5 Welcome to `Tahoe-LAFS <https://tahoe-lafs.org>`_, the first decentralized
6 storage system with *provider-independent security*.
8 What is "provider-independent security"?
9 ========================================
11 Every seller of cloud storage services will tell you that their service is
12 "secure". But what they mean by that is something fundamentally different
13 from what we mean. What they mean by "secure" is that after you've given
14 them the power to read and modify your data, they try really hard not to let
15 this power be abused. This turns out to be difficult! Bugs,
16 misconfigurations, or operator error can accidentally expose your data to
17 another customer or to the public, or can corrupt your data. Criminals
18 routinely gain illicit access to corporate servers. Even more insidious is
19 the fact that the employees themselves sometimes violate customer privacy out
20 of carelessness, avarice, or mere curiousity. The most conscientious of
21 these service providers spend considerable effort and expense trying to
24 What we mean by "security" is something different. *The service provider
25 never has the ability to read or modify your data in the first place --
26 never.* If you use Tahoe-LAFS, then all of the threats described above are
27 non-issues to you. Not only is it easy and inexpensive for the service
28 provider to maintain the security of your data, but in fact they couldn't
29 violate its security if they tried. This is what we call
30 *provider-independent security*.
32 This guarantee is integrated naturally into the Tahoe-LAFS storage system and
33 doesn't require you to perform a manual pre-encryption step or cumbersome key
34 management. (After all, having to do cumbersome manual operations when
35 storing or accessing your data would nullify one of the primary benefits of
36 using cloud storage in the first place -- convenience.)
40 .. image:: https://tahoe-lafs.org/~zooko/network-and-reliance-topology.png
42 A "storage grid" is made up of a number of storage servers. A storage server
43 has direct attached storage (typically one or more hard disks). A "gateway"
44 uses the storage servers and provides access to the filesystem over HTTP(S)
47 Users do not rely on storage servers to provide *confidentiality* nor
48 *integrity* for their data -- instead all of the data is encrypted and
49 integrity-checked by the gateway, so that the servers can neither read nor
50 modify the contents of the files.
52 Users do rely on storage servers for *availability*. The ciphertext is
53 erasure-coded into ``N`` shares distributed across at least ``H`` distinct
54 storage servers (the default value for ``N`` is 10 and for ``H`` is 7) so
55 that it can be recovered from any ``K`` of these servers (the default
56 value of ``K`` is 3). Therefore only the failure of ``H-K+1`` (with the
57 defaults, 5) servers can make the data unavailable.
59 In the typical deployment mode each user runs her own gateway on her own
60 machine. This way she relies on her own machine for the confidentiality and
61 integrity of the data.
63 An alternate deployment mode is that the gateway runs on a remote machine and
64 the user connects to it over HTTPS or SFTP. This means that the operator of
65 the gateway can view and modify the user's data (the user *relies on* the
66 gateway for confidentiality and integrity), but the advantage is that the
67 user can access the filesystem with a client that doesn't have the gateway
68 software installed, such as an Internet kiosk or cell phone.
73 There are two kinds of files: immutable and mutable. Immutable files have
74 the property that once they have been uploaded to the storage grid they can't
75 be modified. Mutable ones can be modified. A user can have read-write
76 access to a mutable file or read-only access to it (or no access to it at
79 A user who has read-write access to a mutable file or directory can give
80 another user read-write access to that file or directory, or they can give
81 read-only access to that file or directory. A user who has read-only access
82 to a file or directory can give another user read-only access to it.
84 When linking a file or directory into a parent directory, you can use a
85 read-write link or a read-only link. If you use a read-write link, then
86 anyone who has read-write access to the parent directory can gain read-write
87 access to the child, and anyone who has read-only access to the parent
88 directory can gain read-only access to the child. If you use a read-only
89 link, then anyone who has either read-write or read-only access to the parent
90 directory can gain read-only access to the child.
92 For more technical detail, please see the `the doc page
93 <https://tahoe-lafs.org/trac/tahoe-lafs/wiki/Doc>`_ on the Wiki.
98 To use Tahoe-LAFS, please see `quickstart.rst <quickstart.rst>`_.
103 You may use this package under the GNU General Public License, version 2 or,
104 at your option, any later version. See the file `COPYING.GPL
105 <../COPYING.GPL>`_ for the terms of the GNU General Public License, version
108 You may use this package under the Transitive Grace Period Public Licence,
109 version 1 or, at your option, any later version. The Transitive Grace Period
110 Public Licence has requirements similar to the GPL except that it allows you
111 to wait for up to twelve months after you redistribute a derived work before
112 releasing the source code of your derived work. See the file `COPYING.TGGPL
113 <../COPYING.TGPPL.rst>`_ for the terms of the Transitive Grace Period Public
116 (You may choose to use this package under the terms of either licence, at
projects / tahoe-lafs / tahoe-lafs.git / blob