What are the app ID and the app secret and what is their use?¶
When you create a new app in your dashboard, you get an app ID and an app secret.
The app ID is used client-side to configure FileKit to use your app. It is a unique, randomly generated identifier.
The app secret is used on your servers to create Tanker identities. It contains a private signature key allowing FileKit to validate that the end-user corresponding to a given Tanker identity was authenticated and authorized by your server.
How are files encrypted?¶
Each end-user has an asymmetric user key, which is generated and stored on their browser. The public user keys are stored on Tanker's servers.
When upload() is called, a new symmetric key, called the file key, is generated. The file contents are encrypted using this key. The encrypted file is then uploaded to a cloud storage.
The file key is then asymmetrically encrypted using the author's and the recipients' public user keys. The encrypted file key is also stored on Tanker's servers.
When a recipient calls download(), they get the encrypted file from the cloud storage, and the encrypted resource key from Tanker's server. Using the private user key stored in their browser, they decrypt the file key. This file key is in turn used to decrypt the file.
If you want more detail about Tanker's protocol, you can read the technical specification of Core on GitHub.
What are Tanker identities and what is their use?¶
Tanker identities are similar to authentication tokens, and are used to identify your app users. They are signed, allowing FileKit to validate that the user was authenticated and authorized by your server.
Identities also contain some sensitive information, necessary for FileKit's proper functioning. They should only be distributed to authenticated users.
Is there a master key?¶
No. Files encrypted by an end-user can only be decrypted by themselves and the intended recipients.
Does Tanker have access to encryption keys?¶
No. Tanker servers only see encrypted keys and public keys.
Does Tanker have access to my data?¶
Again, no. Tanker does not have any access to encryption keys, thus Tanker can never access any data.
What is test mode?¶
Test mode is an option that can be toggled when creating a new app. Enabling test mode will save the app secret on Tanker's servers.
Tanker can then use the app secret to generate Tanker identities with Tanker's fake authentication.
Why shouldn't test mode be used in production?¶
When test mode is enabled, Tanker could technically perform a split-view attack on your end-users, forcing them to share files with unintended recipients.
While this attack is very difficult to pull off and requires a deep understanding of Tanker's infrastructure, we recommend that you create a new app, with test mode disabled, for use in production.
What is Tanker's fake authentication?¶
Tanker's fake authentication is a quality-of-life feature for development. It mimics a typical user-management system, creating and storing Tanker identities in your stead, using your app secret.
This allows for quicker testing and development, as you don't have to integrate Tanker identities in your user-management code immediately.
Why shouldn't Tanker's fake authentication be used in production?¶
Tanker's fake authentication handles users instead of your server. This means that Tanker has full control over the generated identities, and could use them to access encrypted data.
For the solution to be secure, the user identities must be handled on your own servers.
What encryption algorithms are used?¶
To have all the details about Tanker's protocol, you can read the technical specification of Core.