Ente is a photo storage service that employs client-side encryption to secure your data.
A few weeks ago we shipped a feature that lets you share links to your albums, which can be viewed by family and friends who are not on Ente.
These links work on both mobile and desktop, and the shared contents remain end-to-end encrypted.
What follows is an overview of this system's design.
When your client requests to create a link for an album, our server generates a
unique random string and stores it against that album as its accessToken. This
accessToken is used from there on to authenticate requests from a
receiver to access this album along with the files in it.
Each of your files is encrypted with its own key. These file keys are then stored on our servers after being encrypted with the parent album's key.
This key, which can be used to decrypt the contents of the album and, indirectly,
the files within it, is referred to as the albumKey.
More documentation about our envelope encryption is available here: ente.io/architecture/#file-encryption
When a client requests to create a shareable link, our server generates an
accessToken for the album and returns it to the client.
The client then puts together this accessToken with a string
representation of the
albumKey, forming a URL that contains all the
information necessary to access and decrypt the contents of the album.
The resulting URL would look like: albums.ente.io/?t=<accessToken>#<albumKey>
Note: To ensure that the album remains end-to-end encrypted, the
albumKey is appended to the URL fragment (the part that follows the
#). Browsers treat the fragment as client-side only information and never send it with the request, so our servers see the accessToken but not the key. The flip side is that anyone who obtains the full URL can decrypt the album, so the link itself should be shared as carefully as the photos in it.
The server exposes a differential fetching API that returns the details of files that have been added, updated or removed since a given timestamp.
The client fetches and caches this response, so that even large albums stay responsive.
The encrypted fields within this response (like the album name and the file keys)
are decrypted using the
albumKey present in the URL fragment. The decrypted
file keys are then used to decrypt the individual file and thumbnail blobs.
These decrypted blobs are finally rendered in a responsive gallery that reuses
components from our web client.
We deliberated for longer than we would like to admit on our abuse mitigation strategies. For now,
- Only paid customers can share links to their albums.
- An album can be viewed on at most 50 devices (apart from the one linked below).
- People who have access to an album can report the content for abuse here.
We will listen to customer feedback and iterate on these.
Thank you for reading this far!
Here are some photos we took at our team outing last year: albums.ente.io/?t=CsuRcc4k#4mXoniwdpWxnLQ9cFXWPJxy93YEh7wttNf9emc7ucmEZ