What about Encrypted Nodes


I know that this has been discussed a while ago, but what about encrypted nodes for untrusted servers like Resilio Sync has. I am currently using their product, but since their pace of development has slowed down quite a bit, I fear that they might abandon their product. Syncthing would be the best alternative, but I need those encrypted folders.

Cheers, thejack


So from my reading this hasn’t been finished because of the concept only partially fitting to preserve everything syncthing currently has in regard to functionality. Syncthing is designed for trust between accepted nodes and distrust to unknown devices.

If you want to have only encrypted data “on the other side” and you are on Windoze you might try to combine syncthing with cryptsync:


cryptsync source code

E. g. don’t syncthing your original folder but use cryptsync to create a parallel encrypted version on your local machine. And then you syncthing this to somewhere else. This is at least useful when doing a “peer backup” of personal data amongst friends. You trust them as being your friends, anyway you don’t want them to be able to peek in your life insurance contract or whatever.

Stefan Küng BTW belongs to the TortoiseSVN Team, a Windows GUI client for the SVN versioning system: TortoiseSVN, so this is widely used software (despite the rise of git).


Alternative to cryptsync: https://cryptomator.org/

or Duplicati

I’m glad I’m not the only one here with this concern! I too am stuck with my entire organization using the Resilio semi-abandonware, mainly because we absolutely must have untrusted (encrypted) node support. I’d be more than willing to pay/donate to get untrusted nodes up in Syncthing, but in the meantime will check out the posted options.

Thanks OP for (continuing) to raise awareness. There are dozens of us. Dozens!

There is a bounty on it

I eagerly want this as well. Hence I’m putting mas dinero into this. Bounty is over $4,000! I’d recommend any amount to keep awareness on this. It’s difficult to do it right, so money hopefully encourages a smart dev to work on this.



Yehaaaaa: https://github.com/syncthing/syncthing/pull/6214

@calmh made a nice draft. It’s still at an early stage, I guess. I wonder how one would read the encrypted data from the encrypted device in case the source would be no longer available. Just curious :-)


Yeah, all data is there in the folder, including the (encrypted) file metadata tagged on to the (encrypted) file, so the idea in the long term is that you could say for example syncthing --decrypt-folder ~/mystuff --password "the password I didn't forget".


Bounty has hit $4500!


So, what about them? Can anyone provide us with an update?

Recently shifted from Resilio Sync, this (and Selective Sync) are the only features I miss.

There is an implementation, which is mostly technically sound and done, but needs some UI work to drive home. I’ve been busy on other things, but it’s coming.

Great news. So if I would merge that pull request and compile syncthing locally, that would work?

Assuming you figure out how to configure it, it should.

I did figure out how to, it seemed to work pretty well - at first.

But there is one caveat: I assume that Syncthing stores the filename in an encrypted “blob”, which is then sent to the encrypted node. Well, that works pretty well on UNIX systems, such as my MacBook, but if there is a Windows node in play, it sends the path with its respective path separator - the “\”. And that’s the point when there will be a lot of folders named “folder\subfolder” showing up on your Mac.

At least that is what I think is going on - might be something else. Only thing I know from the user perspective is that these folders (all 0-sized) are starting to show up after enabling the feature.


But thanks for your efforts, I appreciate it


Can you clarify the topology and which devices are encrypted or not?

Oh, I just realized what might be going on. Yeah, the metadata encryption might be before the slash normalization, so Windows style paths “leak” out over the wire, which shouldn’t happen.
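The ordering problem described above, as an added example that is not Syncthing's own code: the sender converts the native path to a slash-separated wire name before encrypting the metadata, and a receiver that decrypts a name which was never normalized sees one component containing backslashes instead of a directory chain. The function names (wireName, sealName, openName), AES-256-GCM and the SHA-256 password hashing are assumptions for illustration, not the format used by the pull request.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// wireName converts a native path to the slash-separated wire form.
// sep is the sender's native separator: '\\' on Windows, '/' on Unix.
func wireName(native string, sep rune) string {
	return strings.ReplaceAll(native, string(sep), "/")
}

// gcmFor derives an AES-256-GCM AEAD from the folder password. Hashing the
// password is an illustrative stand-in for a real KDF, not Syncthing's scheme.
func gcmFor(password string) cipher.AEAD {
	key := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size is valid for GCM
	return gcm
}

// sealName encrypts one wire-form name; the random nonce is prefixed to the blob.
func sealName(password, wire string) ([]byte, error) {
	gcm := gcmFor(password)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(wire), nil), nil
}

// openName authenticates and decrypts a blob, then splits the name on "/" as a
// receiver would before creating directories; a leaked "\" is not a separator.
func openName(password string, blob []byte) (string, []string, error) {
	gcm := gcmFor(password)
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", nil, err // wrong password or tampered blob
	}
	return string(pt), strings.Split(string(pt), "/"), nil
}
```

Sealing the constructed name `folder\subfolder\file.txt` directly yields a single component on the receiving side, while sealing `wireName(name, '\\')` yields the three components the receiver needs.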

(I am tzarta, but since that is a new account, I cannot post more than 3 posts, so I created a new one)

Topology: MacBook <-> Linux NAS <-> Windows. The Mac and the PC are also connected, all connections to the NAS are encrypted via the encryptionPassword option, same password on each device.

If you need logs, just ask.

Thanks for the quick response


Thanks, no logs required for now.

(I upgraded your other account so you’ll suffer less limits.)

Bounty has hit $5,000 for encrypted untrusted nodes functionality.