Configuring SyncThing Untrusted (Encrypted) Devices

Captions
Tom here from Lawrence Systems, and I have been a long-time user of Syncthing. Picture it very similar to Dropbox, where it does file synchronization, but it's open source, it is a well-documented protocol (the Syncthing team has done a great job of that), and it's free. So this has been a solution I've used in a lot of different scenarios, and I've helped out a lot of customers who go, "You know, I really need these servers at different locations to synchronize this pool of data," or even desktops or laptops, or really any device that you need file synchronization on in real time, along with revisions and everything else. I'll leave links to the videos I've done previously on Syncthing. It has improved since I've done those videos, so for anything that may be missing, read through the errata. But this is a particular feature that's new that I wanted to cover, that is really cool, and that is the ability to add untrusted nodes.

So essentially what we're going to talk about here is the ability to synchronize multiple devices, just like you always could with Syncthing, but also allow, for example, this node and this node to talk to a cloud node in between. Now the problem with putting Syncthing in the cloud, of course, is I don't trust that cloud provider or this cloud provider. That's a good, fair assessment, because what if someone gets access to that? Well, they would obviously have access to all the files with the previous version of Syncthing. This new update, and that is going to be a prerequisite, is make sure we're on the right version, because it doesn't show up until later versions, and this whole demo is going to be done with version 1.17.0. With that version it allows us to add untrusted nodes, such as this cloud demo we're doing now. Granted, this one's not in the cloud; it's all in my lab, it's just on a different network, but the concept is the same. We have the data actively here, and then we have the data here in an encrypted form.

Now Syncthing has always encrypted the transport layer, so the data stream between each node has always been encrypted, but the data at rest could not be encrypted, because, well, then it would only sync encrypted data. So the solution sometimes might be to pre-encrypt the data and synchronize the encrypted data across, but that has its own level of inconvenience, because now you have to go and unencrypt the data at each point. This way we can have unencrypted data here and unencrypted data here when it's live (so I always recommend encrypting data at rest), but this node is unaware of the data in terms of anything more than it's passing through. It can see the data, and we'll show you what it looks like, but it's all scrambled, because the password we used to encrypt it, the cipher we're going to use (the cipher built in here) plus the password system that they've devised for this, allows it to become blind to the data, including the folder structure and file names. So it's not just encrypting the contents of the data but all the metadata. The only piece of information that is somewhat known by the untrusted node is going to be the size of the data. At some point you can't really hide the fact that, well, if I have 10 gigs of data, even if I encrypt it, it's still 10 gigs of blob data that this node will be blind to. But either way, this is a really important step towards being able to build out an untrusted node, be able to synchronize with other people, and never have to worry about this node becoming compromised. So that's the whole purpose of this video: to show you how to set that up.

Before we dive into the details of this video, if you'd like to learn more about me and my company, head over to lawrences.com. If you'd like to hire us for a project, there's a "hire us" button right at the top. If you want to support this channel in other ways, there's plenty of affiliate links down below to get your deals and discounts on products and services we talk about on this channel. Now, Syncthing I can't get you a deal on, because it's already free, so all you gotta do is head over to syncthing.net to download it, and that's where we're gonna start, assuming that you've already installed Syncthing and you're already at least running the same version as I am to make this work, because this was not available in older versions.

Now, just to reiterate what I said before: data is encrypted before sending. This is an important distinction. Any time you're doing something where you want to not trust the node on the other end, you want to encrypt at the endpoint, so that is what's going to be occurring here, so we will cover how we set that up. And the transport layer, there's nothing different we need to do, because as I stated before, Syncthing has already always encrypted the transport. It's better, of course, to always run something behind a VPN in case there's ever a problem, because that way you have one more layer of encryption, but if you don't run it behind a VPN and you just want to send the protocol over the internet, as I stated it is encrypted, so that is an option for you. But more security is always better; it all depends on the complexity of the setup.

As I said, we are on version 1.17.0 running on Linux. Sometimes when I'm doing this you may see an error that this is running as root. Don't run this as root. I did it for the demo because I wanted to build a couple of VMs real quick for this, so I didn't bother setting up a separate user for Syncthing, but that's out of scope for this video. I just want to get those things out of the way in case you see those errors come up where it says this shouldn't be run as root, because you shouldn't.

Now, untrusted and trusted. So here's Tom's Syncthing, and I actually am actively using this, with all the graphics, videos, business documents. This has been covered in a few other videos; I'll leave links below for my usage of Syncthing, and it's been a great tool. We're going to add one more node to this, and the first node we're going to add is the untrusted one. So we're going to go ahead and go to Advanced, and you can explicitly say where you want the node to be, or where the node is, I should say. You can use dynamic, as in it changes, but for purposes of the video and expediency we're just going to put in the address for each one. You could put in a fully qualified domain name; there's different methods of doing this, but like I said, we're just going to be using this for expediency. And we're going to check the untrusted box under Advanced and bring it back over to General. I'm going to go to our untrusted device here and go to Actions, and we want to Show ID of the untrusted device. Copy. (The QR code is there because, yes, Syncthing does work as a phone app as well.) Go back over here: there's a device name and device ID, and then we give it a device name: "do not trust this node". There we go. Pretty simple. Advanced, nothing big here, just basic. We're going to set it up and get it connected.

Unused. Now we don't have a folder I want to share yet. I mean, I could share all my business documents with it; that's easily possible. We're going to build a separate folder called "the data to encrypt". There's the data to encrypt, and actually I have an untrusted testing folder where I threw a little bit of data in already, and here's that folder with all the random data. I just have some silly little things in here: some test data, some YouTube templates, just a few graphics. You can see all the file names and everything else on this computer right here. The different folders, for example my business docs, my graphics, my studio, all have to have a different folder ID from here, and we could even name it ourselves if we wanted to: "test data", simple enough. If you want to give it its own name, as long as the name is unique to this system, you're good. All right, Sharing: we want to share this with "do not trust this node", and we're going to give it a password, password123. Now the level of encryption, how hard this is to crack, is going to be highly dependent on this password, so I recommend something way better than password123. Some type of randomly generated gibberish would probably be much better, where you have a really high-entropy level of encryption, because if someone wanted to just work away at it, well, if it's password123 it's going to get guessed fast. But nonetheless, we're just going to use this for simplicity, so we put password123. So here's the folder we're creating, here's the location of the data, and we're sharing it with "do not trust this node", and hit Save. So "the data to encrypt", but it's not encrypted on this machine. "Do not trust this node" is disconnected right now because we did not finish the add, so we'll hit OK.

We're going to go ahead and add the device. The way Syncthing does it is there's a node that you want to add, and there's a back and forth that has to be accepted. First we put in the address of it and the device ID, and then it talks to that device ID we put in, and then it asks, do you want to actually accept this connection? It is a method of logging into both systems, so you can't just add a node; you have to go back and forth, and those nodes agree to talk to each other. Important distinction there, in case you're wondering if anyone can just randomly add a node that has a public-facing IP: they cannot. You may get requests for the add, but you still have to accept those adds. So we'll go ahead and hit Save. It'll take a second; there is a pause from the time you do this to when it re-synchronizes. As a matter of fact, we can just go here and restart, so it'll speed it up a little bit. I'm trying to do this as much as we can in real time. Hey, there we go, now it sees the folder. If you wait a minute it will see it, and it wants to call it root "the data to encrypt". Fair enough, we can use that name. (As I said, we're running it as root; don't do that.) Sharing doesn't matter. Versioning: don't bother, because with the untrusted node, if you do any file versioning, you can't see the file name, so you don't know what you're versioning, so this node stores everything in a single version. That's a cool feature Syncthing has, to have the revision history of things, but we can do that with the unencrypted nodes; you just don't do it with these. So for now they've left it in here so it has the option, but like I said it's not particularly useful, and we'll just hit Save.

Now we've got this node here and this node here, and once again I'm just going to restart it real quick because it'll get it going faster. Same thing here: Restart. And here we go. Yeah, it's going to give me the privileged account error, and it synchronized all the data, and I mean all the data looks like this. So here, let's go ahead and close that and switch over to the terminal and take a closer look. So if we look at the directory here, there's all the file names we can see, and what we called "the data to encrypt". No folders exist in here in the unencrypted one, but the way Syncthing handles the encryption is by going through and encrypting all of the folder names, well, all the file names, into a series of folders. This is one more piece of metadata that they're obscuring. So if we make a directory, and then, what else should we do, vim test.txt, "data data data". Go back over here, and yep, it added another folder, but it did not tell me that; there's still only one folder, but for each of these there's just another subfolder created, and it does not give you any hint that testdata123 was created. Let's dive a little bit deeper here and let's modify a file. Let's modify test.txt, "some more test data", and then we write that file out. And if we look back over here and we go through Recent Changes: "unknown file". All it tells me is something got updated. Oh, there's that file; it took a second, now it's updated this one. So let's actually go in the folder and see what this looks like. So go here, and there's that test file, and we can see, like I said, one piece of information we have is that it's small, but that's it. So if we were to look at that file, it's just gibberish; there's nothing in here to really indicate anything about the file so as to extract any knowledge or data from it. It's just all gibberish here, which is exactly what you want, so the untrusted node is blind to it.

Now, to finish this demo, let's add another node that's trusted. This way we've encrypted it here; we want this to talk to this, but not directly, because let's say they're behind two spots and we want them to talk to this common untrusted node but then have unencrypted communication with it. All right, let's go back over here then, and this is "trusted syncthing" versus our untrusted one. So this is just a separate system I set Syncthing up on. We're going to explicitly tell it to connect to the untrusted node. Go back over to General; Actions, Show ID, copy, paste: "do not trust this node". There we go. We can check the untrusted box; it doesn't really matter, because you'll see in the next step it doesn't matter as much on this side, because it's already an untrusted node and declared that way, and there's nothing to share with it because we want to be on the receiving end. So we don't need to do anything on this other than talk to this device. So there we go. Just to speed things up we'll do Actions, Restart. All right, the device "trusted syncthing" wants to talk, so let's go ahead and hit Add Device. Device name "trusted syncthing" sounds good; hit Save. All right, now we need to share this folder. This is that encrypted folder on this system, but the goal is to get it talking to the other system and allow for the decryption. So let's go over here, and in order to get the folder to share we're going to click Edit, let's go to Sharing, and the data here is encrypted, so there's nothing we have to do other than share this folder. So let's go ahead and Save, and it's going to share it with our trusted device over here, and the trusted device is now going to get a prompt from the untrusted device that it would like to share a folder. This is the part where the password needs to be saved. We can't put the password over here, or we'd defeat the purpose of the untrusted Syncthing; you want to only ever have the password on each node where the decryption is occurring. So now we can go here: if untrusted, the password was password123. So make sure I typed that right. Cool. This is "do not trust this node"; it's sharing a file with us, and password123, that's the decryption key.

Now this particular node, which for our diagram is this one right here: I can create a file on my computer, and our trusted node over here can see it, but our untrusted node in between cannot. So let's go ahead one more time and make sure it's up to date. This is our trusted one; Recent Changes, and of course it can see all the different files. Let's go back over to the command prompt, and if we go over here, we see we have a folder called "the data to encrypt". "Editing from the other trusted node": so there we've edited the test.txt file, easy enough, and if we look, there's going to be some changes; it'll take a second to synchronize. Let's actually go here: what are the Recent Changes? "Unknown file modified". That's it, unknown file; that's as much data as we have over here. We look at Recent Changes here: test.txt was modified by this particular device. We even have the device history for each one, so this one's uncreatively named "toms", being my computer. The file was modified last on this particular device, and so we go back over to the command prompt, and "editing from the other trusted node, some more data to test".

Now, I do talk a little bit, and you can read through, about file conflict resolution. That is something that is dealt with, in case you're wondering if I have both files open; there are methods to deal with it, it just goes out of scope of this video. Mostly I really wanted to cover setting up these untrusted nodes and being able to see that you can now easily add a cloud server to it. This is just a really great feature. I'm really excited about this particular enhancement to Syncthing, because this has been a common hang-up when people go, "I'd really like to use it, but I don't want to put an intermediary cloud server in there," which would be really convenient, but then really potentially risky if you have files that are more personal in nature and you want to keep them private, and you're worried about the cloud server being attacked.

So I'll leave links to the Syncthing documentation. I don't think they have it fully updated with exactly how to do this; this is one of the reasons I made the video, because I want to get more people doing this. This is a fairly new feature, and in the documentation they do have a warning that it's considered beta, but things don't really get out of beta until more people use them and report any bugs or use-case scenarios that were found that cause issues. That's one of the reasons I encourage using it. Of course, you know, back up all your data, don't just trust the system, etc. It's still going through a vetting process. So here's the documentation they have.

I wanted to comment too on how they store the password. So this password itself is not hashed; it is still stored in your config.xml file. Let's go over here. So Syncthing, for each user, under the home directory stores .config/syncthing, then config.xml, and then here is that password. So there's that folder we named "test data", "the data to encrypt", where that location is, and here is the encryption password. So it's obviously really important, especially when using a high-entropy password, to back this up, but this is where you would be able to access that information if you needed to. So you back up the config on each of the trusted nodes. The untrusted node doesn't have this information, so it can't decrypt it. So in the event that an untrusted node was compromised, this information is not there; this only exists, this is how the pre-encryption occurs, within the trusted nodes. And of course they give some of the other details about this, so you can read through it. But like I said, I'm excited about this; it's a cool feature that I'm really excited they added to the system, and I'm definitely looking forward to testing with it, setting up a few extra nodes, seeing if there's any problems with it, and reporting back. This is something else to make me like Syncthing even more. I'll leave links to all my other Syncthing videos, and in case I didn't mention earlier, yes, it supports Windows, Mac, Linux, BSD; lots of different platforms are supported. Syncthing's a great tool for all those different platforms, including running it on TrueNAS.

All right, thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrences.com and click on the "hire us" button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.laurensystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
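As an added example, not part of the video or of the Syncthing project, here is a small Python audit for the two points the video makes about the trusted side: the folder encryption password sits in plaintext in config.xml, and its strength is what the untrusted node's blindness rests on. The script parses a config.xml in the shape Syncthing writes (top-level device entries carrying the untrusted attribute, folder entries with a per-device encryptionPassword element), reports any folder shared with an untrusted device that has no password or a weak one, and checks whether the config file is readable by other local users. The sample config, its device IDs, paths and folder names, and the 64-bit threshold are constructed assumptions for the example.

```python
"""Audit a Syncthing config.xml for folders shared with untrusted devices (example code)."""
import math
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample in the shape of a Syncthing config.xml, trimmed to the elements
# the audit needs. Device IDs and paths are placeholders, not real Syncthing values.
SAMPLE_CONFIG = """<configuration version="35">
    <folder id="test-data" label="the data to encrypt" path="/root/the-data-to-encrypt" type="sendreceive">
        <device id="UNTRUSTED-DEVICE-ID-PLACEHOLDER" introducedBy="">
            <encryptionPassword>password123</encryptionPassword>
        </device>
    </folder>
    <folder id="business-docs" label="business docs" path="/root/business-docs" type="sendreceive">
        <device id="UNTRUSTED-DEVICE-ID-PLACEHOLDER" introducedBy="">
            <encryptionPassword></encryptionPassword>
        </device>
        <device id="TRUSTED-DEVICE-ID-PLACEHOLDER" introducedBy="">
            <encryptionPassword></encryptionPassword>
        </device>
    </folder>
    <device id="UNTRUSTED-DEVICE-ID-PLACEHOLDER" name="do not trust this node" untrusted="true">
        <address>tcp://192.0.2.10:22000</address>
    </device>
    <device id="TRUSTED-DEVICE-ID-PLACEHOLDER" name="trusted syncthing" untrusted="false">
        <address>dynamic</address>
    </device>
</configuration>
"""

MIN_BITS = 64.0  # assumed threshold: a password estimated below this is reported as weak


def estimated_bits(password: str) -> float:
    """Rough upper bound on password entropy: length * log2(size of the character pool used).
    This is generous (it treats 'password123' as random lower-case plus digits), so the
    threshold above is deliberately on the high side."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def audit_config(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (folder id, device name, issue) for every folder shared with a device marked
    untrusted whose encryptionPassword is missing or below MIN_BITS."""
    root = ET.fromstring(xml_text)
    # Map device id -> (display name, untrusted flag) from the top-level <device> entries.
    devices = {d.get("id"): (d.get("name") or d.get("id"), d.get("untrusted") == "true")
               for d in root.findall("device")}
    findings = []
    for folder in root.findall("folder"):
        for shared in folder.findall("device"):
            name, untrusted = devices.get(shared.get("id"), (shared.get("id"), False))
            if not untrusted:
                continue  # trusted peers receive plaintext; no password is expected there
            pw_el = shared.find("encryptionPassword")
            password = (pw_el.text or "") if pw_el is not None else ""
            if not password:
                findings.append((folder.get("id"), name,
                                 "shared with untrusted device but no encryptionPassword set"))
            elif estimated_bits(password) < MIN_BITS:
                findings.append((folder.get("id"), name,
                                 f"weak encryptionPassword (~{estimated_bits(password):.0f} bits)"))
    return findings


def config_exposed_to_others(path: str) -> bool:
    """True if group or other permission bits are set on the file. config.xml holds the
    folder password in plaintext, so it should be readable only by the Syncthing user."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def demo_permission_check() -> Tuple[bool, bool]:
    """Create a throwaway file, check it world-readable (0644) and then locked down (0600)."""
    fd, path = tempfile.mkstemp(prefix="config-", suffix=".xml")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        exposed = config_exposed_to_others(path)
        os.chmod(path, 0o600)
        locked = config_exposed_to_others(path)
    finally:
        os.unlink(path)
    return exposed, locked


if __name__ == "__main__":
    for folder_id, device, issue in audit_config(SAMPLE_CONFIG):
        print(f"{folder_id}: {issue} (shared with {device})")
    print("permission demo (0644 exposed, 0600 exposed):", demo_permission_check())
```

Point audit_config at the contents of ~/.config/syncthing/config.xml on each trusted node; the untrusted node's config never contains the password, so the same check there should return nothing.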
Info
Channel: Lawrence Systems
Views: 29,533
Keywords: LawrenceSystems
Id: hT373XZHNvk
Length: 20min 17sec (1217 seconds)
Published: Tue Jun 08 2021