I'm here from Lawrence Systems and I have been a long-time user of Syncthing. Picture it very similar to Dropbox, where it does file synchronization, but it's open source. It is a well-documented protocol. The Syncthing team has done a great job of that, and it's free. So this has been a solution I've used in a lot of different scenarios and helped out a lot of customers who go, "You know, I really need these servers at different locations to synchronize this pool of data," or even desktops or laptops or really any device that you need file synchronization in real time, along with revision and everything else. I'll leave links to the videos I've done previously on Syncthing. It has improved since I've done those videos, so anything that may be missing get the read through the errata, but this is a particular feature that's new that I wanted to cover that is really cool, and that is an ability to add untrusted nodes.

So essentially what we're going to talk about here is the ability to synchronize multiple devices just like you always go to Syncthing, but also allow, for example, this node and this node to have talked to a cloud node in between. Now the problem with putting Syncthing in the cloud, of course, is I don't trust that cloud provider or this cloud provider. That's a good, fair assessment, because what if someone gets access to that? Well, they would obviously have access to all the files with the previous version of Syncthing. This new update, and that is going to be your prerequisite, is make sure we're on the right version, because it doesn't show up until later versions, and this whole demo is going to be done with version 1.17.0. And with that version, it allows us to add untrusted nodes such as this cloud demo we're doing now. Granted, this one's not in the cloud, it's all in my lab, it's just on a different network, but the concept is the same. But we have the data actively here and then we have the data here in an encrypted form.
Now, Syncthing has always encrypted the transport layer, so the data stream between each node has always been encrypted, but the data at rest could not be encrypted because, well, then it would only sync encrypted data. So the solution sometimes might be to pre-encrypt the data and synchronize the encrypted data across, but that has its own level of inconvenience on there because now you have to go and unencrypt the data at each point. This way we can have unencrypted data here, unencrypted data here when it's live (so always recommend encrypting data at rest), but this node is unaware of the data in terms of anything more than it's passing through. It can see the data, and we'll show you what it looks like, but it's all scrambled, because the password we use to encrypt it, the cipher we're going to use, the cipher built in here, plus the password system that they devised for this, allows it to become blind to the data, including the folder structure, file name. So it's not just encrypting the contents of the data but all the metadata. The only piece of information that is somewhat known by the untrusted node is going to be the size of the data. At some point you can't really hide the fact that, well, if I have 10 gigs of data, even if I encrypt it, it's still 10 gigs of blob data at that point this node will be blind to. But either way, this is a really important step towards being able to build out an untrusted node, be able to synchronize with other people, and never have to worry about this node becoming compromised. So that's the whole purpose of this video, to show you how to set that up.

Before we dive into the details of this video, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you want to support this channel in other ways, there's plenty of affiliate links down below to get you deals and discounts on products and services we talk about on this channel. Now, Syncthing can't get you a
deal on because it's already free, so all you gotta do is head over to syncthing.net to download it, and that's where we're going to start, assuming that you've already installed Syncthing and you are at least running the same version as I am to make this work, because this was not available in older versions.

Now, just to reiterate what I said before, data is encrypted before sending. This is an important distinction: anytime you're doing something where you want to not trust the node on the other end, you want to encrypt at the endpoint, so that is what's going to be occurring here. So we will cover how we set that up. And the transport layer, there's nothing different we need to do, because as I stated before, Syncthing has already always encrypted the transport. So it's better, of course, to always run something behind a VPN in case there's ever a problem, because that way you have one more layer of encryption, but if you don't run it behind a VPN and you just want to send the protocol over the internet, as I stated, it is encrypted, so that is an option for you. But more security is always better; it all depends on the complexity of the setup.

As I said, we are version 1.17.0 running on Linux. Do not do this: sometimes when I'm doing this you may see an error that this is running as root. Don't run this as root. I did it for the demo because I wanted to build a couple of VMs real quick for this, so I didn't bother setting up a separate user for Syncthing, but that's out of scope for this video. I just want to get those things out of the way in case you see those errors come up where it says this shouldn't be run as root, because you shouldn't.

Now, untrusted and trusted. So here's the Tom Syncthing, and I actually am actively using this. We sync all the graphics, videos, business documents. This has been covered in a few other videos; I'll leave links below for my usage for Syncthing, and it's been a great tool. And we're going to add one more node to this, and the
first node we're going to add is the untrusted one. So we're going to go here to Advanced, and you can implicitly say where you want the node to be, or where the node is, I should say. You can use dynamic, as in it changes, but for purposes of the video and expediency we're just going to put in the address for each one. You could put in a fully qualified domain name; there's different methods of doing this, but like I said, we're just going to be using this for expediency. And we're going to check the Untrusted box under Advanced, and we're going to go back over to General. I'm going to go to our untrusted device here and go to Actions, and we want to show the ID of the untrusted device. Copy (the QR code is because, yes, Syncthing does work as a phone app as well), go back over here, there's a device name, device ID, and then we give it a device name: "Do Not Trust This Node". There we go, pretty simple. Advanced, nothing big here, just basic; we're going to set it up and get it connected. Unused.

Now, we don't have a folder I want to share yet. I mean, I could share all my business documents with that, that's easily possible. We're going to build a separate folder called "The Data to Encrypt". There's the data to encrypt, and actually I have an untrusted testing folder where I threw a little bit of data in here already, and here's that folder with all the random data. I just have some silly little things in here: some test data, some YouTube templates, just a few graphics. You can see all the file names, everything else on this computer right here. Different folders, for example my business docs, my graphics, my studio, all have to have a different folder ID from here, and we could even name it ourselves if we wanted to: "test data", simple enough. If you want to give it its own name, as long as the name is unique to this system, you're good.

All right, Sharing. We want to share this with "Do Not Trust This Node", and we're going to give it a password: password123. Now the level of encryption, how hard this is to crack, is going to be
highly dependent on this password, so I recommend something way better than password123. Some type of, you know, randomly generated gibberish would probably be much better, where you have a really high entropy level of encryption, because if someone wanted to just work away at it, well, if it's password123 it's going to get guessed fast. But nonetheless, we're just going to use this for simplicity, so we put password123. So here's the folder we're creating, here's the location of the data, and we're sharing it with the "Do Not Trust This Node", and hit Save. So "The Data to Encrypt", it's not encrypted on this machine. "Do Not Trust This Node", it's disconnected right now because we did not finish the add, so we'll hit OK.

We're going to go ahead, Add Device. The way Syncthing does it is there's a node that you want to add and there's a back and forth that has to be accepted. First we put in the address of it and the device ID, and then it talks to that device ID we put in, and then it asks whether you want to actually accept this connection. It is a method of logging into both systems, so you can't just add a node; you have to both go back and forth, those nodes agree to talk to each other. Important distinction on there, in case you're wondering if anyone can just randomly add a node that has a public-facing IP: they cannot. You may get requests for the add, but you still have to accept those adds. So we'll go ahead and hit Save. It'll take a second; there is a pause from the time you do this to when it resynchronizes. As a matter of fact, we can just go here and restart, so it'll speed it up a little bit. Try to do this as much as we can in real time. Hey, there we go, now it sees the folder. If you wait a minute it will see it, and it wants to call it /root/The Data to Encrypt. Fair enough, we can use that name. As I said, we're running as root, don't do that. Sharing, doesn't matter. Versioning, don't bother, because with the untrusted node, if you do any file versioning, you can't see the file
name, so you don't know what you're versioning, so this node stores everything in a single version. That's a cool feature Syncthing has, to have the revision history of things, but we can do that with the unencrypted nodes; you just don't do it with these. So for now they've left it in here, so it has the option, but like I said, it's not particularly useful, and we'll just hit Save. Now we've got this node here and this node here, and once again I'm just going to restart it real quick because it'll get it going faster. Same thing here, restart, and here we go. Yeah, it's going to give me the privileged account error, and it's synchronized all the data, and I mean all the data looks like this.

So here, let's go ahead and close that and switch over to the terminal and take a closer look. So if we look at the directory here, there's all the file names we can see in what we called "The Data to Encrypt". Not any folders exist in here in the unencrypted, but the way Syncthing handles the encryption is by going through and encrypting all of the folder names, well, all the file names, into a series of folders. This is one more piece of metadata that they're obscuring. So if we make a directory, and then, what else should we do, vim s.txt, "data data data", go back over here, and, yep, it added another folder, but it did not tell me that. There's still only one folder, but for each of these there's just another subfolder created, but it does not give you any hint that test day one two three was created.

Let's dive a little bit deeper here and let's modify a file. Let's modify test.txt, "some more test data", and then we write that file out, and if we look back over here and we go through Recent Changes: "unknown file". All it tells me is something got updated. Oh, there's that file, it took a second, now it's updated this one. So let's actually go in the folder and see what this looks like. So go here, and there's that test file, and we can see, like I said, one piece of information we have is that it's small,
but that's it. So if we were to look at that file, it's just gibberish. There's nothing in here to really indicate anything about the file so as to extract any knowledge or data from it; it's just all gibberish here, which is exactly what you want. So the untrusted node is blind to it.

Now, to finish this demo, let's add another node that's trusted. This way we've encrypted it here; we want this to talk to this, but not directly, because let's say they're behind two spots and we want them to talk to this common untrusted node but then have unencrypted communication with it. All right, let's go back over here then, and this is a trusted Syncthing versus our untrusted one, so this is just a separate system I set up. Same thing, we're going to implicitly tell it to connect to the untrusted node. Go back over to General, Actions, Show ID, copy, paste, "Do Not Trust This Node", there we go. We can check the Untrusted box. It doesn't really matter, because you'll see in the next step it doesn't matter as much on this side, because it's already an untrusted node and declared that way, and there's nothing to share with it because we want to be on the receiving end, so we don't need to do anything on this other than talk to this device. So there we go. Just to speed things up, we'll do Actions, Restart.

All right, the device "Trusted Syncthing" wants to talk, so let's go ahead and hit Add Device. Device name "Trusted Syncthing", sounds good, hit Save. All right, now we need to share this folder. This is that encrypted folder on this system, but the goal is to get it talking to the other system and allow for the decryption. So let's go over here, and in order to get the folder to share we're going to click Edit. Let's go to Sharing, and the data here is encrypted, so there's nothing we have to do other than share this folder. So let's go ahead and save, and it's going to share it with our trusted device over here, and the trusted device is now going to get a prompt from the untrusted device that it would like to share a
folder. This is the part where the password needs to be saved. We can't put the password in over here or defeat the purpose of the untrusted Syncthing; you want to only ever have the password on each node where the decryption is occurring. So now we can go here, if untrusted, was the password, password123. So make sure I type that right. Cool. This is the "Do Not Trust This Node", it's sharing a file with us, and it's called password123, that's the decryption key.

Now this particular node, which for our diagram is this one right here, I can create a file on my computer and our trusted node over here can see it, but our untrusted node in between cannot. So let's go ahead, one more time, make sure it's up to date. This is our trusted one, Recent Changes, and of course it can see all the different files. Let's go back over to the command prompt, and if we go over here we see we have a folder called "The Data to Encrypt". "Editing from the other trusted node", so there we've edited the test.txt file, easy enough. And if we look, there's going to be some changes; it'll take a second to synchronize. Let's actually go here, what are the recent changes: "unknown file", modified. That's it, unknown file; it's as much data as we have over here. We look at Recent Changes here: test.txt was modified by this particular device. We even have the device history for each one, so this one's uncreatively named Tom's, being my computer. The file was modified last on this particular device. And so we go back over to the command prompt, and "editing from the other trusted node, some more data to test".

Now, I do talk a little bit, you can read through file conflict resolution; that is something that is dealt with, in case you're wondering, because I have both files open. There are methods to deal with it; it just goes out of scope of this video. Mostly I really wanted to cover setting up these untrusted nodes and being able to see that you can easily add now a cloud server to it. This is just a really great feature; I'm really excited
about this particular enhancement to Syncthing, because this has been a common hang-up when people go, "I'd really like to use it, but I don't want to put an intermediary cloud server in there," which would be really convenient but then really potentially risky if you have files that are more personal in nature and you want to keep them private and you're worried about the cloud server being attacked.

So I'll leave links to the Syncthing documentation. I don't think they have it fully updated with exactly how to do this; this is one of the reasons I made the video, because I want to get more people doing this. This is a fairly new feature, and in the documentation they do have a warning that it's considered beta, but things don't really get out of beta until more people use them, report any bugs or use case scenarios that were found that cause issues. That's one of the reasons I encourage you using it. Of course, you know, back up all your data, don't just trust the system, etc. It's, you know, still going through a vetting process.

So here's the documentation they have. I wanted to comment too on how they store the password. So this password itself is not hashed; it is still stored in your config.xml file. And let's go over here. So Syncthing, for each user under the home drive, stores .config/syncthing, then config.xml, and then here is that password. So there's that folder we named "test data", "The Data to Encrypt", where that location is, and here is the encryption password. So obviously it's really important, especially using a high-entropy password, to back this up, but this is where you would be able to access that information if you needed to. So you back up the config on each of the trusted nodes. The untrusted node doesn't have this information, so it can't decrypt it. So in the event that the untrusted node was compromised, this information is not there; this is only existing, this is how the pre-encryption occurs, within the trusted nodes. And of course they've got some of the other details about this, so you
can read through it, but like I said, I'm excited about this. It's a cool feature that I'm really excited they added to the system, and I'm definitely looking forward to testing with it and, you know, setting up a few extra nodes and seeing if there's any problems with it, reporting back. And this is something else to make me like Syncthing even more, and I'll leave links to all my other Syncthing videos. And in case I didn't mention earlier, yes, this supports Windows, Mac, Linux, BSD; lots of different platforms are supported. Syncthing's a great tool for all those different platforms, including running it on TrueNAS.

All right, thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
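
An added example, not part of the video and not Syncthing's own code: because the encryption password sits unhashed in config.xml on each trusted node, that file can be audited for weak passwords and for folders shared without a password to a device marked untrusted. The device IDs, paths, function names and the 80-bit threshold are assumptions made for illustration; the sample config is constructed and uses the `encryptionPassword` and `untrusted` elements of Syncthing's config.xml.

```python
import math
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ~/.config/syncthing/config.xml.
# Device IDs and paths are placeholders, not values from the video.
SAMPLE_CONFIG = """<configuration>
  <folder id="test-data" label="The Data to Encrypt" path="/root/the-data-to-encrypt">
    <device id="DEVICE-ID-TOMS-PC"><encryptionPassword></encryptionPassword></device>
    <device id="DEVICE-ID-CLOUD"><encryptionPassword>password123</encryptionPassword></device>
  </folder>
  <folder id="business-docs" label="Business Docs" path="/root/business-docs">
    <device id="DEVICE-ID-CLOUD"><encryptionPassword></encryptionPassword></device>
  </folder>
  <device id="DEVICE-ID-CLOUD" name="Do Not Trust This Node"><untrusted>true</untrusted></device>
  <device id="DEVICE-ID-TOMS-PC" name="Toms PC"><untrusted>false</untrusted></device>
</configuration>"""


def charset_bits(password):
    """Upper bound on entropy: length * log2(size of the character classes used).
    A dictionary-based password is far weaker than this number suggests."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in charset for c in password):
            pool += len(charset)
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(xml_text, min_bits=80):
    """Return (folder_id, device_id, issue) for every risky folder share."""
    root = ET.fromstring(xml_text)
    # Top-level <device> entries carry the per-device "untrusted" flag.
    untrusted = {d.get("id") for d in root.findall("device")
                 if d.findtext("untrusted", "false").strip() == "true"}
    findings = []
    for folder in root.findall("folder"):
        for share in folder.findall("device"):
            dev = share.get("id")
            password = share.findtext("encryptionPassword", "") or ""
            if password and charset_bits(password) < min_bits:
                findings.append((folder.get("id"), dev, "weak-password"))
            elif not password and dev in untrusted:
                findings.append((folder.get("id"), dev, "plaintext-to-untrusted"))
    return findings


def new_password():
    """24 random bytes (192 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("suggested password:", new_password())
```

The character-class estimate is only an upper bound, so treat a pass as "not obviously weak" rather than as proof of strength; a password from `new_password()` avoids the question.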