Problem adding second trusted device connected to untrusted device

So i’ve been trying out the new functionality a little and there is something I don’t unterstand and wanted to check with you before filing a bug. So heres the setup:

  • 1 untrusted cloud machine and several syncing machines
  • Connecting up the first machine to the untrusted cloud works fine
  • when I try to use the second machine to decode the encrypted folder it will sync but instead will download the encrypted data (8.syncthing-enc …) instead of decoding.
  • It seems to work if I also sync the folder to another trusted machine in parallel.

Am I missing something here? Some configuration option I missed?

On the second machine, did you set the encryption password for the untrusted machine in the sharing tab?

Or a screenshots of the folder share tab would make the situation clear quickly.

Yes, encryption password is used. now it got even weirder. Readout on the second “client” machine:

Log Excerpt:

[D5HBB] 20:34:30 INFO: Puller (folder "Testdaten" (ewn3m-hsfv3), item "K.syncthing-enc\\HD\\SDMJVD344NB98GLN2L6E9USVLBAJLCPJ67C441SB31CT5HFM0QO41DSPEKN0C69KORMPE0BOFP5PFJJR02M0AAS24491B61K0P6NR"): syncing: pull: no such file
[D5HBB] 20:34:30 INFO: Puller (folder "Testdaten" (ewn3m-hsfv3), item "8.syncthing-enc\\14\\SPFR8U965A8JSNRLP18VHD667IN1CR050CN1263S1JM1V0LVQEV1KR15L9S6DJVI5NLSK53C0"): syncing: pull: no such file
[D5HBB] 20:34:30 INFO: Puller (folder "Testdaten" (ewn3m-hsfv3), item "D.syncthing-enc\\SE\\7EC8P16G8596EAHQ7HQSA2H2D4APNU0ELL0T0MDBQ044MGR4POE9SSAP44P0"): syncing: pull: no such file
[D5HBB] 20:34:30 INFO: "Testdaten" (ewn3m-hsfv3): Failed to sync 3 items
[D5HBB] 20:34:30 INFO: Folder "Testdaten" (ewn3m-hsfv3) isn't making sync progress - retrying in 1m18s.

On the untrusted cloud machine: image

so now, after pausing and restarting I get “up to date” on the second machine but still with the encrypted folders instead of the data itself. The other side (the formerly working client) now is disconnected and reports closed: handling index-update for ewn3m-hsfv3: siv: authentication failed

The setup on your second “client” machine should be identical to the first - in terms of password, etc. That you’re getting the the encrypted data indicates you did not set the encryption password.

The thing is even if you don’t set the password on a send-receive folder connected to an untrusted/encrypted folder, you shouldn’t get encrypted data. The connection should drop and you should get a warning saying something like “the other device sends encrypted data, but you didn’t set a password - fix that”.

The only way I can see that you are receiving encrypted data is if either the folder is set up as receive-encrypted or the folder on the untrusted device isn’t actually set up as receive encrypted anymore. Or there’s a bug.

To better understand what’s going on, can we please use A for the first trusted device, U for the untrusted device and B for the second untrusted device.

The latest authentication failed message is happening on device A, and the affected connection is to U, right?
That is also a pointer to the thing I wrote about above: Either U is sending indexes with a different password (shouldn’t happen unless the folder was reset - once a password is set it shouldn’t ever change) or it is sending unencrypted data (that should however cause a connection drop).
Basically even if you did something differently than intended by design (no accusation or anything that you did) what you see shouldn’t happen.
It looks like somehow the device U and B were able to establish a “trusted” relationsship, thus B got encrypted files from U considering them as unencrypted. Those then went back to U, which then sent them on to A which rightfully fails when seeing them (not correctly encrypted).

Can you please store and share all logs from the process, mainly from U and B.

I’m happy to provide the logs. Any specific way how to best do that for you?

ok. Now I don’t understand anything anymore: To provide you with logs, I did reset everything and added a new test folder on A to sync to U. U is set to untrusted at A, so anything else than recieve encrypted on U should not be possible. When I sync the folder first, nothing happens but both A and U will tell me “up to date” (while on U it is empty). When I now pause the Folder on A and then resume it does sync however it stores it on U unencrpyted, while still telling me “receive encrypted” in the GUI.

From my understanding, that should not be possible.

I can only say that I had the same problem a few days ago. Even though I thought that I had set up everything correctly, I got encrypted data mixed with the actual files on one device. I was using v1.14.0 though, so I decided not to report the issue until I test the same configuration with the current RC.

Something is going wrong badly here - I’d like to know what and fix it. I played around with doing similar things (adding folders and adding no/incorrect passwords) and it worked as expected for me. Which isn’t to say there’s no problem, I obviously do things the way I want things done, just that I need your help.
Ideally there’s a clean reproducer, i.e. you can give a list of steps I can follow to encounter the bug myself. If that’s not possible, please post logs. With a test setup there shouldn’t be anything sensitive except maybe IPs, if you consider them sensitive, and “half-sensitive” device IDs (leave just the first block). Redact them if necessary. Then attach the log here in this thread please.

There’s no significant change between v1.14.0 and v1.15.0-rc.1. There have been a few fixes since, but they are not related to anything we are talking here. So likely what you saw is relevant to this issue. You should still upgrade to the latest rc when testing encrypted folders, if only to make sure we are talking about exactly the same thing and line-numbers in logs match.


So I’ll try both. Regarding the logs: Any debugging facilites I should turn on?


  • Devices A+B: Discovery and nat traversal deactivated, Relaying on (Windows x32)
  • Device U: Discovery, nat traversal and relaying deactivated (Ubuntu 20.04 64bit)
  • All Devices on v1.15.0-rc.5, Windows machines using SyncTrayzor
  • Devices A and B are connected to U. Status: Connected (unused)

Steps to reproduce

  • Add new Folder to Device A and share it with encryption password
  • Receive Folder on U and add it.

=> U will now show “Up to date” but will not receive any data. A will show “Syncing” for the device and “up to date” for the folder while not sending any data.

  • Pause the new Folder on A and resume it

=> A and U will now sync but U will now have the unencrypted data at the chosen path.


I repro-ed with the steps above. Looking into it right now - won’t need any logs.

This is a biggish issue unfortunately: The encryption connection handling was created when we still dropped a connection whenever the configuration changed, and relies on that. Now we don’t drop it anymore, and the connection doesn’t get to know about the encryption until it is dropped for another reason (restart, device pause, …).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.