syncing veracrypt encrypted container question

Hi everyone,

I had a question for you experts about how syncthing syncs veracrypt encrypted containers.

Here is my environment:

  1. I have two TrueNAS servers.
  2. Each TrueNAS server has an SMB share called: veracrypt
  3. In the veracrypt SMB share, there are 2 VeraCrypt encrypted containers set to a size of 25 GB
  4. Each TrueNAS server has Syncthing Enterprise set up, and both are set to sync a root dataset in TrueNAS to each other. (All child datasets are synced, one of which is the veracrypt dataset that is being shared out via SMB.)
  5. I’m using Windows PCs to access the VeraCrypt encrypted containers

My question is:

How is syncing handled when making changes inside the unlocked VeraCrypt container? When I add/change a file in a VeraCrypt encrypted container, is it just syncing the one file over, or is it syncing the entire 25 GB VeraCrypt encrypted container over? What happens if the source VeraCrypt container is unlocked and a change is made, but the destination VeraCrypt container is still locked?

If it is syncing the entire 25 GB VeraCrypt encrypted container over every time I make a change, do you have a recommendation on how to avoid that or better handle it, so that only changes are synced over and not the entire VeraCrypt container?

Thank you!

P.S.: I’m also aware of TrueNAS passphrased datasets, but I ran into many issues with them for shadow copies and a couple of other issues too. So I decided to settle on VeraCrypt encrypted containers instead.

Welcome here @stuser949 !

All Syncthing does is synchronizing files. It does not know anything about file types, containers etc. So it synchronizes the container file.

However, on the receiving side it is trying to minimize data transfer by creating a copy and then requesting only the changes. See Synching large files and differences - #2 by calmh .

You need to make sure yourself that a certain file is touched on one side only at a time. Otherwise you are creating a conflict, and Syncthing will create a conflict file.

You also need to make sure to disable an option called “Preserve modification timestamp of file containers” in VeraCrypt, or otherwise Syncthing won’t be able to detect that your container file has changed.
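The two points in that answer, block-level delta transfer on the receiving side and change detection via file metadata, are illustrated below in an added Python model that is not code from the thread or from the Syncthing project. It assumes a constructed 4 KiB block size (Syncthing's real block sizes are larger and depend on file size, and its block reuse is more elaborate than this by-index comparison), a constructed 1 MiB "container" built from hash output, and a constructed file name `container.hc`. The first demo shows that a small in-place write inside a large container costs only the changed blocks, not the whole file; the second shows why a scanner that keys on size and mtime misses a rewrite whose mtime has been put back, which is what VeraCrypt's "Preserve modification timestamp" option does.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # constructed demo value, not Syncthing's real block size


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """Index a file block by block, as a block-based sync tool does."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def blocks_to_fetch(local_hashes: list[str], remote_hashes: list[str]) -> list[int]:
    """Indices of blocks the receiver must request from the sender.

    A block is reused when the same index of the local copy already carries the
    same hash; anything else is fetched. (Simplification: Syncthing can also reuse
    matching blocks from other positions and other files.)
    """
    return [i for i, h in enumerate(remote_hashes)
            if i >= len(local_hashes) or local_hashes[i] != h]


def delta_sync(local: bytes, remote: bytes, block_size: int = BLOCK_SIZE) -> tuple[bytes, int]:
    """Rebuild the sender's version on the receiver into a fresh buffer (the 'temporary
    copy' of the whole file), copying unchanged blocks locally and fetching only the
    changed ones. Returns (rebuilt file, bytes fetched over the 'network')."""
    local_hashes = block_hashes(local, block_size)
    remote_hashes = block_hashes(remote, block_size)
    fetch = set(blocks_to_fetch(local_hashes, remote_hashes))
    rebuilt = bytearray()
    fetched = 0
    for i in range(len(remote_hashes)):
        start = i * block_size
        if i in fetch:
            chunk = remote[start:start + block_size]  # simulated request to the sender
            fetched += len(chunk)
        else:
            chunk = local[start:start + block_size]   # reused from the old local copy
        rebuilt.extend(chunk)
    return bytes(rebuilt), fetched


def demo_container_update() -> tuple[int, int, int]:
    """Write into two blocks of a constructed 1 MiB 'container' and report what a delta
    sync transfers versus the full file. Returns (changed blocks, bytes fetched, file size)."""
    # 32768 distinct 32-byte digests = 1 MiB = 256 blocks of 4 KiB; constructed content
    container_v1 = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32768))
    buf = bytearray(container_v1)
    buf[10 * BLOCK_SIZE + 100] ^= 0xFF      # a write landing inside block 10
    buf[200 * BLOCK_SIZE] ^= 0xFF           # a write landing inside block 200
    container_v2 = bytes(buf)
    rebuilt, fetched = delta_sync(container_v1, container_v2)
    assert rebuilt == container_v2           # the receiver ends up with the exact new file
    changed = len(blocks_to_fetch(block_hashes(container_v1), block_hashes(container_v2)))
    return changed, fetched, len(container_v2)


def scan_record(path: str) -> tuple[int, int]:
    """The cheap metadata a scanner keeps per file: (size, mtime in ns)."""
    st = os.stat(path)
    return st.st_size, st.st_mtime_ns


def changed_since(record: tuple[int, int], path: str) -> bool:
    """A scanner only rehashes a file whose size or mtime differs from the last record."""
    return scan_record(path) != record


def demo_preserved_mtime() -> tuple[bool, bool]:
    """Overwrite part of a file in place twice: first restoring the old mtime (the effect
    of VeraCrypt's 'Preserve modification timestamp' option), then with the mtime moved
    forward. Returns (change detected with mtime preserved, detected with mtime updated)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "container.hc")   # constructed file name
        with open(path, "wb") as f:
            f.write(b"A" * BLOCK_SIZE)
        record = scan_record(path)
        st = os.stat(path)
        old_atime, old_mtime = st.st_atime_ns, st.st_mtime_ns

        with open(path, "r+b") as f:             # same size, new content
            f.write(b"B" * 16)
        os.utime(path, ns=(old_atime, old_mtime))   # mtime put back: the scanner sees nothing
        hidden = changed_since(record, path)

        with open(path, "r+b") as f:
            f.write(b"C" * 16)
        # bump mtime by 2 s explicitly so the demo does not depend on filesystem timestamp granularity
        os.utime(path, ns=(old_atime, old_mtime + 2_000_000_000))
        visible = changed_since(record, path)
    return hidden, visible


if __name__ == "__main__":
    print("delta sync (changed blocks, bytes fetched, file size):", demo_container_update())
    print("change detected (mtime preserved, mtime updated):", demo_preserved_mtime())
```

Running it shows the 1 MiB file costing two blocks of transfer after two small writes, while the same write with a restored mtime is invisible to a metadata-based scan until something else triggers a full rehash; the cost that remains in the first demo is the temporary full-size copy the receiver assembles, which is the storage-speed point raised later in the thread.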

Thank you very much. It sounds like there may be extra unnecessary overhead because of the way VeraCrypt is working? I’ve been looking online and see that an encryption program called Cryptomator might be more suitable, as it’s folder/file-based encryption from what I understand.

Thanks tomas, I saw that too when doing some research!

I also came across Cryptomator, which seems to do encryption based on individual items, which may work better for my use case with Syncthing if I understand it correctly.

Would that be correct? Syncthing would sync individual items, instead of VeraCrypt where it may be syncing the entire 25 GB container?

Yeah, I personally sync some virtual machines, which also consist of very large files, and sync performance isn’t great. First of all, it does use way more data in comparison to dealing with individual, small files, and secondly, you need very fast storage as well, since Syncthing will need to create a temporary file for the whole container on each sync.

That’s good to know! I’m going to test Cryptomator today to see how it works and if it suits my use case.

Thanks!!

gocryptfs / cppcryptfs are also worth a recommendation!

Thank you for that! I’ve set up Cryptomator now, with some initial difficulties due to my environment, but it’s working now! Any good reasons you can think of why I should look into gocryptfs over Cryptomator for Windows 11 environments?

Performance (see comparison above) and FIDO2 (not supported by cppcryptfs) are the main reasons for me. Please note that on Android there is DroidFS which I only tested once.

I see that gocryptfs isn’t natively supported on Windows and the 3rd-party software (cppcryptfs) only has 8 developers. Do you have any opinion on that, the longevity and security of the project? Don’t want to use something that might die/be unsupported/less secure!

Based on the comparison in that link, performance seems to be way better, which is tempting, but the things I mentioned above worry me..

I just noticed that the performance tests are also using very old versions of the software. For example, Cryptomator 1.4.6 is from the year 2019. Hopefully some improvements have been made since!

Update: I think I’ll stick with Cryptomator for now after thinking it over again. I have some important data that I don’t want to be screwing around with.


A reasonable consideration, but Windows is not my main system, so it is not that important for me. In the end it does not really matter which encryption path you take, because in most cases you can switch between them with little effort.

It is quite easy to benchmark it yourself with your specific data load. The performance difference could be insignificant for small volumes, but it is not in my case with 300 GB over 100k files.

Just make sure you have backups of your unencrypted data somewhere.

Roger that! I do have backups, but unfortunately I don’t want to keep this data unencrypted anywhere.

Thank you for all your help!
