Everything stays on your network
CoveSync is a small daemon that runs on each PC. There is no central server — devices talk directly to each other over your local network (LAN or WiFi). Your files never leave your network.
Discover
Devices find each other via UDP multicast — no router config needed
Trust
You verify the certificate fingerprint and accept the device manually
Sync
Files transfer directly over an encrypted connection between your devices
No Dropbox. No iCloud. No Google Drive. No CoveSync servers. Just your devices, talking to each other.
How devices find each other
When CoveSync starts, it broadcasts a UDP multicast announcement on your local network. Every other device running CoveSync on the same network receives this announcement and learns the sender's IP address, port, and certificate fingerprint.
This is entirely local — multicast packets do not leave your router. No DNS lookup, no external server. If two devices are on different networks, they cannot discover each other.
TLS and mutual authentication
Every device generates a self-signed TLS certificate on first launch. This certificate never leaves the device and is not issued by any external certificate authority.
When two devices connect, they use mutual TLS (mTLS) — both sides must present a certificate the other has explicitly trusted. This means:
A new device cannot silently join
Even if an attacker on your network discovers a CoveSync instance, they cannot connect without a certificate that has been individually approved. There is no shared password to intercept.
Trust is explicit and one-time
The first time you see a new device, you verify its fingerprint — a short string shown in both UIs. Once accepted, the fingerprint is stored and re-verified on every future connection automatically.
All traffic is encrypted
Every byte transferred between devices is encrypted by TLS. File contents, folder names, and metadata are never sent in cleartext — even on your own LAN.
How files are transferred
CoveSync uses a pull-based model. Instead of the sender pushing files to every peer, each device periodically asks its peers "what do you have?" and pulls only what has changed.
The sync cycle works like this:
1. Index exchange
Device A fetches the file index from Device B — a list of filenames, sizes, and last-modified timestamps. No file content is transferred yet.
2. Diff
Device A compares the remote index to its local state. Files that are newer on B (or missing locally) are queued for download.
3. Transfer
Changed files are fetched one at a time over the same mTLS connection. Files are written atomically — a partial download never replaces the existing file.
4. Conflicts
If the same file was modified on both sides since the last sync, the host's version wins. The guest's conflicting copy is saved as filename.conflict.TIMESTAMP so no data is silently lost.
What CoveSync does not do
CoveSync makes no outbound connections to any server outside your network, with two optional exceptions:
Crash reports (opt-in, Android only)
The Android companion app can optionally send anonymous crash reports to help fix bugs. This is off by default and contains only the stack trace, app version, and a random install ID — never file names, file contents, or personal information. You can disable it at any time in Settings.
Version check (optional, PC)
The PC daemon can optionally check for a newer version. If enabled, it makes a single GET request to the CoveSync releases page. This is opt-in and sends no identifying information.
Want to verify this yourself? See the verification guide.