Title: Port of the Week: Presenting Syncthing
Author: Solène
Date: 04 October 2023
Tags: syncthing privacy security networking
Description: In this article, I will share about the very good
synchronization software Syncthing and present its features
# Introduction
Today's "port of the week" article is featuring Syncthing, a file
synchronization software.
(HTM) Syncthing official project website
Related blog posts:
(HTM) Blog post about the complementary Relay server
(HTM) Blog post about the complementary discovery server
# Quick intro
As stated earlier, Syncthing is a network daemon that synchronize files
between computers/phones. Each Syncthing instance must know the other
instance ID to trust them and find them over the network. The transfer
are encrypted and efficient, the storage itself can be encrypted.
Some Syncthing vocabulary:
* a folder: a local directory that is shared with a remote device,
* a remote device: a remote computer running Syncthing, each of them
have a unique ID and a user-defined name, you can choose which shared
folders you want to synchronize with them
* an item: this word appears when syncing two remotes, an item can be
either a directory or a file that isn't synchronized yet
* a discovery server: a server which helps remotes finding known
remotes over the Internet, or in the worst case scenario, relays data
from a remote to another if they can't communicate directly
# Interesting features
I gathered a list of interesting features that you may find interesting
in Syncthing.
## Security: authentication and encryption
When you need to add a new remote, you need to add the remote's ID on a
Syncthing and trust that one on the remote one. The ID is a human
representation of the Syncthing instance certificate fingerprint. When
you exchange ID, you are basically asked to review each certificate and
allow each instance to trust the other.
All network transfers occurring between two Syncthing are encrypted
using TLS, as the remote certificate can be checked, the incoming data
integrity can be verified and authenticated.
(HTM) Syncthing official documentation about security principles in the software
## Relaying
I guess this is Syncthing killer feature. Connecting two remotes is
very easy and file transfer between them can bypass firewalls and NATs.
This works because the Syncthing offers a default discovery server
which has two purposes:
* if the two servers could potentially communicate to each other but
are behind NATs, it does what we call "hole punching" to establish a
connection between the two remotes and allow them to transfer directly
from one to the other
* if the two servers can't communicate to each other, the discovery
server acts as a relay for the data
The file transfer is still encrypted, but having a third party server
involved may rise privacy issues, and security risks if a vulnerability
can be exploited.
My next blog post will show how to self-host your own Syncthing relay,
for better privacy and even more complicated setups!
Note that the discovery server or the relaying can be disabled! You
could also build a mesh VPN and run Syncthing on each node without
using any relay or discovery server.
## Built-in file versioning
This may be my preferred feature in Syncthing!
On a given Syncthing instance, you can enable per shared folder a
retention policy, aka file versioning in the interface.
Basically, if a file is modified / removed in the share by a remote,
the local instance can keep a hidden copy for a while.
There are different versioning modes, from a simple "trash bin" style
keeping the files for n days, or more elaborated policies like you
could have in backup tools.
(HTM) Syncthing official documentation about file versioning
## Partial share synchronization
For each share, it's possible to write an exclusion filter, this allows
you to either discard sync changes for some pattern (like excluding vim
swap files) or entire directories if you don't want to retrieve all the
shared folder.
The filter works in both way, if you accept a remote, you could write a
filter before starting the synchronization and remove some huge
directories you may not want locally. But this could also allow
preventing a directory to be sent to the remotes, like a temporary
directory for instance.
This is a topic I covered with a very specific use case, only sync a
single file in a directory.
(HTM) Earlier blog post: Configure Syncthing to sync a single file
## Encrypted remotes
A pretty cool feature I found recently was the support for encrypted
shared folders per remote. I'm using syncthing to keep my KeepassXC
databases synchronized between my computers.
As I don't always have at least two of my computers turned ON at the
same time, they can't always synchronize directly with each other, so I
use a remote dedicated server as a buffer to hold the files, Syncthing
encryption is activated for this remote, both my computers can exchange
data with it, but on the server itself you can't get my KeepassXC
databases.
This is also pretty cool as it doesn't leave any readable data on the
storage drive if you use 3rd party systems.
Taking the opportunity here, KeepassXC has a cool feature that allows
you to add a binary file as a key in addition to a password / FIDO key.
If this binary file isn't part of the synchronized directory, even
someone who could access your KeepassXC database and steal your
password shouldn't be able to use it.
## Data chunk based
When Syncthing scans a directory, it will hash all the file into chunks
and synchronize all these chunks to other remotes, this is basically
how BitTorrent work too.
This may sound boring, but basically, this allows Syncthing to move or
rename files on a remote instead of transferring the data again when
you rename / move files in a local shared directory. Indeed, only the
changed paths list is sent, and the chunks used in the files, as the
files already exist on the remote, the data chunks don't have to be
retrieved.
Note that this doesn't work for encrypted remotes as the chunks contain
some path information, once encrypted, the same file with different
paths will look as two different encrypted chunks.
## Bandwidth control
Syncthing GUI allows you to define inbound or outbound bandwidth
limitation, either globally or per remote. If like me, you have a slow
ADSL line with slow upload, you may want to limit the bandwidth used to
send data to set the non-local remotes.
## Support for all attributes synchronization
This may sound more niche, but it's important for some users: Syncthing
can synchronize file permissions, ownership or even extended
attributes. This is not enabled by default as Syncthing requires
elevated privileges (typically running as root) to make it work.
## Runs everywhere
Syncthing is a Go program, it's a small binary with no dependencies,
it's quite portable and runs on Linux, all the BSD, Android, Windows,
macOS etc... There is nothing worse than a synchronization utility
that can't be installed on a specific computer...
# Conclusion
I really love this software, especially since I figured the file
versioning and the encrypted remotes, now I don't fear conflicts or
lost files anymore when syncing my files between computers.
My computers also use a local discovery server that allows my Qubes OS
to be kept in sync together over the LAN.
# Note for SystemD users
When you install Syncthing on your system, you can enable the service
as your user, this will make Syncthing start properly when you log in
with your user:
```
systemctl enable --user syncthing.service
```
# Note for OpenBSD users
Syncthing has to listen for each file change, you will need to increase
the maximum opened files limit for your user, and maybe the limit in
the kernel using the according sysctl.
You can find more detailed information about using Syncthing on OpenBSD
in the file `/usr/local/share/doc/pkg-readmes/syncthing`.