I have 3 devices: A, B - linux, C - android. All have syncthing v1.30.0.
First there was folder shared from A(send only) to C(receive only), no encryption. Then B appeared, A shared folder with B(receive only encrypted) encrypted. No devices are auto-accept.
After that strange things started to happen: B and C started sharing the folder with each other, although I didn’t want that, because of encryption only on one side. That led to them trying to share folder unencrypted, and getting log on B:
“remote expects to exchange plain data, but is configured to be encrypted (0 remain)”
Also at first I saw them showing suggestions to share folder, I chose “ignore”, but that didn’t help. If I manually remove folder from sharing, that works only for a short time, then they silently start sharing again. That leads to constant disconnection between B and C due to that error with encryption. Just for complete information, folders shared exactly in the same scenario but unencrypted were also shared between devices but ofc without any problems.
To sum up, the issue is that devices keep sharing the folder although they were told to ignore it, and despite manually removing the folder from sharing, and get disconnected from each other because of this.
This looks like a bug to me, but maybe I’m missing something.
Truth be told, I believe you are missing something. The stuff you are talking about, establishing connection between devices and sharing folders, is basic functionality which has been implemented “forever” and which frankly just works.
Let’s start with trying to describe the situation:
You have three devices. Correct?
Are all of these under your direct control?
You mention encrypted. Do you want files on at least one device to be encrypted? A typical scenario where this is wanted is when a device is not under your exclusive control, such as a device in a colo.
Please share screenshots of Syncthing from all three devices where we can see:
Yes, I want file on one device to be encrypted. This device is a vps server which is used for backups, and I wouldn’t like files there to be unencrypted.
I will share screenshots later if needed, right now according to what @wweich told that seems to be expected.
An Untrusted Remote Device is one that you’re not allowed to share a folder to without an encryption password configured. This is configured on each Device that doesn’t trust the Untrusted Remote Device. See Untrusted (Encrypted) Devices — Syncthing documentation.
I would suggest you turn off the Introducer function if you don’t want Syncthing peers to try to automatically add new Devices.
That’s true, A is an introducer and auto-accept for B and C.
Aha, I see. So there is a conflict: A introduces the folder to C and B between themselves, ignoring the fact that one of them has it encrypted.
But shouldn’t it be overridden for this case? If A shares folder to B encrypted, B shouldn’t get that folder unencrypted from C via introducer - this might be a security concern if it actually tries to share folder unencrypted.
Also C shouldn’t accept sharing same folder from B via introducer if it knows B has this folder encrypted but C has plain.
And aside from how I think it should work in case of introducing encrypted folders, I just can’t manually make B and C ignore sharing this folder. I can uncheck sharing folder on one device, it works for a while, but after restart the same loop starts over. On C(android) I get msg that B wants to share, press “Ignore”, folder is added to ignored, but after restart that “ignored” entry is gone.
Why do you need Introducer for just three devices? This option is useful if you’ve got a large number of devices, which you don’t want to connect with each other manually, but with just three, you should simply be able to do the same by hand very quickly.
To be honest, I don’t think anyone has tested this kind of a mixture of encrypted folders and Introducer enabled at the same time.
That seemed handy when I was setting everything up. I have more than 3 devices, it’s ~5 active(few vps backups), and I like that when I share a folder with my backup node, all my other devices also start sharing(if folder already was shared) that folder with backup node, which is always online. No need to go and make multiple manual sharings. Very useful for mesh network of devices with few backups nodes.
I’ll try to switch introducer off and see what happens.
Shall I create a bug report on GitHub? Maybe this is not a number one use case, but this behaviour still looks wrong to me.
Also I’d like to say thanks to all you guys, contributors and supporters of any kind, this is a super great app!
Please be aware that a synchronized copy in itself is NOT a backup. Consider if one of your devices is hit by ransomware… ALL your files on ALL devices will be lost.
This can be mitigated to some extent by using the Syncthing feature “File versioning”, but I for one am not willing to call that a full-fledged backup.
The basic setup you have is IMO a good start, to which you can add this: Do a proper backup using e.g. restic on the device you call “backup node” to e.g. USB disks.
I certainly think that what happened to you is bad, but I don’t know what the most “unsurprising” expected behavior would be. But yeah, a bug report is probably a good start.
Yup, I’m doing daily restic backups with 3d\weekly\monthly to B2(backblaze) on my backup node(they are just few vps nodes), and they are receive-only, while my main device has most folders in send-only. So ransomware would really be a problem if it happened on my “daily usage” devices, but here, well, restic should come to help. So syncthing I’m using not strictly for backups, but as a tool to sync files between devices.
Regarding the “unsurprising behavior”, I have 2 approaches on my mind. First is just to ignore automatically sharing folders if they are not both in same encryption state. Both unencrypted or both encrypted with same password is good, otherwise don’t share. And probably give a one-time notification. Second is simpler: if folder is shared as encrypted, just don’t count it as eligible to introducing it to others never mind what. Only manually set up sharing.
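An added example, not part of the thread or of Syncthing's own code: a small audit of a device's config.xml that flags the combination discussed above, an introducer on a folder that is encrypted for some peers but not others. It assumes the config.xml element and attribute names used in the constructed, simplified samples (`introducer`, `introducedBy`, `encryptionPassword`, folder type `receiveencrypted`); the device IDs are placeholders and `audit` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config.xml fragments (placeholder device IDs).
# CONFIG_B: the encrypted VPS, which marks A as introducer and already has
# C attached to the folder through A's introduction.
CONFIG_B = """<configuration>
  <folder id="docs" type="receiveencrypted">
    <device id="DEV-A" introducedBy=""/>
    <device id="DEV-B" introducedBy=""/>
    <device id="DEV-C" introducedBy="DEV-A"/>
  </folder>
  <device id="DEV-A" introducer="true"/>
  <device id="DEV-C" introducer="false" introducedBy="DEV-A"/>
</configuration>"""
# CONFIG_A: the sender, which gives B ciphertext and C plaintext.
CONFIG_A = """<configuration>
  <folder id="docs" type="sendonly">
    <device id="DEV-A"/>
    <device id="DEV-B"><encryptionPassword>constructed</encryptionPassword></device>
    <device id="DEV-C"/>
  </folder>
  <device id="DEV-B" introducer="false"/>
  <device id="DEV-C" introducer="false"/>
</configuration>"""

def audit(config_xml, local_id):
    """Return sorted (folder_id, finding, device_ids) tuples for one device's config."""
    root = ET.fromstring(config_xml)
    introducers = {d.get("id") for d in root.findall("device")
                   if d.get("introducer") == "true"}
    findings = []
    for folder in root.findall("folder"):
        fid, peers = folder.get("id"), folder.findall("device")
        ids = {p.get("id") for p in peers} - {local_id}
        enc = {p.get("id") for p in peers
               if (p.findtext("encryptionPassword") or "").strip()}
        introduced = {p.get("id") for p in peers if p.get("introducedBy")}
        if folder.get("type") == "receiveencrypted":
            # Receiving side: an introducer on this folder can attach further peers.
            if ids & introducers:
                findings.append((fid, "encrypted-folder-follows-introducer",
                                 sorted(ids & introducers)))
            if introduced:
                findings.append((fid, "peer-added-by-introduction", sorted(introduced)))
        elif enc and ids - enc:
            # Sending side: peers of this folder are in different encryption states.
            findings.append((fid, "mixed-encryption-peers", sorted(ids - enc)))
    return sorted(findings)

if __name__ == "__main__":
    for cfg, me in ((CONFIG_B, "DEV-B"), (CONFIG_A, "DEV-A")):
        print(me, audit(cfg, me))
```

Run it against each device's own config.xml with that device's ID as `local_id`; a finding on the sender together with a finding on a receiver identifies the folder to take out of the introducer's reach.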