tahoe-lafs/docs/about.rst

.. -*- coding: utf-8-with-signature -*-

**********************
Welcome to Tahoe-LAFS!
**********************

What is Tahoe-LAFS?
===================

Welcome to Tahoe-LAFS_, the first decentralized storage system with
*provider-independent security*.

Tahoe-LAFS is a system that helps you to store files. You run a client
program on your computer, which talks to one or more storage servers on other
computers. When you tell your client to store a file, it will encrypt that
file, encode it into multiple pieces, then spread those pieces out among
multiple servers. The pieces are all encrypted and protected against
modifications. Later, when you ask your client to retrieve the file, it will
find the necessary pieces, make sure they haven't been corrupted, reassemble
them, and decrypt the result.

The client creates more pieces (or "shares") than it will eventually need, so
even if some of the servers fail, you can still get your data back. Corrupt
shares are detected and ignored, so the system can tolerate server-side
hard-drive errors. All files are encrypted (with a unique key) before
uploading, so even a malicious server operator cannot read your data. The
only thing you ask of the servers is that they can (usually) provide the
shares when you ask for them: you aren't relying upon them for
confidentiality, integrity, or absolute availability.

.. _Tahoe-LAFS: https://tahoe-lafs.org

What is "provider-independent security"?
========================================

Every seller of cloud storage services will tell you that their service is
"secure".  But what they mean by that is something fundamentally different
from what we mean.  What they mean by "secure" is that after you've given
them the power to read and modify your data, they try really hard not to let
this power be abused.  This turns out to be difficult!  Bugs,
misconfigurations, or operator error can accidentally expose your data to
another customer or to the public, or can corrupt your data.  Criminals
routinely gain illicit access to corporate servers.  Even more insidious is
the fact that the employees themselves sometimes violate customer privacy out
of carelessness, avarice, or mere curiosity.  The most conscientious of
these service providers spend considerable effort and expense trying to
mitigate these risks.

What we mean by "security" is something different.  *The service provider
never has the ability to read or modify your data in the first place: never.*
If you use Tahoe-LAFS, then all of the threats described above are non-issues
to you.  Not only is it easy and inexpensive for the service provider to
maintain the security of your data, but in fact they couldn't violate its
security if they tried.  This is what we call *provider-independent
security*.

This guarantee is integrated naturally into the Tahoe-LAFS storage system and
doesn't require you to perform a manual pre-encryption step or cumbersome key
management.  (After all, having to do cumbersome manual operations when
storing or accessing your data would nullify one of the primary benefits of
using cloud storage in the first place: convenience.)

Here's how it works:

.. image:: network-and-reliance-topology.svg

A "storage grid" is made up of a number of storage servers.  A storage server
has direct attached storage (typically one or more hard disks).  A "gateway"
communicates with storage nodes, and uses them to provide access to the
file store over protocols such as HTTP(S), SFTP or FTP.

Note that you can find "client" used to refer to gateway nodes (which act as
a client to storage servers), and also to processes or programs connecting to
a gateway node and performing operations on the grid -- for example, a CLI
command, Web browser, SFTP client, or FTP client.

Users do not rely on storage servers to provide *confidentiality* nor
*integrity* for their data -- instead all of the data is encrypted and
integrity-checked by the gateway, so that the servers can neither read nor
modify the contents of the files.

Users do rely on storage servers for *availability*.  The ciphertext is
erasure-coded into ``N`` shares distributed across at least ``H`` distinct
storage servers (the default value for ``N`` is 10 and for ``H`` is 7) so
that it can be recovered from any ``K`` of these servers (the default
value of ``K`` is 3).  Therefore only the failure of ``H-K+1`` (with the
defaults, 5) servers can make the data unavailable.

In the typical deployment mode each user runs her own gateway on her own
machine.  This way she relies on her own machine for the confidentiality and
integrity of the data.

An alternate deployment mode is that the gateway runs on a remote machine and
the user connects to it over HTTPS or SFTP.  This means that the operator of
the gateway can view and modify the user's data (the user *relies on* the
gateway for confidentiality and integrity), but the advantage is that the
user can access the file store with a client that doesn't have the gateway
software installed, such as an Internet kiosk or cell phone.

Access Control
==============

There are two kinds of files: immutable and mutable. When you upload a file
to the storage grid you can choose which kind of file it will be in the
grid. Immutable files can't be modified once they have been uploaded.  A
mutable file can be modified by someone with read-write access to it. A user
can have read-write access to a mutable file or read-only access to it, or no
access to it at all.

A user who has read-write access to a mutable file or directory can give
another user read-write access to that file or directory, or they can give
read-only access to that file or directory.  A user who has read-only access
to a file or directory can give another user read-only access to it.

When linking a file or directory into a parent directory, you can use a
read-write link or a read-only link.  If you use a read-write link, then
anyone who has read-write access to the parent directory can gain read-write
access to the child, and anyone who has read-only access to the parent
directory can gain read-only access to the child.  If you use a read-only
link, then anyone who has either read-write or read-only access to the parent
directory can gain read-only access to the child.

For more technical detail, please see the `the doc page`_ on the Wiki.

.. _the doc page: https://tahoe-lafs.org/trac/tahoe-lafs/wiki/Doc

Get Started
===========

To use Tahoe-LAFS, please see :doc:`INSTALL`.

License
=======

Tahoe-LAFS is an open-source project; please see README.rst_ for details.

.. _README.rst: ../README.rst
magic first line tells emacs to use utf8+bom Add ".. -- coding: utf-8-with-signature --" to the first line of each .rst file. This tells emacs to treat the file contents as utf-8, and also to prepend a so-called utf-8 "bom" marker at the beginning of the file. This patch also prepends those markers to each of those files. 2013-11-08 20:31:08 +00:00			`.. -- coding: utf-8-with-signature --`
docs: insert another newline between utf-8 BOF and title 2012-01-22 21:14:27 +00:00
docs: add sphinx index.rst, improve headers 2016-03-30 04:46:11 +00:00			`**********************`
docs: insert newline after utf-8 BOF and before restructuredtext title 2012-01-22 18:21:27 +00:00			`Welcome to Tahoe-LAFS!`
docs: add sphinx index.rst, improve headers 2016-03-30 04:46:11 +00:00			`**********************`

			`What is Tahoe-LAFS?`
			`===================`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
doc: about.rst: use unicode emdash, use non-embedded URIs, add clarificaiton of when a file gets its mutable-or-immutable nature embedded URIs, although documented here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#embedded-uris generate messages like this from rst2html --verbose: quickstart.rst:3: (INFO/1) Duplicate explicit target name: "the tahoe-dev mailing list". Also this patch prepends a "utf-8 BOM" to the beginning of the file. 2011-12-06 17:19:08 +00:00			`Welcome to Tahoe-LAFS_, the first decentralized storage system with`
			`provider-independent security.`

docs: add sphinx index.rst, improve headers 2016-03-30 04:46:11 +00:00			`Tahoe-LAFS is a system that helps you to store files. You run a client`
			`program on your computer, which talks to one or more storage servers on other`
			`computers. When you tell your client to store a file, it will encrypt that`
			`file, encode it into multiple pieces, then spread those pieces out among`
			`multiple servers. The pieces are all encrypted and protected against`
			`modifications. Later, when you ask your client to retrieve the file, it will`
			`find the necessary pieces, make sure they haven't been corrupted, reassemble`
			`them, and decrypt the result.`

			`The client creates more pieces (or "shares") than it will eventually need, so`
			`even if some of the servers fail, you can still get your data back. Corrupt`
			`shares are detected and ignored, so the system can tolerate server-side`
			`hard-drive errors. All files are encrypted (with a unique key) before`
			`uploading, so even a malicious server operator cannot read your data. The`
			`only thing you ask of the servers is that they can (usually) provide the`
			`shares when you ask for them: you aren't relying upon them for`
			`confidentiality, integrity, or absolute availability.`

doc: about.rst: use unicode emdash, use non-embedded URIs, add clarificaiton of when a file gets its mutable-or-immutable nature embedded URIs, although documented here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#embedded-uris generate messages like this from rst2html --verbose: quickstart.rst:3: (INFO/1) Duplicate explicit target name: "the tahoe-dev mailing list". Also this patch prepends a "utf-8 BOM" to the beginning of the file. 2011-12-06 17:19:08 +00:00			`.. _Tahoe-LAFS: https://tahoe-lafs.org`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
			`What is "provider-independent security"?`
			`========================================`

docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`Every seller of cloud storage services will tell you that their service is`
			`"secure". But what they mean by that is something fundamentally different`
			`from what we mean. What they mean by "secure" is that after you've given`
			`them the power to read and modify your data, they try really hard not to let`
			`this power be abused. This turns out to be difficult! Bugs,`
			`misconfigurations, or operator error can accidentally expose your data to`
			`another customer or to the public, or can corrupt your data. Criminals`
			`routinely gain illicit access to corporate servers. Even more insidious is`
			`the fact that the employees themselves sometimes violate customer privacy out`
Fix typo pointed out by CptPlastic. Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2013-10-22 01:31:52 +00:00			`of carelessness, avarice, or mere curiosity. The most conscientious of`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`these service providers spend considerable effort and expense trying to`
			`mitigate these risks.`

			`What we mean by "security" is something different. *The service provider`
docs: replace emdash characters with plain ASCII 2013-04-09 19:19:58 +00:00			`never has the ability to read or modify your data in the first place: never.*`
doc: about.rst: use unicode emdash, use non-embedded URIs, add clarificaiton of when a file gets its mutable-or-immutable nature embedded URIs, although documented here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#embedded-uris generate messages like this from rst2html --verbose: quickstart.rst:3: (INFO/1) Duplicate explicit target name: "the tahoe-dev mailing list". Also this patch prepends a "utf-8 BOM" to the beginning of the file. 2011-12-06 17:19:08 +00:00			`If you use Tahoe-LAFS, then all of the threats described above are non-issues`
			`to you. Not only is it easy and inexpensive for the service provider to`
			`maintain the security of your data, but in fact they couldn't violate its`
			`security if they tried. This is what we call *provider-independent`
			`security*.`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00
			`This guarantee is integrated naturally into the Tahoe-LAFS storage system and`
			`doesn't require you to perform a manual pre-encryption step or cumbersome key`
			`management. (After all, having to do cumbersome manual operations when`
			`storing or accessing your data would nullify one of the primary benefits of`
docs: replace emdash characters with plain ASCII 2013-04-09 19:19:58 +00:00			`using cloud storage in the first place: convenience.)`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
			`Here's how it works:`

docs/about.rst: fix broken link for network-and-reliance-topology image. Signed-off-by: David-Sarah Hopwood <david-sarah@jacaranda.org> 2012-11-01 23:09:07 +00:00			`.. image:: network-and-reliance-topology.svg`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`A "storage grid" is made up of a number of storage servers. A storage server`
			`has direct attached storage (typically one or more hard disks). A "gateway"`
docs/about.rst: Reword and remove redundancy. Also avoid "(S)FTP". Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2013-12-04 01:23:11 +00:00			`communicates with storage nodes, and uses them to provide access to the`
Change some instances of "filesystem" that were missed to "file store". Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2015-07-31 17:21:47 +00:00			`file store over protocols such as HTTP(S), SFTP or FTP.`
docs/about.rst: Reword and remove redundancy. Also avoid "(S)FTP". Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2013-12-04 01:23:11 +00:00
			`Note that you can find "client" used to refer to gateway nodes (which act as`
			`a client to storage servers), and also to processes or programs connecting to`
			`a gateway node and performing operations on the grid -- for example, a CLI`
			`command, Web browser, SFTP client, or FTP client.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
docs: formatting: M-x whitespace-cleanup 2011-08-19 06:00:41 +00:00			`Users do not rely on storage servers to provide confidentiality nor`
			`integrity for their data -- instead all of the data is encrypted and`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`integrity-checked by the gateway, so that the servers can neither read nor`
			`modify the contents of the files.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
docs: formatting: M-x whitespace-cleanup 2011-08-19 06:00:41 +00:00			`Users do rely on storage servers for availability. The ciphertext is`
docs/about.rst: correct the description of availability to take into account that shares may not be stored on distinct servers. 2011-10-25 13:25:50 +00:00			erasure-coded into ``N`` shares distributed across at least ``H`` distinct
			storage servers (the default value for ``N`` is 10 and for ``H`` is 7) so
			that it can be recovered from any ``K`` of these servers (the default
			value of ``K`` is 3). Therefore only the failure of ``H-K+1`` (with the
			`defaults, 5) servers can make the data unavailable.`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00
			`In the typical deployment mode each user runs her own gateway on her own`
			`machine. This way she relies on her own machine for the confidentiality and`
			`integrity of the data.`

			`An alternate deployment mode is that the gateway runs on a remote machine and`
			`the user connects to it over HTTPS or SFTP. This means that the operator of`
			`the gateway can view and modify the user's data (the user relies on the`
			`gateway for confidentiality and integrity), but the advantage is that the`
Change some instances of "filesystem" that were missed to "file store". Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2015-07-31 17:21:47 +00:00			`user can access the file store with a client that doesn't have the gateway`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`software installed, such as an Internet kiosk or cell phone.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
			`Access Control`
			`==============`

doc: about.rst: use unicode emdash, use non-embedded URIs, add clarificaiton of when a file gets its mutable-or-immutable nature embedded URIs, although documented here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#embedded-uris generate messages like this from rst2html --verbose: quickstart.rst:3: (INFO/1) Duplicate explicit target name: "the tahoe-dev mailing list". Also this patch prepends a "utf-8 BOM" to the beginning of the file. 2011-12-06 17:19:08 +00:00			`There are two kinds of files: immutable and mutable. When you upload a file`
			`to the storage grid you can choose which kind of file it will be in the`
			`grid. Immutable files can't be modified once they have been uploaded. A`
			`mutable file can be modified by someone with read-write access to it. A user`
			`can have read-write access to a mutable file or read-only access to it, or no`
			`access to it at all.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`A user who has read-write access to a mutable file or directory can give`
			`another user read-write access to that file or directory, or they can give`
			`read-only access to that file or directory. A user who has read-only access`
			`to a file or directory can give another user read-only access to it.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
docs: formatting: M-x whitespace-cleanup 2011-08-19 06:00:41 +00:00			`When linking a file or directory into a parent directory, you can use a`
docs: formatting: reflow to fill-column 77 2011-08-19 06:01:10 +00:00			`read-write link or a read-only link. If you use a read-write link, then`
			`anyone who has read-write access to the parent directory can gain read-write`
			`access to the child, and anyone who has read-only access to the parent`
			`directory can gain read-only access to the child. If you use a read-only`
			`link, then anyone who has either read-write or read-only access to the parent`
			`directory can gain read-only access to the child.`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
doc: about.rst: use unicode emdash, use non-embedded URIs, add clarificaiton of when a file gets its mutable-or-immutable nature embedded URIs, although documented here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html#embedded-uris generate messages like this from rst2html --verbose: quickstart.rst:3: (INFO/1) Duplicate explicit target name: "the tahoe-dev mailing list". Also this patch prepends a "utf-8 BOM" to the beginning of the file. 2011-12-06 17:19:08 +00:00			For more technical detail, please see the `the doc page`_ on the Wiki.

			`.. _the doc page: https://tahoe-lafs.org/trac/tahoe-lafs/wiki/Doc`
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
			`Get Started`
			`===========`

format docs for Sphinx Added indexes, fixed cross-references. Also a few pip-related cleanups I noticed along the way. 2016-03-30 07:55:21 +00:00			To use Tahoe-LAFS, please see :doc:`INSTALL`.
replace remaining .html docs with .rst docs Remove install.html (long since deprecated). Also replace some obsolete references to install.html with references to quickstart.rst. Fix some broken internal references within docs/historical/historical_known_issues.txt. Thanks to Ravi Pinjala and Patrick McDonald. refs #1227 2011-05-10 19:16:50 +00:00
			`License`
			`=======`

Rename README.txt to README.rst, and add Travis-CI and Coveralls badges to it. Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2014-09-09 17:51:44 +00:00			`Tahoe-LAFS is an open-source project; please see README.rst_ for details.`
Update copyright notices. refs #1686 2012-03-13 20:50:57 +00:00
Rename README.txt to README.rst, and add Travis-CI and Coveralls badges to it. Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2014-09-09 17:51:44 +00:00			`.. _README.rst: ../README.rst`