Next: Authenticating servers
Up: The Design and Implementation
Previous: Self-certifying File System
TCFS relies on a very simple architecture.
Data is stored in encrypted form on the server filesystem.
Each time an application running on a client has to read data,
the client kernel requests the appropriate block of data from the server.
The server ships the block to the client still in encrypted form, and
the client kernel decrypts the block before passing it to the application.
A write operation proceeds in the same way. Suppose a client application
wishes to write data to the filesystem. The application passes the data
to the client kernel, which encrypts it and passes it to the server.
The server, upon receiving the data from the client over the network,
stores it on its filesystem exactly as received.
This architecture has several advantages:
- Minimal trust model.
The TCFS architecture does not rely on either the server or the network
being trusted: the server only ever sees encrypted data, and data travels
over the network only in encrypted form.
As we will see when we discuss the implementation details,
the client can detect any unauthorized modification of the data.
Of course, since clients can access data only through the server,
TCFS cannot prevent the server from erasing the data or from
denying access to clients: confidentiality is protected and tampering
is detected, but availability is not guaranteed.
All encryption and decryption is performed by the
client on which the application is running.
Thus the application and the user have to trust the
client kernel used to access the filesystem.
This is not a serious limitation when users
employ personal workstations to access their files.
- Low system administration impact.
TCFS imposes no additional duties on the system administrator
of the server. Filesystem maintenance operations on the server
need no knowledge of TCFS. In fact, the system administrator
might not even be aware that the local filesystem is actually a TCFS filesystem.
- Low impact on client applications.
TCFS was designed to minimize the impact on applications.
Client applications access files on a TCFS filesystem through the
usual system calls, so they need not be rewritten or
recompiled to work with TCFS, and they need not deal
with key management.
- Low impact on the user.
Apart from key management, TCFS has little or no
impact on the end user. She can still access her files with
the same applications and remain entirely unaware that the files she is
accessing are stored on a remote server in encrypted form.
TCFS gives users and applications a degree of
transparency similar to NFS. Nonetheless, for users who need finer
control over the encryption policy, TCFS provides the ability to choose
which files are encrypted and which are not.
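The read/write path described above and the trust model it yields (a server that stores only ciphertext and holds no key, a client kernel that does all the cryptography, tampering detected by the client, erasure and denial of access not prevented) can be modelled end to end. The following Python is an added example written for this page, not TCFS code: a keyed HMAC-SHA256 keystream with encrypt-then-MAC stands in for the real block cipher and authentication tag, and the class names, the path, the block numbers, the block contents and the user key are all constructed for the example. It assumes a single symmetric key is already present on the client; how it gets there is the key-management problem the text sets aside.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # fresh random nonce per write, so rewriting a block never reuses keystream
TAG_LEN = 32     # HMAC-SHA256 authentication tag


class IntegrityError(Exception):
    """Raised by the client when a block fails authentication."""


class UntrustedServer:
    """Server role: stores opaque byte strings. It holds no key and never sees plaintext."""

    def __init__(self):
        self.store = {}  # (path, block_no) -> nonce || ciphertext || tag

    def write_block(self, path, block_no, blob):
        self.store[(path, block_no)] = blob

    def read_block(self, path, block_no):
        return self.store.get((path, block_no))

    # Actions available to a hostile or compromised server.
    def tamper(self, path, block_no, offset):
        blob = bytearray(self.store[(path, block_no)])
        blob[offset] ^= 0x01
        self.store[(path, block_no)] = bytes(blob)

    def swap(self, path, a, b):
        s = self.store
        s[(path, a)], s[(path, b)] = s[(path, b)], s[(path, a)]

    def erase(self, path, block_no):
        del self.store[(path, block_no)]


class TCFSClient:
    """Client-kernel role: every encryption, decryption and check happens here."""

    def __init__(self, server, user_key):
        self.server = server
        # Separate encryption and MAC keys derived from the user's key (example construction).
        self.enc_key = hmac.new(user_key, b"example-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(user_key, b"example-mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # CTR-style keystream from HMAC-SHA256; stands in for TCFS's block cipher.
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _tag(self, path, block_no, nonce, ct):
        # The tag binds the ciphertext to its path and block number, so a valid block
        # that the server moves or copies to another position fails verification.
        aad = path.encode() + b"\0" + block_no.to_bytes(8, "big")
        return hmac.new(self.mac_key, aad + nonce + ct, hashlib.sha256).digest()

    def write(self, path, block_no, plaintext):
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        self.server.write_block(path, block_no, nonce + ct + self._tag(path, block_no, nonce, ct))

    def read(self, path, block_no):
        blob = self.server.read_block(path, block_no)
        if blob is None:
            # Erasure or refusal: the client notices, but cannot get the data back.
            raise FileNotFoundError(f"{path}#{block_no} not served")
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise IntegrityError(f"{path}#{block_no} truncated")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(path, block_no, nonce, ct)):
            raise IntegrityError(f"{path}#{block_no} failed authentication")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def _fails(client, path, block_no):
    try:
        client.read(path, block_no)
        return False
    except IntegrityError:
        return True


def demo():
    """Walk the trust model and return what the client detected. All inputs are constructed."""
    server = UntrustedServer()
    client = TCFSClient(server, os.urandom(32))
    path = "/home/alice/notes"
    blocks = [b"block 0: meeting at noon", b"block 1: budget figures", b"block 2: draft"]
    for i, data in enumerate(blocks):
        client.write(path, i, data)

    r = {}
    r["round_trip"] = all(client.read(path, i) == d for i, d in enumerate(blocks))
    r["server_sees_plaintext"] = any(b"meeting" in blob for blob in server.store.values())
    server.swap(path, 1, 2)              # server reorders two valid blocks
    r["swap_detected"] = _fails(client, path, 1)
    server.tamper(path, 0, NONCE_LEN)    # server flips one ciphertext byte
    r["tamper_detected"] = _fails(client, path, 0)
    server.erase(path, 0)                # server erases the block: detected, not prevented
    try:
        client.read(path, 0)
        r["erase_outcome"] = "served"
    except FileNotFoundError:
        r["erase_outcome"] = "denied"
    return r
```

Two choices in this example go beyond what the text states and are the example's own: the tag covers the path and block number, which stops the server from substituting one authentic block for another, and each write draws a fresh nonce, which avoids keystream reuse when a block is rewritten in place. A client holding a different user key gets an IntegrityError rather than garbage, which is also why the server, holding no key at all, learns nothing from the blobs it stores.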
The TCFS Team
2001-04-27