syncing veracrypt encrypted container question

Hi everyone,

I had a question for you experts about how syncthing syncs veracrypt encrypted containers.

Here is my environment:

  1. I have two truenas servers.
  2. Each truenas server has an SMB share called: veracrypt
  3. In the veracrypt smb share, there are 2 veracrypt encrypted containers set to a size of 25 GB
  4. Each truenas server has syncthing enterprise set up, and both are set to sync a root dataset in truenas to each other. (all children datasets are synced, one of which is the veracrypt dataset that is being shared out via smb)
  5. I’m using windows pcs to access veracrypt encrypted containers

My question is:

How is syncing handled when making changes inside the unlocked veracrypt container? When I add/change a file in a veracrypt encrypted container is it just syncing the one file over or is it syncing the entire 25 GB veracrypt encrypted container over? What happens if source veracrypt container is unlocked and a change is made, but the destination veracrypt container is still locked?

If it is syncing the entire 25 GB veracrypt encrypted folder over every time I do a change, do you have a recommendation on how to avoid that or better handle it so that only changes are synced over and not the entire veracrypt container?

Thank you!

P.S: I’m also aware of truenas passphrased datasets but I ran into many issues with them for shadow copies and a couple other issues too. So I decided to settle with veracrypt encrypted containers instead.

Welcome here @stuser949 !

All Syncthing does is synchronize files. It does not know anything about file types, containers etc. So it synchronizes the container file.

However, on the receiving side it is trying to minimize data transfer by creating a copy and then requesting only the changes. See Synching large files and differences - #2 by calmh .

You need to make sure yourself that a certain file is touched on one side only at a time. Otherwise you are creating a conflict, and Syncthing will create a conflict file.

You also need to make sure to disable an option called “Preserve modification timestamp of file containers” in VeraCrypt, or otherwise Syncthing won’t be able to detect that your container file has changed.
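To make the two points in this reply concrete (the receiving side keeps a copy and requests only the changed blocks, and a change is only noticed when size or modification time differs), here is an added simulation in Python. It is not Syncthing's own code; it assumes a fixed 128 KiB block size (Syncthing's classic default; real installations may use larger blocks for big files), SHA-256 block hashes, and a constructed 2 MiB "container" of seeded random bytes in which a 512-byte sector is overwritten, as a VeraCrypt write inside the mounted volume would do.

```python
"""Added example (not Syncthing's code): block-level transfer and
size/mtime change detection for a large container file."""
import hashlib
import random

BLOCK_SIZE = 128 * 1024  # assumption: Syncthing's classic default block size


def block_hashes(data, block_size=BLOCK_SIZE):
    """Split the file into fixed-size blocks and hash each block."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def scan_detects_change(old_meta, new_meta):
    """Scanner shortcut: the file is only rehashed when (size, mtime) differs.
    With VeraCrypt's 'preserve modification timestamp' on, both stay equal
    after a write, so the change is invisible to this check."""
    return old_meta != new_meta


def blocks_to_fetch(have, want):
    """Indices of blocks the receiver must request from the peer: every
    block whose hash differs from (or is missing in) the copy it already has."""
    return [i for i, h in enumerate(want) if i >= len(have) or have[i] != h]


def simulate_write(container, offset, payload):
    """Overwrite bytes in place, like a sector write inside the volume."""
    return container[:offset] + payload + container[offset + len(payload):]


def make_container(size, seed=1):
    """Constructed container contents: deterministic pseudo-random bytes."""
    return random.Random(seed).randbytes(size)


def demo():
    v1 = make_container(16 * BLOCK_SIZE)            # 2 MiB, 16 blocks
    meta_v1 = (len(v1), 1700000000)                 # (size, mtime) as seen by the scanner

    # One 512-byte sector changes inside block 5.
    v2 = simulate_write(v1, 5 * BLOCK_SIZE + 100, b"x" * 512)
    meta_v2 = (len(v2), 1700000060)                 # mtime updated normally
    meta_v2_preserved = (len(v2), 1700000000)       # timestamp-preserving mode

    have = block_hashes(v1)                         # what the receiver already holds
    want = block_hashes(v2)                         # what the sender now announces
    return {
        "total_blocks": len(have),
        "blocks_to_fetch": blocks_to_fetch(have, want),
        "detected_normal": scan_detects_change(meta_v1, meta_v2),
        "detected_preserved": scan_detects_change(meta_v1, meta_v2_preserved),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The receiver still has to build a complete temporary copy of the container (hence the storage and time cost mentioned later in this thread), but only the blocks listed in `blocks_to_fetch` cross the network; a write that straddles a block boundary costs two blocks. The `detected_preserved` result shows why the timestamp option must be off: size and mtime match, so the scanner never gets as far as hashing.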

Thank you very much. It sounds like there may be extra unnecessary overhead because of the way veracrypt is working? I’ve been looking online and see that an encryption program called cryptomator might be more suitable as it’s folder/file-based encryption from what I understand.

Thanks tomas, I saw that too when doing some research!

I also came across cryptomator which seems to do encryption based on individual items which may work better for my use case with syncthing if I understand it correctly.

Would that be correct? Syncthing would sync individual items instead of veracrypt where it may be syncing the entire 25 GB container?

Yeah, I personally sync some virtual machines, which also consist of very large files, and sync performance isn’t great. First of all, it does use way more data in comparison to dealing with individual, small files, and secondly, you need very fast storage as well, since Syncthing will need to create a temporary file for the whole container on each sync.

That’s good to know! I’m going to test cryptomator today to see how it works and if it suits my use case.

Thanks!!

gocryptfs / cppcryptfs are also worth a recommendation!