FAQ#

What does Tahoe (not) do for you?#

Tahoe doesn’t make storing secrets go away, it just makes them smaller. The capabilities are NOT dependent on the provider.

Basic Scenarios#

A file is stored in cipher on the cloud HOWEVER the cap is in the clear * Availability

  • Access Control (verify)

  • Access Control (sharing)

  • Access Control (write)

  • encryption at rest

RISK: the cap is in the clear

Incomplete#

A file is store in cipher on the cloud AND the cap is secret * Availability

  • Access Control (verify)

  • Access Control (sharing)

  • Access Control (write)

  • encryption at rest

  • Confidentiality (cap is secured) UNLESS clear in the client

Complete#

A doc is store in cipher on the cloud and user app (using a local binary) “end to encryptions” * Availability

  • Access Control (verify)

  • Access Control (sharing)

  • Access Control (write)

  • encryption at rest

  • Confidentiality (cap is secured)

Delete

The reference(s) to the shares is removed. The shares may still exist, but there is no way to find them.

Recover

regain access to content on an existing device

Restore

copy data onto a new device (eg. the reverse of backup)

Threat Surfaces#

Front end

The part facing the human is the front end. Front end is outside of the Tahoe-lafs security domain. Content is in the clear, unless the front end limits exposure somehow.

Client

The client moves content in and out of Tahoe-lafs. A client creates the capability string and (de)crypts the content in the shares. The tahoe-lafs security boundary is in the client.

Storage node

Storage nodes contain “shares” (fragments) in cipher.

Grid

Storage nodes can be accessed from one or more introducers. The collection of nodes an introducer can access is called a grid.

Introducer

An introducer may be shared or private, depending on how much exposure a user can tolerate. Each introducer has the map of fURL to storages nodes, but the Client decrypts the shares from the storage nodes.

Authentication

A shared introducer might use a method of granting access to a request from a client. (??)

Use Cases#

User collects data from disparate sources for long term storage. (eg. medical records from all providers. User doesn’t know when they will need the records but they don’t want to risk losing them. A community grid will self replicate indefinitely.