What about Encrypted Nodes

thejack · July 4, 2019, 8:06am

Hello!

I know that this has been discussed a while ago, but what about encrypted nodes for untrusted servers like Resilio Sync has. I am currently using their product, but since their pace of development has slown down quite a bit, I fear that they might abandon their product. Syncthing would be the best alternative, but I need those encrypted folders.

Cheers, thejack

Catfriend1 · July 4, 2019, 9:02am

So from my reading this hasn’t been finished because of the concept only partially fitting to preserve everything syncthing currently has in regard to functionality. Syncthing is designed for trust between accepted nodes and distrust to unknown devices.

DonPedro · July 5, 2019, 9:01am

If you want to have only encrypted data “on the other side” and you are on Windoze you might try to combine syncthing with cryptsync:

cryptsync

cryptsync source code

E. g. don’t syncthing your original folder but use cryptsync to create a parallel crypted version on your local machine. And then you syncthing this to somewhere else. This is at least useful when doing a “peer backup” of personal data amongst friends. You trust them as being yours friends, anyway you don’t want them to be able to peek in your life insurance contract or whatever.

Stafen Küng BTW belongs to the TortoiseSVN Team, a Windows GUI client for the SVN versioning system: TortoiseSVN, so this is widely used software (despite the rise of git).

bt90 · July 5, 2019, 4:26pm

Alternative to cryptsync: https://cryptomator.org/

uok · July 5, 2019, 5:30pm

or Duplicati

diver-down · July 8, 2019, 8:04pm

I’m glad I’m not the only one here with this concern! I too am stuck with my entire organization using the Resilio semi-abandonware, mainly because we absolutely must have untrusted (encrypted) node support. I’d be more than willing to pay/donate to get untrusted nodes up in Syncthing, but in the meantime will check out the posted options.

Thanks OP for (continuing) to raise awareness. There are dozens of us. Dozens!

AudriusButkevicius · July 8, 2019, 11:36pm

There is a bounty on it

EVsAREfaster · December 5, 2019, 5:10pm

I eagerly want this as well. Hence I’m putting mas dinero into this. Bounty is over $4,000! I’d recommend any amount to keep awareness on this. It’s difficult to do it right, so money hopefully encourages a smart dev to work on this.

https://www.bountysource.com/issues/1474343-support-for-file-encryption-e-g-non-trusted-servers

Catfriend1 · December 6, 2019, 8:25am

Yehaaaaa: https://github.com/syncthing/syncthing/pull/6214

@calmh made a nice draft. It’s still at an early stage, I guess. I wonder how one would read the encrypted data from the encrypted device in case the source would be no longer available. Just curious:-)

calmh · December 6, 2019, 10:35am

Yeah, all data is there in the folder, including the (encrypted) file metadata tagged on to the (encrypted) file, so the idea in the long term is that you could say for example syncthing --decrypt-folder ~/mystuff --password "the password I didn't forget".

EVsAREfaster · March 6, 2020, 9:22am

Bounty has hit $4500!

tzarta · March 12, 2020, 3:44pm

So, what about them? Can anoyone provide us with an update.

Recently shifted from Resilio Sync, this (ans Selective Sync) are the only features I miss

calmh · March 12, 2020, 3:50pm

There is an implementation, which is mostly technically sound and done, but needs some UI work to drive home. I’ve been busy on other things, but it’s coming.

tzarta · March 12, 2020, 3:55pm

Great news. So if I would merge that pull request and compile syncthing locally, that would work

calmh · March 12, 2020, 4:06pm

Assuming you figure out how to configure it, it should.

tzarta · March 16, 2020, 7:03pm

I did figure out how to, it seemed to work pretty well - at first.

But there is one caveat: I assume that Syncthing stores the filename in an encrypted “blob”, which is then sent to the encrypted node. Well, that works pretty good on UNIX-systems, such as my MacBook, but if there is a Windows node in play, it send the path with their respective path seperator - the “\”. And that’s the point when there will be a lot of folders named “folder\subfolder” showing up on your mac.

At least that is what I think is going on - might be something else. Only thing I know from the user perspective is that these folders (all 0-sized) are starting to show up after enabling the feature.

Details:

Code used: The latest encryption branch from your repo(https://github.com/calmh/syncthing/tree/encryption)
macOS used: catalina (the files are showing up here)
Windows used: Windows 10, latest build

But thanks for your efforts, I appreciate it

calmh · March 16, 2020, 7:05pm

Can you clarify the topology and which devices are encrypted or not?

Oh, I just realized what might be going on. Yeah, the metadata encryption might be before the slash normalization, so Windows style paths “leak” out over the wire, which shouldn’t happen.

tzarta2 · March 16, 2020, 7:36pm

(I am tzarta, but since that is a new account, I cannot post more than 3 posts, so I created a new one)

Topology: MacBook <-> Linux NAS <-> Windows The Mac and the PC are also connected, all connections to the NAS are encrypted via the encryptionPassword option, same password on each device.

If you need logs, just ask.

Thanks for the quick response

calmh · March 16, 2020, 7:59pm

Thanks, no logs required for now.

(I upgraded your other account so you’ll suffer less limits.)

EVsAREfaster · April 22, 2020, 3:23pm

Bounty has hit $5,000 for encrypted untrusted nodes functionality.