Skip to content

File Encryption

FolderSync can encrypt your files during synchronization to protect sensitive data. This feature provides end-to-end encryption, meaning your files are encrypted before they leave your device and remain encrypted in cloud storage.

Key Features

  • Complete Encryption: Both file names and file contents are encrypted
  • Password-Only Decryption: Your encrypted files can be decrypted using only your password - no special keys or metadata files required
  • Cloud Storage Compatible: Works with all supported cloud providers (Google Drive, Dropbox, OneDrive, etc.)
  • Memory Efficient: Files are encrypted in streaming chunks, so even large files won't consume excessive memory

Important Requirements

Encryption only works with one-way sync

You must choose either:

  • Sync to the Right (encrypt files while sending files to right side)
  • Sync to the Left (decrypt files while sending file to left side)

Two-way sync is not supported with encryption enabled.

How to Enable Encryption

Step 1: Configure Your Folder Pair

  1. Create a new folderPair and enable encryption
  2. Set Sync Direction to either:
  3. To Right Folder (to encrypt files going to the cloud)
  4. To Left Folder (to decrypt files coming from the cloud)

Encryption must be enabled when creating folderPair

You can not enable encryption on pre-existing folderPair, it must be enabled when creating folderPair.

Step 2: Enable Encryption

  1. Find the File Encryption section
  2. Toggle Enable Encryption to ON
  3. Enter a strong password
  4. Confirm your password
  5. Save your password (we can not help you recover you password if lost)

How It Works

Encrypting Files (Left to right)

When you sync plain files → encrypted destination:

Example: Local Device → Google Drive (encrypted) - Your local files remain unencrypted - Files are encrypted during sync - Encrypted files are stored in Google Drive - Both filenames and contents are encrypted

Encrypted Filename Format: Original: vacation-photos.jpg Encrypted: Rq8jK3mP9xYzABCxyz.fscrypt

Decrypting Files (Right to left)

When you sync encrypted source → plain destination:

Example: Google Drive (encrypted) → Local Device - Encrypted files are read from Google Drive - Files are decrypted during sync - Plain files are stored on your device - Original filenames and contents are restored

Understanding the Encryption

Cryptographic Details

For those interested in the technical implementation:

  • Encryption Algorithm: ChaCha20-Poly1305 (modern, secure, fast)
  • Password Derivation: Argon2id with 64 MB memory, 3 iterations
  • Key Size: 256-bit encryption keys
  • File Encryption: Streaming encryption in 4 MB chunks

This combination provides: - Confidentiality: Nobody can read your files without the password - Integrity: Any tampering with encrypted files will be detected - Authentication: Ensures files haven't been modified - Mobile-Optimized: Designed for efficient operation on mobile devices

What's Protected

Protected: - File contents - File and folder names - File paths and directory structure

Not Protected (metadata): - Approximate file sizes (encrypted files are slightly larger) - Number of files and folders - File modification times (depending on cloud provider)

This is normal for client-side encryption and inevitable for cloud storage compatibility.

Password Security

Creating a Strong Password

Your encryption password is the only way to decrypt your files. Follow these guidelines:

Recommended: - Minimum 8 characters (20+ recommended) - Mix of uppercase and lowercase letters - Include numbers and special characters - Use a passphrase or password manager - Example: BlueMountain$2024!Secure

Avoid: - Common words or patterns - Personal information (birthdays, names) - Short passwords (under 12 characters) - Reusing passwords from other services

⚠️ Critical Password Warning

THERE IS NO PASSWORD RECOVERY!

  • If you forget your password, your encrypted files are permanently inaccessible
  • FolderSync cannot reset or recover your password
  • No backdoor or master key exists
  • Store your password securely (use a password manager)

Recommendation: Before encrypting important files, test the encryption/decryption process with a test folder pair and verify you can successfully decrypt files.

Limitations and Compatibility

Encryption Cannot Be Combined With:

  • ❌ Two-way sync
  • ❌ Backup mode
  • ❌ Move files mode

Performance Considerations:

  • Encryption adds computational overhead
  • Sync speed will be slower than unencrypted sync
  • More battery usage during sync
  • Optimized for mobile devices but still noticeable

File Size Overhead:

  • Encrypted files are approximately 40 bytes larger per 4 MB of data
  • Minimal overhead for most use cases
  • Example: A 100 MB file becomes ~100.0004 MB when encrypted

Use Cases

✅ Good Use Cases:

  • Syncing sensitive documents to cloud storage
  • Backing up private photos and videos
  • Storing financial or medical records
  • Protecting confidential business data
  • Files you need to share with others
  • Collaborative documents (they won't be able to decrypt)
  • Files that need cloud-side processing (thumbnails, search, etc.)
  • Media files you want to stream from cloud without downloading

Troubleshooting

"Encryption only works with one-way sync"

Solution: Change your sync direction from "Two-way" to either "To Left Folder" or "To Right Folder".

"Wrong password" error during decryption

Check: - Are you using the exact password you used for encryption? - Passwords are case-sensitive - Check for extra spaces at the beginning or end

Files won't decrypt

Possible causes: - Wrong password - Files were encrypted with a different FolderSync installation/password - Encrypted files were corrupted or modified - You're syncing the wrong direction

Performance is slow

This is normal: - Encryption requires CPU processing - Try syncing smaller batches of files - Consider syncing during charging - Desktop version may have better performance

Best Practices

  1. Test First: Create a test folder pair with a few files to verify everything works
  2. Document Your Setup: Write down which folders are encrypted and their passwords (store securely!)
  3. Regular Verification: Periodically test that you can decrypt files successfully
  4. Unique Passwords: Use different passwords for different folder pairs
  5. Backup Your Password: Store your encryption password in a secure password manager
  6. Plan for Recovery: Consider keeping an unencrypted backup of critical files in a secure location

Security Notes

Is My Data Safe?

Yes, when properly configured: - Modern, industry-standard encryption (ChaCha20-Poly1305) - Same algorithms used by Signal, WireGuard, TLS 1.3 - Strong password derivation (Argon2id) - No known security vulnerabilities

What Can Cloud Providers See?

Cloud storage providers can see: - That you're storing encrypted files - Approximate number and size of files - When files were uploaded/modified

They cannot see: - Your file names - Your file contents - Your folder structure - Your encryption password

Can FolderSync Decrypt My Files?

No. Your encryption password never leaves your device and is not stored on any server. Only you can decrypt your files.

Getting Help

If you encounter issues with encryption: 1. Check this help section first 2. Verify your password is correct 3. Try with a new test folder pair 4. Contact support with: - Device model and Android/Desktop version - FolderSync version - Cloud storage provider - Error messages (if any) - DO NOT share your encryption password with anyone

Remember: Encryption is a powerful tool for privacy, but it requires careful password management. Always store your password securely and test your setup before relying on it for important data.

CLI

The foldersync-cli tool for desktop can be used to decrypt and encrypt files if you need to decrypt files withhout using FolderSync app directly. See CLI page for more info.