upspin/upspin

Features

• End-to-End Encryption - Encrypts data blocks on the client side before transmission to ensure server-side blindness.
• Block Storage - Separates the metadata layer from the actual storage of encrypted data blocks on store servers.
• File Retrieval Systems - Retrieves files by fetching directory entries and decrypting data blocks from store servers.
• Global Namespace Protocols - Assigns secure, global names to files and data across diverse storage services using a uniform naming protocol.
• Hierarchical Metadata Trees - Organizes file metadata in a directory server as a tree of entries pointing to encrypted blocks in store servers.
• Decentralized Naming Systems - Assigns every user a unique identity within a global, permissioned naming and storage system.
• Identity-Storage Decoupling - Decouples identity resolution from data storage by mapping usernames to servers via a key server.
• End-To-End Encryption Systems - Implements an end-to-end encrypted storage system where only authorized users can decrypt content.
• Hierarchical Access Controls - Manages read and write permissions through recursive directory-based rules and plain-text files.
• Permission Rule Groups - Assigns specific read, write, create, list, or delete permissions to named users or group members via access files.
• Decentralized Identity Frameworks - Registers and resolves user identities with public-key cryptography and a key server.
• Public Key Authentication - Uses public-private key pairs and a key server to authenticate users and verify identities.
• Identity Addressing - Resolves user identities by looking up public keys and directory server addresses from a central key server.
• Public Key Identity Providers - Uses a key-server architecture to map user identities to public keys and server addresses for secure peer discovery.
• Identity-Based File Access Control - Enforces file and directory access permissions using identity-based rules defined in plain-text files.
• Hierarchical Metadata Structures - Organizes file metadata in directory servers as a tree of entries pointing to encrypted blocks.
• Identity-Storage Decoupling Architectures - Separates identity resolution from data storage using a central key server to map usernames to directory and storage server addresses.
• Discovery Key Registration - Generates public-private key pairs and registers public keys with a key server to establish new user profiles.
• Local Caching Layers - Caches recently accessed directory entries and storage blocks locally to reduce network latency and server load.
• Block Caches - Implements block-level caching of storage data to accelerate repeated retrieval of encrypted blocks.
• FUSE-Based Filesystem Mounts - Exposes the remote global namespace as a local filesystem on Linux and macOS using the FUSE interface.
• FUSE Virtual Filesystems - Exposes the remote naming hierarchy as a local mount point via the FUSE kernel module.
• Link Traversal Controls - Requires an access right on a link entry before a caller can follow it to its target to enforce traversal restrictions.
• Unauthorized Response Customization - Hides directory entries or returns privacy errors when a user lacks the necessary access rights to view them.
• Wildcard - Supports wildcard permissioning to grant access rights to all authenticated users or all users within a specific domain.
• File and Folder Permissions - Implements a system for managing read and write access to directories using plain-text access files.
• Metadata Caches - Caches directory entries and storage blocks locally to accelerate repeated data access.

Star history