How To Use Obsidian: Sync for FREE Without The Cloud (And Encrypted Bonus!)

TL;DR

Cryptomator encrypts an Obsidian vault and provides a mounted decrypted view only after unlocking, so decrypted data stays local to the device being used.

Briefing Cornell Notes

Briefing

Local-first note-taking in Obsidian is powerful because vaults live as files on a user’s own devices. That same design becomes a headache when someone switches between a work desktop and a laptop on the road: the vault needs to appear on multiple computers without giving up control of the data or pushing it into a third-party cloud.

A workaround uses three tools to keep an encrypted Obsidian vault synchronized across devices for free. Cryptomator encrypts a vault folder (and can mount it as a virtual “drive” when unlocked). SyncThing then synchronizes the encrypted folder between computers using a peer-to-peer protocol, so only ciphertext is copied across the network. On each device, Cryptomator decrypts locally after SyncThing has delivered the encrypted files, and Obsidian reads the decrypted vault as if it were just another local folder.

The setup starts with installing Cryptomator on every device. A new encrypted vault is created with a chosen name and a storage location on the local drive. After unlocking, Cryptomator reveals a mounted view (an external-drive-like interface) where the user can create the actual Obsidian vault folder. Inside that mounted area, Obsidian behaves normally: users create folders, add Markdown files, and the vault contents are written into the encrypted container. When the vault is closed in Obsidian and the Cryptomator vault is locked, the mounted decrypted view disappears; the underlying encrypted files remain as unreadable “gibberish” until the vault is unlocked again.

To synchronize without cloud storage, the encrypted vault folder (the Cryptomator container) is what gets shared—not the decrypted contents. SyncThing is installed on each computer and configured to connect over the local network for easier setup. A shared folder is added in SyncThing by specifying a folder ID and the local path to the encrypted Cryptomator vault. Devices then exchange authorization: sharing is treated like a two-way approval process, so the user must approve incoming requests before synchronization begins.

Once the encrypted folder is synchronized, changes made on one computer propagate to the other. The receiving device’s Cryptomator unlocks the vault locally, and Obsidian can open the decrypted vault to show the updated notes. The same approach can also support a smaller “phone notes” vault: keep a separate, lighter Obsidian database on a phone, sync it with SyncThing, and view it on the desktop without carrying tens of gigabytes on mobile.

The result is a multi-device Obsidian workflow that preserves local file control, adds encryption at rest via Cryptomator, and avoids cloud providers by using SyncThing to replicate encrypted data between machines. It’s a practical path for anyone who wants portability across computers while keeping the vault’s contents private until they’re unlocked on the device being used.

Cornell Notes

Obsidian vaults are easiest to trust when they stay as local files, but that creates friction across multiple computers. The solution pairs Cryptomator with SyncThing: Cryptomator encrypts the vault and mounts a decrypted view only when unlocked, while SyncThing synchronizes the encrypted container between devices. Each computer then decrypts locally and Obsidian reads the decrypted vault normally. This avoids cloud storage by copying ciphertext peer-to-peer, and it can also power a separate smaller vault for phone notes that syncs to a desktop.

Why does “local files” become a problem for multi-device Obsidian users, and what’s the core fix?

Local vaults mean the data lives on one computer, so a work desktop and a laptop won’t automatically share the same notes. The fix is to keep the vault local but make it portable by syncing the encrypted vault container between devices. Cryptomator handles encryption/decryption locally, while SyncThing replicates the encrypted folder so the same vault appears on both computers.

How does Cryptomator change what’s actually stored on disk versus what Obsidian can read?

Cryptomator stores the vault as an encrypted container folder containing files like the Cryptomator vault metadata (e.g., vault.cryptomater and master key.cryptomater). When the vault is unlocked, Cryptomator mounts a decrypted “external drive” view. Obsidian should create and edit its vault inside that mounted decrypted view; if someone browses the underlying encrypted container directly, the contents look like random, unreadable files.

What exactly gets synchronized with SyncThing—decrypted notes or encrypted data?

SyncThing synchronizes the encrypted Cryptomator vault folder, not the decrypted view. That means only ciphertext is copied between computers. After synchronization, each device unlocks the Cryptomator vault locally so Obsidian can access the decrypted Markdown files.

How does SyncThing sharing work across devices in this workflow?

SyncThing is configured by adding a shared folder using a folder ID and a local path to the encrypted vault on each device. The process requires two-way authorization: one side shares, the other requests/receives the share, and the user approves so synchronization can start. The shared folder can then be selected for syncing on the receiving device.

How can this setup handle a phone without forcing the main vault to live on mobile storage?

A separate, smaller Obsidian vault can be created for phone notes. SyncThing runs on the phone to synchronize that smaller encrypted vault to the laptop/desktop. The desktop then shows those phone notes inside the corresponding decrypted vault, without needing the full daily vault (40–50GB in the example) on the phone.

Review Questions

In this workflow, what is the difference between the Cryptomator encrypted container and the mounted decrypted drive view, and which one should Obsidian write to?
Why does synchronizing the encrypted folder (instead of the decrypted one) matter for privacy in a multi-device setup?
What role do folder IDs and two-way approval play in SyncThing’s synchronization process?

Key Points

1
Cryptomator encrypts an Obsidian vault and provides a mounted decrypted view only after unlocking, so decrypted data stays local to the device being used.
2
SyncThing synchronizes the encrypted Cryptomator vault container between computers, avoiding cloud storage and keeping copied data unreadable without the local password.
3
Obsidian should create and edit the vault inside Cryptomator’s mounted decrypted drive view, not inside the raw encrypted container folder.
4
SyncThing setup relies on sharing a folder via a folder ID and local path, followed by two-way authorization before synchronization starts.
5
The encrypted vault should be locked in Cryptomator (and the vault closed in Obsidian) to remove the decrypted view and prevent accidental access.
6
A separate “phone notes” vault can be synced with SyncThing so mobile devices don’t need to store a large daily vault.
7
This approach supports a multi-device workflow where changes on one computer propagate to others, then appear in Obsidian after local decryption.

Highlights

Encryption and sync are separated: Cryptomator encrypts locally, while SyncThing replicates only encrypted files across devices.

Obsidian behaves normally once the vault is created inside Cryptomator’s mounted decrypted view; the underlying encrypted container remains unreadable.

Two-way authorization in SyncThing controls which devices can sync the shared encrypted vault.

A smaller phone-specific vault can be synced independently, preventing huge main vaults from living on mobile storage.

Topics

Obsidian Vault Sync
Cryptomator Encryption
SyncThing Peer-to-Peer
Local-First Notes
Encrypted Phone Notes