Secure-Smart-Sync
unlistedby Sen
Forked from Secure-Smart-Sync/Secure-Smart-Sync
Sync your Obsidian vault to Cloudflare R2 with client-side encryption.
Secure-Smart-Sync
Privacy-first Obsidian vault sync via Cloudflare R2 with client-side encryption.
Your files never leave your device unencrypted. No third-party servers. No subscriptions.
Not affiliated with Obsidian Sync. SSS runs entirely on your own Cloudflare R2 bucket. You own the storage, the keys, and the data.
Read the Usage Guidelines before setup. The official site has a visual walkthrough that takes under five minutes.
How it works
|
Zero-Knowledge Encryption Every file is encrypted on your device before it is uploaded. You choose between AES-256-CBC (OpenSSL) or Salsa20+Poly1305 (rclone-compatible). Your password never leaves your device — the storage provider sees only ciphertext. |
Three-Way Diff Engine Compares your local state, the remote state, and the last known sync snapshot. ETags anchor change detection so unchanged files are never re-uploaded. Conflicts are resolved by your rules and backed up automatically. |
|
Smart Sync A few seconds after you stop typing, your vault syncs silently in the background. When Device A finishes, it signals Device B, which pulls the changes within seconds. No manual triggering. No distracting pop-ups. |
Instant Device Pairing Generate a short pairing code on one device. Enter it on another. Your R2 credentials and encryption settings transfer over an AES-GCM encrypted relay and self-destruct after ten minutes. No typing API keys on mobile. |
Get started
1. Create your R2 bucket
Log in to Cloudflare, create an R2 bucket, and generate an API token with read and write permissions. The visual setup guide walks through every step.
2. Install the plugin
Install Secure-Smart-Sync from the Obsidian Community Plugins browser, or download the latest release and copy it to your vault's .obsidian/plugins/ folder.
3. Configure and sync
Open the SSS settings tab, expand Configure Connection, enter your R2 endpoint and credentials, and run a connection test. Enable Smart Sync and you are done. Pair additional devices in under thirty seconds using the built-in pairing code.
Documentation
| Usage Guidelines | Initial setup, configuration reference, and day-to-day usage |
| Security | Cryptographic methods, architecture, and threat model |
| R2 Usage & Limits | Free-tier op analysis across vault sizes and device counts |
| Contributing | Bug reports, pull requests, and documentation |
Security
SSS ships with no analytics, telemetry, or tracking. Encryption keys are generated and stored locally and are never transmitted. The ephemeral pairing relay is open-source, uses AES-GCM end-to-end encryption, and stores nothing after the payload is consumed.
Full cryptographic detail is in SECURITY.md.
The relay source is at xensenx/Secure-Smart-Sync-relay. You can self-host it if you prefer not to use the default instance.
Credits
Remotely Save provided an early reference for S3-compatible storage that helped accelerate the initial prototyping phase. SSS has since been independently rewritten into a different architecture. The portions of Remotely Save that informed this project are licensed under Apache 2.0.
License
Code is released under the MIT License — see LICENSE.
The Secure-Smart-Sync name, logo, and branding are copyright © Sen and are not covered by the MIT License. The code is free to use and modify; the visual identity and project name are not available for redistribution or rebranding.
Support
If the plugin has helped you and saved your time, consider supporting the developer
For plugin developers
Search results and similarity scores are powered by semantic analysis of your plugin's README. If your plugin isn't appearing for searches you'd expect, try updating your README to clearly describe your plugin's purpose, features, and use cases.