DEV Community

Cover image for Considering Syncthing at work
TaiKedz
TaiKedz

Posted on

Considering Syncthing at work

Header image (C) Tai Kedzierski

We had a need at work to pass large files around, to colleagues who could not get onto the VPN. It was company data, so spinning up an instance on a cloud provider was not an option. We needed something that would either go through company servers, or a peer-to-peer encrypted transfer. Enter: Syncthing.

Syncthing uses end-to-end encryption to send files directly to other devices. If two devices are on the same network, the instances communicate directly with eachother. If not, they send traffic, encrypted, via a relay server (akin to a router).

This solution can be useful for sending large files between workstations, when other means are unavailable.

Of course, the Internet is vast, and the bits and bytes need to make a few hops before they can reach destination. It's also an external solution, so your company might have questions it would want to ask before greenlighting it.

Here is my reasoning that allows me to say, "hey, under these conditions, this solution is trustable."

Security considerations

Trustability of Solution

Syncthing claims to be secure and E2E encrypted. The solution is well-known and several years old ; it is reasonable to presume it has attracted sufficient scrutiny from the security community and nothing has been flagged as troublesome/buggy that still exists from a security standpoint.

For most purposes, including corporate use, I would tend to be satisfied with the general status of this tool.

I would not use it in a highly sensitive environment without further scrutiny, and proper approval channels.

Trustability of Build

Use of syncthing in sensitive environments may need to consider how to determine whether the build of the syncthing binary is untampered with.

Installing from a well-known distro's default repositories provides a usually suitable level of assurance that it will abide by its security claims, and that the implementation is pristine (within the scope of the distro repo's practises).

I would assert that any of the mirrors for Debian, Ubuntu, Fedora, RHEL and SuSE are suitable in this regard.

Trustability of Relay

If two syncthing instances are on the same network, they will transfer data between eachother directly, without a third-party. If the two instances are on different networks, they will make use of a publicly hosted relay machine.

All content being E2E encrypted, this should not be an issue whatsoever for security. This does depend on the installed copy being clean, and the caveat in "Trustability of Solution" stands.

Beyond that, the relay acts much like a router - packets pass through it, fully encrypted.

Installation

(On Windows, use WSL with any of Ubuntu recent LTS, Fedora recent, openSUSE LTS, Debian recent...)

The Syncthing team provide their own APT repository - instructions for adding it are on their own website: https://apt.syncthing.net/

Do NOT use user-contributed repositories:

  • ppa - there isn't an official one, use the above APT instructions
  • snap/flatpak sources - don't do it
  • docker images - don't do it
  • third-party repositories - don't do it
  • Arch AUR is to be rejected outright for any privacy/security-related solution
sudo apt-get update && sudo apt-get install syncthing -y
# Run it in the background
syncthing > syncthing.log 2>syncthing-errors.log &
Enter fullscreen mode Exit fullscreen mode

Syncthing will open a browser to your http://localhost:8384

Add a device by going to the bottom right section and "add device"

Device (example): A24RVJV-RCBOM6L-6PRUIEX-YRDRD6C-LWFFS7C-3Q2XN8G-IC5ZFWG-R2WBCQ2

You can get the ID of your own device by going to top right menu: Actions : Show ID. This ID can be shared with others. This allows a device to be recognised by a peer.

The operator of a device can then choose to share a specific folder with another device it has recognised and registered, it will send a share request to that device. The device receiving the share request must confirm the share.

With this share established, the workstation operators can use the defined sync folder to synchronise the data

Top comments (1)

Collapse
 
moopet profile image
Ben Sinclair

Because paranoia, I use syncthing but have an encrypted "secrets" directory, so that if someone gets access to any of my devices running syncthing they'll still not be able to do anything with newly synced data.