Library modules
Users’ files - where are they?
Whenever a user wants to store or read a file at some location, be it the inbox or his private space, the following happens:
- The system resolves the user's profile location
- The profile is read from some storage (it is typically cached, in which case the cache is accessed directly)
- Based on the profile content, the root folder where data should be read or written is deduced
- If the data is going to the private space, the request path is encrypted
- The root path is prepended to the request path
- Encryption/decryption of the data happens
- The credentials required to access the storage are added (BucketAccessService)
- The data stream with its path is sent to the storage adapter
- Optionally, the storage adapter determines from the protocol which storage service to use
- The storage adapter stores the data
This diagram shows the path resolution flow for the private space in more detail. It is mostly the same for private and inbox files; the only difference is that private files additionally have their relative path (relative to the private space location) encrypted.
Storing private files
Private files are always encrypted using the user's secret symmetric key. Their path is encrypted too, but in a special way: a/b/c is encrypted as encrypted(a)/encrypted(b)/encrypted(c), so that folder traversal operations are efficient.
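Why encrypting each path segment separately keeps folder traversal efficient, as an added example (not code from the library this page documents): a folder listing becomes a plain prefix match on the stored keys. The key, the root folder, all function names, and the HMAC-based deterministic cipher are assumptions made for illustration; the cipher is a standard-library stand-in, not the library's own path cipher.

```python
import base64
import hashlib
import hmac

# Constructed values: stand-ins for the user's secret key and the profile's root folder.
KEY = hashlib.sha256(b"constructed demo key").digest()
ROOT = "users/alice/private/"

def _prf(label: bytes, data: bytes) -> bytes:
    # Keyed PRF; the label separates the "synthetic IV" use from the "keystream" use.
    return hmac.new(KEY, label + data, hashlib.sha256).digest()

def _stream(iv: bytes, n: int) -> bytes:
    # Keystream of n bytes derived from the IV (PRF in counter mode).
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(b"enc", iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def encrypt_segment(name: str) -> str:
    pt = name.encode()
    iv = _prf(b"siv", pt)[:16]  # IV depends only on key and name, so output is deterministic
    ct = bytes(a ^ b for a, b in zip(pt, _stream(iv, len(pt))))
    # URL-safe base64 never contains "/", so a segment stays a single path segment.
    return base64.urlsafe_b64encode(iv + ct).decode().rstrip("=")

def decrypt_segment(token: str) -> str:
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    iv, ct = raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _stream(iv, len(ct))))
    if not hmac.compare_digest(iv, _prf(b"siv", pt)[:16]):
        raise ValueError("path segment failed authentication")
    return pt.decode()

def encrypt_path(path: str) -> str:
    # a/b/c -> encrypted(a)/encrypted(b)/encrypted(c)
    return "/".join(encrypt_segment(s) for s in path.split("/"))

def resolve(path: str) -> str:
    # The root path is prepended to the encrypted request path.
    return ROOT + encrypt_path(path)

def list_folder(storage_keys, folder: str):
    # The encrypted folder path is itself a key prefix: no need to decrypt every key.
    prefix = resolve(folder) + "/"
    children = {k[len(prefix):].split("/")[0] for k in storage_keys if k.startswith(prefix)}
    return sorted(decrypt_segment(c) for c in children)
```

In this sketch equal segment names map to equal ciphertext segments, so the folder layout and repeated names remain visible to whoever can list the storage, even though the names themselves are not.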
Writing files to privatespace
Reading files from privatespace
Sharing files with another user
Shared files are protected using asymmetric cryptography: the sender encrypts the file with the recipient's public key, and only the recipient can read it using his private key. Paths are kept unencrypted for the inbox.