Lessons Learned: Syncthing + TrueCrypt containers

I am collaborating with 1 colleague on a project. We decided to test using Syncthing to distribute documents and keep up-to-date with edits. We also agreed to use 1 TrueCrypt container to encrypt all files.

Our first attempt was a failure. Here’s why:

(1) “A” creates a TC container on 03/23/2015 @ 13:00:00. The container is mounted (unencrypted), and several files are placed inside the container. The container is then dismounted (encrypted) and placed inside the shared folder and then synced.

(2) “B” receives the container in his shared folder, mounts it from inside the shared folder, and proceeds to edit the files. He dismounts the container leaving it in the shared folder on 03/24/2015 @ 17:00:00 and syncs.

(3) “A” never receives the edits. The original container content created on 03/23/2015 remains on “A”'s machine.

The problem is that the original container’s metadata (size and time created) is unchanged by “B”. Mounting, editing files, and dismounting doesn’t change the TC file’s metadata. Thus the 2 devices have different contents in their container.

Workaround:

(1) We set up both devices “A” and “B” as peers, no master.

(2) To edit files, “B” removes the container from the shared folder (to another location) and immediately syncs. This removes the container from both “A” and “B”.

(3) When the edits are done, “B” puts the container back into the shared folder, syncs - and it propagates properly to both devices.

Kind of clumsy - but it works. If anyone has a better Syncthing method to achieve this, I would be interested in your thoughts.

EDIT:

I’ve just discovered a TrueCrypt setting (in Preferences) that enables time-stamping of container edits. Just uncheck the box highlighted in yellow:

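A scripted version of the check this thread turns on, added here as an example and not from the original post: a scanner that compares only size and mtime will miss a container whose bytes changed but whose metadata did not, so after dismounting we hash the container and bump its mtime only when the content actually differs. It assumes POSIX sh with coreutils sha256sum, and that the digest sidecar file is kept outside the shared folder.

```shell
#!/bin/sh
# Added example, not from the original post. After a TrueCrypt container is
# dismounted, compare its bytes with the digest recorded last time; if they
# differ, bump the mtime so a size/mtime-based scanner such as Syncthing
# re-indexes and propagates it. Assumes POSIX sh and coreutils sha256sum.
set -u

# Hex SHA-256 of a file's content.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# mark_if_changed CONTAINER STATEFILE
# STATEFILE holds the digest seen at the previous run; keep it OUTSIDE the
# shared folder so it is never synced itself. Returns 0 (and touches the
# container) when the content changed or no digest was recorded yet;
# returns 1 when the bytes are identical, leaving the mtime untouched.
mark_if_changed() {
    container=$1
    state=$2
    new=$(file_digest "$container")
    old=""
    if [ -f "$state" ]; then
        old=$(cat "$state")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state"
    # The container is fixed size, so mtime is the only metadata a scanner
    # can notice: update it explicitly.
    touch "$container"
    return 0
}

# Usage: mark_if_changed /path/to/share/vault.tc "$HOME/.vault.tc.sha256"
```

Run it right after dismounting, before Syncthing's next scan; the recorded digest doubles as a quick way to confirm whether the last session actually wrote anything.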

There’s a TrueCrypt setting to change the last modified time on the crypt when it’s saved. Can’t remember exactly where, but it’s there. That caught me out, too.

Thanks @canton7 - I found it too. See edit of my original post. :blush:

EDIT: TrueCrypt audit has been completed so I am more optimistic about it than when I wrote this post.


Original post:

Are you open to using something besides TrueCrypt? Are you aware of the controversy surrounding TrueCrypt, where even the developers have recommended against using it?

For example: If you used EncFS you’ll have better interaction with Syncthing. EncFS encrypts files and folders on an individual level. It’s also more trusted than TrueCrypt, while being easy to set up on Windows, Mac and Linux.

You can create an encrypted folder on one machine, and set Syncthing to watch that folder. Share the folder with the other machine, and share the folder key through a safe method.

Now when you want to work on your project, mount the encrypted folder to the system using EncFS, do your work and each file change will be noticed by Syncthing and synced automatically to the other folder.

BUT Syncthing can only see the encrypted versions of the files and folders, because Syncthing is only watching the encrypted folder, not the temporary mounted folder that you are doing your work in.

With this method, Syncthing will only sync changes you make to files inside the folder, instead of re-syncing the entire TrueCrypt container every time. So you no longer have to manually move the files and folders every time, because the encrypted versions are synced in the background for you, and you only mount and decrypt them when needed.

Let me know if you have any questions or if anything is unclear.


Thanks xHN35RQ. I plead nolo contendere (no contest). :relieved:

I am neither a cryptography expert nor an IT professional, so I am not going to defend 1 crypto product over another alternative. I am aware of the lengthy debates easily found all over the web and media about mass surveillance programs and encryption exploits being developed by 3 letter government agencies with $X*10^9 budgets.

I am also aware that the anonymous developers of TrueCrypt mysteriously terminated the project in May 2014. At the same time, there are no known exploits of TC, and we are all waiting for the final crowdfunded 3rd party security review. I believe it’s expected to be released mid-2015.

Your suggestion to use EncFS is a good one. I employed EncFS when I was using Dropbox and decided that I didn’t really trust them with my data. In order for their de-duplication algorithms to work, I assumed they had to be scanning files. That was before I discovered Syncthing. LOL.

The new EncFSMP program is really nice, and Windows + OS X users probably will find that it works really well in tandem with Syncthing for the reasons you described in your comments.

Thanks.

Ok cool, just wanted to make sure you’re aware of potential pitfalls :smiley:

BTW, besides EncFS you can check out Boxcryptor Classic which offer similar functionality.


Came here to recommend encfs as well. A big upside is that you’ll avoid conflicts if two users modify two different files at the same time, while one big container will have painful conflicts in these scenarios.

Can’t you just sync the contents of the TC container (i.e. the drive it is mounted on)? Transmission is encrypted anyway and all (two) peers are supposed to see the file. I would sync the whole container only if it gets stored on a non-trustworthy backup server or something.

Yeah, we could. After all, TLS handles the en-route encryption. We simply preferred having the files encrypted on the end-points - so we went with the TC (or EncFS) approach.

Agreed! Our team has recently expanded, and we have 1 member located 11 time zones away from me. To facilitate 24 x 7 syncing, we installed Syncthing on a 3rd party VPS, and end-point encryption immediately became a much higher priority.

EncFS is not considered safe. You can find some info online about it.

If security and sync are important, I would recommend GPG clones where you work on your doc but put a GPG version of the file on sync. Because GPG needs a key and a pass it is more secure. You can create some scripts to copy files to your sync folder regularly after encrypting them with GPG.

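One way to script the GPG workflow suggested above, added as an example and not the poster's own script: plaintext lives in a working directory outside the share, and only files whose plaintext is newer than their existing .gpg copy are re-encrypted into the Syncthing folder. It assumes gpg in PATH with the recipient's public key already imported; the directories and key id in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Encrypt plaintext files from a
# working directory (outside the share) into the Syncthing folder as .gpg
# files, so only ciphertext is ever synced. Assumes gpg in PATH and the
# recipient's public key already imported. Paths and key id are placeholders.
set -u

# needs_encrypt SRC DST
# True when DST is missing or SRC was modified after DST was written.
# GPG output differs on every run even for identical input, so re-encrypting
# unconditionally would make Syncthing transfer every file every time.
needs_encrypt() {
    src=$1
    dst=$2
    [ -f "$dst" ] || return 0
    [ "$src" -nt "$dst" ]
}

# encrypt_changed WORKDIR SYNCDIR RECIPIENT
# Encrypts each regular file in WORKDIR that needs it; prints the count.
encrypt_changed() {
    workdir=$1
    syncdir=$2
    recipient=$3
    count=0
    for src in "$workdir"/*; do
        [ -f "$src" ] || continue
        dst="$syncdir/$(basename "$src").gpg"
        needs_encrypt "$src" "$dst" || continue
        # --batch/--yes: non-interactive, overwrite the stale ciphertext.
        gpg --batch --yes --quiet --encrypt --recipient "$recipient" \
            --output "$dst" "$src" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Run from cron or a timer, e.g.:
# encrypt_changed "$HOME/project-plain" "$HOME/Sync/project" alice@example.invalid
```

Deleting a plaintext file does not remove its .gpg from the share; handle deletions separately if that matters to you.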

EncFS is not considered safe if an untrusted device or adversary has more than one snapshot of the ciphertext. For more information see the EncFS Security Audit from Feb 2014.

For the use case presented by OP it seems EncFS is a good solution. However your suggestion of GPG encrypted shares is excellent. Do you have any examples of software that could help automate OP’s workflow using GPG?

Another option is to create your own encrypted file container ala TrueCrypt using LUKS and cryptsetup. Arch Linux wiki also has a tutorial on this.

Thanks for posting this, I’m working with the exact same issue, specifically, using Syncthing for storing backups on an un-trusted backup server.

A quick note on the crypto:

I wouldn’t feel any pressure to switch if you feel like TrueCrypt is working for you. On Apr 2, a third-party firm released the results of a full audit of TrueCrypt source; they did not find a back door or any serious issues. EncFS failed a similar audit, and the revisions to the TrueCrypt source done by VeraCrypt haven’t been audited. VeraCrypt may end up being a good option going forward, though their use of the TrueCrypt source is a clear violation of the TrueCrypt license. If someone ever got cranky about it, they probably could be shut down.


@selfuntitled Thanks for reminding me, I’ve done further research and went back to revise my previous posts. I don’t trust any TrueCrypt forks at the moment and am cautiously optimistic about TrueCrypt thanks both to the results of the audit, and Jacob Appelbaum sharing at the last CCC that as of 2012 TrueCrypt was still a major problem for attackers.