

Key structure and flow


A Key, formerly known as "Secret", is a vital piece of information used to identify folders, encrypt data and find peers over the internet.

A Key generated by Resilio Sync consists of capital letters from A to Z and digits from 2 to 7. It can be divided into 2 parts:
1. The first symbol of a Key indicates its type.
2. The rest of a Key (usually 32 symbols) is a 20-byte sequence encoded in Base32 format.

Note that there is one exception: an encrypted-read-only secret is nearly twice as long (65 symbols). Its body consists of 2 keys, a Data access key and a Data encryption/decryption key, each a 20-byte value encoded in Base32.

Key types

The first letter of a standard Key determines the Key type. Please see the table below for all available Key types and their usage.

| Key type | Used for |
| --- | --- |
| A | Standard Key with read-write permissions. Generated by the desktop version of Sync. |
| B | Read-only Key. Calculated automatically from an “A”-type secret. |
| C | Read-only one-time Key. Can be calculated from an “A” or “B” type secret. Works for a limited amount of time, then is disposed of. |
| D | Standard Key with read-write permissions and the capability to seed data to encrypted nodes. Can be generated by the Sync API. |
| E | Read-only Key with the capability to get and decrypt data from encrypted nodes (nodes with “D” and “F” types of Key). Calculated automatically from a “D” type Key. |
| F | Encrypted Key. Can only receive, store and seed data. Cannot decrypt filenames or content. Calculated automatically from an “E” or “F” type Key. |
| R | Read-only Key. Obsolete; was generated by pre-1.0 versions but still functions for compatibility. Same as “B”. |
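The structure and type letters described above can be checked before a Key is shared or stored, for example to confirm that a Key about to be handed out is not write-capable. This is an added example, not Resilio's own code. It assumes only the two layouts the page describes (1 + 32 and 1 + 64 symbols); `parse_key`, the sample values and the "E" prefix on the long sample are assumptions made for illustration.

```python
import base64
import re

# Type letters and meanings, from the "Key types" table on this page.
KEY_TYPES = {
    "A": "read-write",
    "B": "read-only",
    "C": "read-only, one-time",
    "D": "read-write, can seed to encrypted nodes",
    "E": "read-only, can decrypt data from encrypted nodes",
    "F": "encrypted (store and seed only, cannot decrypt)",
    "R": "read-only (obsolete, same as B)",
}
WRITE_CAPABLE = {"A", "D"}
_ALPHABET = re.compile(r"[A-Z2-7]+")


def parse_key(key):
    """Split a Key into its type letter and decoded 20-byte parts.

    Handles only the two layouts the page describes: 1 + 32 symbols
    (one 20-byte value) and 1 + 64 symbols (two 20-byte values).
    Raises ValueError for anything else.
    """
    if not key or not _ALPHABET.fullmatch(key):
        raise ValueError("key must use only A-Z and 2-7")
    kind, body = key[0], key[1:]
    if kind not in KEY_TYPES:
        raise ValueError("unknown key type letter: " + kind)
    if len(body) not in (32, 64):
        raise ValueError("unexpected body length: %d" % len(body))
    raw = base64.b32decode(body)  # 32 symbols -> 20 bytes, 64 -> 40
    parts = [raw[i:i + 20] for i in range(0, len(raw), 20)]
    return {
        "type": kind,
        "meaning": KEY_TYPES[kind],
        "write_capable": kind in WRITE_CAPABLE,
        "parts": parts,
    }


# Constructed sample values (not real Keys): a type letter followed by
# the Base32 encoding of fixed bytes. The "E" prefix on the long sample
# is an assumption; the page does not say which letter that Key carries.
SAMPLE_RW = "A" + base64.b32encode(bytes(range(20))).decode()
SAMPLE_LONG = "E" + base64.b32encode(bytes(range(40))).decode()
```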

Key flow

When a Read-Write (RW) Key is created, Sync automatically generates:
- a pair of asymmetric keys based on RW Key - used to sign and verify file hashes
- a Read-Only (RO) Key based on a public key
- a Share ID based on a RO Key
- a traffic encryption key, generated separately for every session based on the RO Key

Sync uses the Ed25519 and SHA-3 cryptographic algorithms for Key generation.

Once a full set of Keys is ready, Sync attempts to find peers in the following ways (all of them can be disabled in the folder preferences):

1. Tracker server.
Sync connects to the tracker server and supplies it with the ShareID to look for, as well as the associated internal IP:port (while the tracker determines the external IP:port automatically). The tracker responds with the information about other peers that are connected with the same Share ID and their IP:ports (both internal and external). Having this information, the peer can attempt to connect to other peers directly (if internal IP subnet matches, the peer will attempt to connect in LAN first) and a new session key is calculated based on a RO Key.

2. LAN discovery
Every Sync instance subscribes to multicast packets, using port 3838. Every Sync instance sends multicast packets for revealing its presence when it starts or when network changes are detected. These packets contain information about the associated ShareIDs and the IP:port. Once a peer receives a multicast packet with the ShareID it is looking for, it connects to the sender, and traffic will be encrypted once the session key is negotiated.

3. Predefined hosts
Sync will connect to the predefined hosts, sending information about ShareIDs and its IP. If a remote peer is acquiring a peer's ShareID, it initiates the connection(s) and calculates the session key(s).

Key change
When a user changes the Key on one peer, the change will not be distributed automatically. All the peers with the old Key will continue syncing with each other, but will no longer sync with the peer who changed the Key.
