It is also possible to run and connect to other syncthing devices through SOCKS5 proxies. To relay actual traffic (syncing files) you can setup a syncthing relay-server or use existing servers. To allow for synchronization outside of the local network, its is possible to set up global device search through a discovery server. Devices that have been “introduced by Device-ID” authenticate to each other to allow index comparison and possible updates. Once a device comes online it broadcasts a discovery announcement package on the local network (multicast on ipv6). You can add other devices by specific ID. It is typically installed as a service on every device. All traffic between devices is encrypted with TLS1.2. Syncthing is a tool that allows you to share and synchronize files with multiple devices that form a cluster. Make sure you never share the key with the container! Syncthing Admins can be given this key instead or in addition to the master password. As of today, keepass containers can be encrypted with a (single) key.
Syncthing introducer password#
Aside of the client choice we run a pretty “standard” container with a single master password known to all admins. Debian and Ubuntu offer official packages for keepass2, MacOS users can use keepassX, a port also available for Debian/Ubuntu. We quickly figured that we’d have to use a keepass2-compatible container to allow usage on all required OSs. Keepass is an encrypted database for storing sensitive information like user/password-credentials and notes. We came up with a solution involving a keepass2 password container and Syncthing, a decentralized file sync framework.
Syncthing introducer windows#
run on Linux, MacOS and probably Windows.decentralized sharing (no single point of failure).We evaluated multiple tools under certain criteria:
Syncthing introducer update#
Since those passwords would have to be known to 7 people, we had to find a way to share them without the need to manually update everytime someone provided or changed any data. Therefore we decided we could improve our security by replacing the default credentials with strong passwords that won’t be reused. Sometimes it can also come in handy to have a user/password fallback in case you can’t access the machine with your ssh keys. Sadly it’s impossible to use key-authentication for all devices and some appliances don’t allow for creation of multiple personalized accounts with admin rights. Although we were already using ssh-key-authentication for all our linux-servers, we still had some devices and assets lying around, that were (only) accessible with the vendor-assigned default credentials.
We found we were missing certain security requirements. At synyx we constantly try to improve the quality of the work of the Operations team.