Context
Ente is a photo storage service, that employs client-side encryption to secure your data.
A few weeks ago we shipped a feature to share links to your albums, that can be viewed by family and friends who are not on Ente.
These links are accessible on mobile and desktop both, end-to-end encrypted.
What follows is an overview of this system's design.
Key Terms
Access Token
When your client requests to create a link for an album, our server generates a
unique string and stores it against that album as its accessToken
.
This accessToken
is used from there on to authenticate requests from a
receiver to access this album along with the files in it.
Album Key
Each of your files are encrypted with their own keys. These keys are then stored on our servers after being encrypted with the parent album's key.
This key, that can be used to decrypt the contents of the album and indirectly
the files within it, is referred to as the albumKey
.
More documentation about our envelope encryption is available here: ente.io/architecture/#file-encryption
Flows
Sharing
When a client requests to create a shareable link, our server generates an
accessToken
for the album and returns it to the client.
The client then puts together this accessToken
and base58
encoded
representation of the albumKey
, forming a URL that contains all the
information necessary to access and decrypt the contents of the album.
The resulting URL would look like:
https://albums.ente.io/{accessToken}#{albumKey}
.
Note: To ensure that the album remains end-to-end encrypted, the
albumKey
is appended to the URL fragment (the part that follows the#
). URL fragments are a client side only information that is never relayed to servers.
Receiving
The server exposes a differential fetching API that returns the details of files that have been added/updated/removed since a specific timestamp.
The client fetches and caches this response, to ensure a good user experience for large albums.
The encrypted fields within this response (like the album name and file keys)
can be decrypted using the albumKey
present in the URL fragment. The decrypted
file keys are then used to decrypt the individual file and thumbnail blobs.
These decrypted blobs are finally rendered in a responsive gallery reusing
components from our web
client.
Abuse Mitigation
We deliberated for more time than we would like to admit on our abuse mitigation strategies. For now,
- Only paid customers can share links to their albums.
- Albums can be viewed at most on 50 devices (apart from the one linked below).
- People who have access to an album can report the content for abuse here.
We will listen to customer feedback and iterate on these.
Closing Notes
This was the most upvoted feature on our roadmap and we are happy to have shipped this. There are more improvements planned, that have been discussed in the launch post.
Thank you for reading this far!
Here are some photos we clicked at our team outing the last year: albums.ente.io/?t=CsuRcc4k#4mXoniwdpWxnLQ9cFXWPJxy93YEh7wttNf9emc7ucmEZ