WEDC Team

Building Multi-Device Encrypted File Sync with Syncthing

Syncthing keeps files synchronized across all your devices — laptop, phone, home server, cloud VM — without any data transiting a third-party server. Setup takes under 20 minutes.

What Syncthing Does (and Does Not Do)

Syncthing is an open-source, decentralized file synchronization tool. It:

  • Keeps one or more folders synchronized between any number of devices.
  • Encrypts all data in transit with TLS (mutual authentication via device certificates).
  • Stores data only on your own devices — no cloud server is ever involved.
  • Works across LAN, cellular, and the public internet automatically.

It is not a backup tool — if you delete a file on one device, it deletes everywhere. Use it alongside a separate backup solution (restic, Borg).


Core Concepts

Device ID: A 26-character identifier derived from each device's TLS certificate. Devices authenticate each other by ID — no central authority.

Folder: A directory you choose to share. You configure which other device IDs can access each folder.

Discovery: Syncthing uses both a global discovery server and local LAN broadcast. For private setups, you can disable global discovery and run your own relay/discovery servers.


Installation

Linux (server / home lab)

# Debian/Ubuntu — official repo
# The published release-key.gpg is saved directly as the keyring (no dearmor step); -f makes curl fail on HTTP errors
sudo curl -fsSL -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg
echo "deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
sudo apt update && sudo apt install -y syncthing

Run as a systemd service:

# $(whoami) is expanded by your own shell, so the service runs as your user, not as root
sudo systemctl enable --now "syncthing@$(whoami)"

The web UI is available at http://127.0.0.1:8384.

Docker

services:
  syncthing:
    image: syncthing/syncthing:latest
    restart: unless-stopped
    environment:
      PUID: "1000"
      PGID: "1000"
    volumes:
      - ./syncthing-config:/var/syncthing
      - /home/user/Sync:/data/Sync     # folder to sync
    ports:
      - "127.0.0.1:8384:8384"   # web UI, published on loopback only
      - "22000:22000" # sync protocol TCP
      - "22000:22000/udp"
      - "21027:21027/udp"  # discovery

Android / iOS

Download the official Syncthing app from the Play Store or F-Droid (Android) or from the App Store (iOS, "Möbius Sync" wrapper). Add your server's device ID to pair.


Adding Devices

  • Open the web UI on your home server: http://localhost:8384
  • Navigate to Add Remote Device
  • Paste the Device ID from your laptop or phone (found in its Syncthing settings under "Device ID")
  • Give it a name and confirm on both devices when the pairing prompt appears.

Sharing a Folder

  • On the server UI, click Add Folder
  • Set the path: /data/Sync
  • Under Sharing, tick the devices you want to share this folder with
  • Accept the share request on each remote device

Within seconds (on LAN) or minutes (over internet), files start syncing.


Securing the Web UI

By default, the web UI has no authentication. Fix this immediately:

  • Go to Actions → Settings → GUI
  • Set a strong username and password
  • Enable TLS for the GUI (generates a self-signed cert, or point to your CA)
  • For remote access to the GUI, put it behind your web gateway:

# Caddyfile syntax
syncthing.yourdomain.com {
  reverse_proxy localhost:8384 {
    # Syncthing rejects unexpected Host headers on a loopback listener
    header_up Host {upstream_hostport}
  }
  basicauth {
    username $2a$14$...   # bcrypt hash
  }
}
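To confirm the GUI settings above actually took effect, the following added example (not part of the original article or of Syncthing itself) audits the `<gui>` element of a Syncthing `config.xml`. The function name `audit_gui` and the sample config are constructed for illustration; it assumes static username/password authentication and a TCP listen address.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Syncthing's config.xml (all values made up).
SAMPLE_CONFIG = """<configuration>
  <folder id="sync" label="Sync" path="/data/Sync" type="sendreceive"/>
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
    <apikey>constructed-example-key</apikey>
  </gui>
</configuration>"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def audit_gui(config_xml: str) -> list[str]:
    """Return one finding per GUI setting that this section says to fix."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return []  # GUI absent or disabled: nothing to expose
    findings = []
    # Syncthing stores the GUI user and a bcrypt hash of the password here.
    has_user = bool((gui.findtext("user") or "").strip())
    has_password = bool((gui.findtext("password") or "").strip())
    if not (has_user and has_password):
        findings.append("no-auth: GUI has no username and password set")
    if gui.get("tls", "false") != "true":
        findings.append("no-tls: GUI is served over plain HTTP")
    address = (gui.findtext("address") or "").strip()
    host = address.rsplit(":", 1)[0]  # "" means all interfaces
    if host not in LOOPBACK_HOSTS:
        findings.append(f"exposed: GUI listens on {address!r}, not loopback only")
    return findings


if __name__ == "__main__":
    for finding in audit_gui(SAMPLE_CONFIG):
        print(finding)
```

Pass it the contents of your own `config.xml`; an empty list means all three checks passed.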
    

Advanced: Untrusted (Encrypted) Folders

Syncthing 1.18+ supports encrypted folders. The encrypting device holds the real data; the storage device holds only encrypted blobs and cannot read the content — useful for syncing to a cloud VM or a friend's server without trusting them with your data.

Folder type on storage device: Receive Encrypted
Encryption password: set on the sharing device

This turns an untrusted VPS into a reliable off-site sync point for your most sensitive files.


Practical Use Cases

Scenario             Folder        Devices
Developer dotfiles   ~/.config     Laptop, work laptop, home server
Photo library        ~/Photos      Phone, NAS, backup VPS
Project notes        ~/Notes       All devices + encrypted cloud relay
Shared team docs     /srv/shared   All team members' machines

Conclusion

Syncthing provides Dropbox-class convenience with zero cloud dependency. Once running, it requires almost no maintenance — devices come online and sync automatically. Combined with Vaultwarden for credential management and restic for backups, you have a complete, privacy-preserving personal cloud stack.

WEDC members get a ready-made Docker Compose stack combining Syncthing, Vaultwarden, and Caddy with pre-configured TLS and systemd service files — deployable in a single docker compose up -d.
