Tahoe-LAFS is described as "the first decentralized storage system with provider-independent security". Its name indicates that it's a "file system", but it differs from traditional file systems in ways that are important to understand before you start using it. This page tries to explain at a high level, in plain English, how Tahoe-LAFS works, and provides links that will allow you to learn about it in detail.

Before we go any further, please read the one-page summary, then come back here. As you saw on that page, Tahoe-LAFS provides a guarantee that you can store your data on servers that you don't trust, and the administrators of those servers won't be able to read your data. It does this by encrypting the data before it stores it on those servers, so that all they see is random-looking bits and they can't recover the actual content of your files. Tahoe-LAFS also guards against the failure of the storage servers by storing the same data on more than one of them. Of course, this will use more disk storage than simply storing the file once, but you can decide how you'd like to trade off extra storage for fault-tolerance.

Capabilities

Tahoe-LAFS uses encryption to guarantee that you can read your data but other people can't, even if they control one or more storage servers. To read a file you need to know how to find the encrypted bits (the "storage index") and how to decrypt them (the "encryption key"). It's a yes/no proposition: it doesn't matter who you are, what group you're in, or whether you're a "superuser". If you know these things, you'll be able to read the file; if you don't, you won't.

Tahoe-LAFS combines the location and the decryption key into a single string called a "capability", which looks something like URI:CHK:riplmjitnwh25ur3jomzyxrww4:et4gkxykswl7lstw5q4g5suf6y2xyyphvid5nn2r3ktvhytbs5da:3:10:3472. A file can have different capabilities: for example, one capability might allow you to read the file, while a different capability might allow you to read and write it.
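Because anyone who holds the capability string can read the file, it helps to know what is inside it and to keep it out of logs. The following is an added example, not code from this page or from the Tahoe-LAFS project: it parses the capability quoted above and produces a log-safe form. The field meanings (key, integrity hash, shares needed, total shares, file size) are assumptions taken from the Tahoe-LAFS immutable-file URI layout, and the names `ChkCap`, `parse_chk_cap` and `redact` are hypothetical.

```python
import base64
from dataclasses import dataclass

# Capability string quoted in the text above.
EXAMPLE = "URI:CHK:riplmjitnwh25ur3jomzyxrww4:et4gkxykswl7lstw5q4g5suf6y2xyyphvid5nn2r3ktvhytbs5da:3:10:3472"

@dataclass(frozen=True)
class ChkCap:
    key: bytes        # assumed: 16-byte symmetric encryption key
    ueb_hash: bytes   # assumed: 32-byte integrity hash for the stored file
    needed: int       # shares required to rebuild the file
    total: int        # shares produced and spread across servers
    size: int         # file size in bytes

    @property
    def expansion(self) -> float:
        # Storage cost: total stored data relative to the original file.
        return self.total / self.needed

    @property
    def tolerable_losses(self) -> int:
        # How many shares can vanish before the file is unrecoverable.
        return self.total - self.needed

def _b32(text: str, nbytes: int, what: str) -> bytes:
    # Tahoe-LAFS writes base32 in lowercase without '=' padding.
    padded = text.upper() + "=" * (-len(text) % 8)
    try:
        raw = base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{what}: not valid base32") from exc
    if len(raw) != nbytes:
        raise ValueError(f"{what}: expected {nbytes} bytes, got {len(raw)}")
    return raw

def parse_chk_cap(cap: str) -> ChkCap:
    parts = cap.strip().split(":")
    if len(parts) != 7 or parts[:2] != ["URI", "CHK"]:
        raise ValueError("not a URI:CHK capability")
    needed, total, size = (int(p) for p in parts[4:])
    if not 1 <= needed <= total or size < 0:
        raise ValueError("inconsistent share counts or size")
    return ChkCap(_b32(parts[2], 16, "key"), _b32(parts[3], 32, "hash"),
                  needed, total, size)

def redact(cap: str) -> str:
    """Log-safe form: drops the secret fields, keeps the encoding parameters."""
    c = parse_chk_cap(cap)
    return f"URI:CHK:[redacted]:[redacted]:{c.needed}:{c.total}:{c.size}"
```

For the capability above, the trailing `3:10` means any 3 of 10 shares rebuild the file, so up to 7 can be lost at a storage cost of roughly 3.3 times the file size.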

It's important to understand that a capability specifies the location of a file, but it's different from a traditional file system "path". Traditional file systems start at a well-known "root" and allow users to explore the file system from there. Because the root is well-known, you can go to it and list the files in it. You can also go "up" from any directory to its parent. Because users can explore file systems in this way, each user would be able to do anything they wanted unless there were some sort of inline permission check, so these file systems implement "Access Control List" (ACL) permission checks. These checks prevent users from doing things they can figure out how to do but are not permitted to do. In other words, I can discover a directory's existence and learn its name, but I might not be allowed to read from it.

Tahoe-LAFS, on the other hand, has no well-known "root" - each directory tree is identified by a capability and can't be discovered in any other way. This capability acts like a traditional file system directory in that users can browse down from it to see files in it and in the tree below it, but they can't browse "up" to see other directories within the same Tahoe-LAFS file system. It's as if each directory in Tahoe-LAFS is a root directory. Users cannot discover things that they're not supposed to know, so the in-line ACL checks implemented by traditional file systems are unnecessary.

It's worth taking some time to learn about the capability model: http://en.wikipedia.org/wiki/Capability-based_security

Sharing

Revoking

http://en.wikipedia.org/wiki/Capability-based_security
http://en.wikipedia.org/wiki/Access_control_list

Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.