Note that the folder passwords are in plain text in the config.xml
  • “C:\ProgramData\Syncthing” should never fall into the wrong hands!
  • Store the data in a safe location, not on the same computer, preferably not at the same location
  • Depending on the needed security, encrypt your Windows disk (BitLocker). IMHO a laptop disk should always be encrypted.

Restore Syncthing

  • Download the latest version
  • Install as Administrator
  • Start automatically at boot
      • Yes for a fixed computer
      • Probably no for a laptop, to prevent “on the road” permanent data usage
  • Accept the certificate (it is your own computer)
  • Settings General: Minimum free space, probably higher than 1%
  • Settings GUI: Set a user and (strong) password, set HTTPS on
  • Settings Connections: Disable connection types you do not need!
  • Settings Advanced: Option to change “Path” to your default storage path (consider the Windows encryption option for that folder; “:<yourpath>\”)
  • Close the GUI and stop the Syncthing service (as administrator via Computer Management)
  • Go to “C:\ProgramData\Syncthing”. You need to be admin to access that folder
  • Replace the keys with the original keys “cert.pem” and “key.pem”
  • Start the Syncthing service
  • Remove “this computer” as the remote device
  • Add the devices you want to share with
  • Ignore requests from those devices to share folders!! (it won't work)
  • Create the old folders using the previous folder ID
  • Share those folders with the related devices
  • They will resync / populate the folders

Final remark

Delete C:\ProgramData\Syncthing before you sell or throw away your computer!!

Just a note on this. The keys are needed to be able to encrypt data towards an untrusted device. If an attacker can access one of your trusted devices then they already have an unencrypted copy of your data as well.


It's simpler than stopping Syncthing etc. Just copy the config.xml, cert.pem and key.pem. I actually have a Syncthing folder set up on remote devices to sync that back to a trusted local machine (folders are set up send-only, receive-only).

If you save the config.xml the remote Device IDs and folder IDs (as well as local paths) are already saved.

If you save the cert.pem and key.pem you have saved your own device ID. It is impossible to recreate the Device ID without these, so saving the local device fingerprint (“Device ID”) is unnecessary.

No need to make note of all those folder IDs and remote device IDs unless you want to reconstruct the config because the config.xml was not saved.

As long as the local folder paths are the same:

  1. For safety, set all the remote folders to “Send Only”.
  2. Install Syncthing on the replacement device (wait for an automatic upgrade if needed).
  3. Stop Syncthing.
  4. Copy over the config.xml, cert.pem and key.pem that you saved from the old device.
  5. Start Syncthing.
  6. It will see that the folders don’t exist and should create them and copy files back.
  7. Once they are in sync, set the remote folders back to “Send & Receive”.

EDIT: Note that any .stignore files you had on the old device will be lost because they are not synced, and do not get stored in the config.xml.

One workaround is to use an #include file in the .stignore and maintain the Ignore patterns there. But it makes maintenance more onerous because to edit the ignore patterns you have to open that file with another app.

Where it's possible, you can use identical ignore patterns on both sides; it is redundant, but it preserves the patterns. This is not always possible.

A final alternative is to run a periodic script to copy every .stignore to device-parent-folder.stignore (where device- is hard-coded in your script). This file would be synced.

I think I’m going to apply this last solution on my systems right now.

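An added example (not from this thread or from the Syncthing project) that automates what the first post's backup list and mopani's .stignore remark describe: it reads the device and folder IDs out of config.xml, flags which folder/device pairs carry an untrusted-device password without copying the password anywhere, and zips config.xml, cert.pem, key.pem and every folder's .stignore (which config.xml does not contain). The config.xml layout, the sample IDs and password, and the temporary-directory demo are assumptions constructed for the example.

```python
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

SAMPLE_CONFIG = """<configuration version="37">
  <folder id="docs-1234" label="Documents" path="{root}/Documents" type="sendreceive">
    <device id="AAAAAAA-TRUSTED" introducedBy=""></device>
    <device id="BBBBBBB-UNTRUSTED"><encryptionPassword>hunter2</encryptionPassword></device>
  </folder>
  <device id="AAAAAAA-TRUSTED" name="laptop"></device>
  <device id="BBBBBBB-UNTRUSTED" name="nas-untrusted"></device>
</configuration>
"""  # constructed sample for the demo; the IDs and password are made up

def inventory(config_xml: Path) -> dict:
    """Folder IDs, paths and device IDs to write down; passwords are only flagged."""
    root = ET.parse(config_xml).getroot()
    devices = {d.get("id"): d.get("name") for d in root.findall("device")}
    folders = []
    for f in root.findall("folder"):
        shared = [d.get("id") for d in f.findall("device")]
        # a non-empty <encryptionPassword> marks an untrusted peer of this folder
        encrypted = [d.get("id") for d in f.findall("device")
                     if (d.findtext("encryptionPassword") or "").strip()]
        folders.append({"id": f.get("id"), "path": f.get("path"),
                        "shared_with": shared, "encrypted_for": encrypted})
    return {"devices": devices, "folders": folders}

def bundle(config_dir: Path, out_zip: Path) -> list:
    """Zip config.xml, cert.pem, key.pem and each folder's .stignore (absent from config.xml)."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for name in ("config.xml", "cert.pem", "key.pem"):
            z.write(config_dir / name, name)
        for f in inventory(config_dir / "config.xml")["folders"]:
            ignore = Path(f["path"]) / ".stignore"
            if ignore.is_file():  # folders without patterns are simply skipped
                z.write(ignore, f"stignore/{f['id']}.stignore")
        return z.namelist()

def demo() -> tuple:
    """Build a throwaway config directory from constructed files and bundle it."""
    root = Path(tempfile.mkdtemp())
    cfg, docs = root / "config", root / "Documents"
    cfg.mkdir(); docs.mkdir()
    (docs / ".stignore").write_text("*.tmp\n")
    (cfg / "config.xml").write_text(SAMPLE_CONFIG.format(root=root.as_posix()))
    (cfg / "cert.pem").write_text("placeholder, not a real certificate\n")
    (cfg / "key.pem").write_text("placeholder, not a real key\n")
    return inventory(cfg / "config.xml"), bundle(cfg, root / "syncthing-backup.zip")
```

The resulting zip still contains the plain-text folder passwords inside config.xml, so it needs the same protection the first post demands for the Syncthing folder itself.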

Can anyone confirm this works?


Which of the two procedures are you thinking of following?

mopani's seems more straightforward


Good choice.

My process is almost identical to mopani’s. The only difference is that a separate backup program picks up my Syncthing config.xml, cert.pem, key.pem and .stignore files as a bundle so I don’t need to handle the pattern files I include separately or add them to my Syncthing folder.


And what program is that?

Yes, I have done this.

I use tarsnap for remote backup and it includes the .stignore files, so I could restore them if necessary.

That is an additional step; having something to pull them all in at once would be nice, but it doesn't feel like it's worth the extra work for as infrequently as I would make use of it.

Restic is currently my primary backup tool.

Depending on personal preferences – e.g. budget, commercial vs. open-source, ease-of-use (e.g. GUI), baked-in cloud storage support, etc. – another great option is Duplicacy.

Duplicacy was my go-to until recently switching to Restic. I still use Duplicacy for accessing my older archives, so it’ll be sticking around for a long time.

(Like Syncthing, both Restic and Duplicacy are written in Go.)

Restic in a (small) nutshell…

Create an exclude file (e.g. excludes.txt) to optionally skip things such as Syncthing’s temporary files and index database:

.syncthing.*.tmp
index-v0.14.0.db

If you don’t need encryption and are backing up to a local folder somewhere (hopefully on reliable removable storage media), initialize the target backup folder:

restic init --insecure-no-password --repo /path/to/repository/

(While there are great reasons for encrypting backups, unless you’re 100% certain that you’ll never ever lose the key, keep at least one unencrypted backup.)

Now, whenever you want to back up your Syncthing config folder:

restic backup --verbose --insecure-no-password --skip-if-unchanged --exclude-file /path/to/excludes.txt --repo /path/to/repository/ /path/to/syncthing/config/

Not only can /path/to/syncthing/config/ be changed at any time, but adding multiple data sources to the same repository also means more duplicate chunks of data will be skipped (saving a lot of storage space). So you can back up your photos folder; later back up your music collection; then your partner's data folder(s); relatives' data folders; friends' data folder(s), and so on.

List backups:

restic snapshots --insecure-no-password --repo /path/to/repository/

List files in a backup:

restic ls --insecure-no-password --repo /path/to/repository/ <snapshot ID>

Restore files with a .jpg extension:

restic restore --insecure-no-password --repo /path/to/repository/ --include "*.jpg" <snapshot ID>

(Swap <snapshot ID> with the actual ID listed by restic snapshots.)

Restic is like a digital Swiss Army Knife for backups. There are all kinds of ways to slice and dice things to fit many use-cases.