Google Upspin Secure File-Sharing Released to Open Source

New file-sharing protocols and interfaces called Upspin have been released to open source. Built by Google, Upspin returns access control and data security to the user.

Google has released to open source new file-sharing interfaces and protocols it calls Upspin that allow users to securely share files using a global namespace rather than uploading and downloading content or sharing it first with a web-based service.

Upspin is largely a consumer tool, Google said, but it did not rule out an enterprise type of application.

“Upspin is not an app or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network,” wrote Google software engineers Andrew Gerrand, Eric Grosse, Rob Pike, Eduardo Pinheiro and Dave Presotto in an announcement.

Google has also positioned Upspin’s access controls and encryption as noteworthy features that could make it attractive to businesses. For example, the owner of a file within Upspin can assign different read, write, delete and other permissions to the user with whom a file is being shared.

Once a user is added to Upspin, file names will begin with their email address followed by a UNIX-like path name, such as “ann@example.com/dir/file.” If the user wishes to share the directory, they would have to add an Access file which helps them describe the rights to be ascribed to the file, such as “read: joe@here.com.”

File content is encrypted in storage and the private key is stored on the user’s client.

“Both the encryption and decryption happen on the user’s client machine, not in the network or on Upspin servers,” Google explained in the Upspin security documentation. “To share a file with a second user, that user must also be able to decrypt it. Upspin handles this automatically, using encryption techniques that allow two users to share encrypted data without disclosing their private keys to each other. The public keys of all users are registered in a central server to enable sharing even between strangers.”

Google was also clear that this was not a company product, but instead strictly an open-source project. Also, Upspin has yet to be integrated with Google’s Key Transparency Server, though it expects to eventually, the engineers said. Key Transparency, announced in January, is a directory that developers may use to for public key lookups during app development. It can be used to find public keys associated with a particular account, while providing for a public audit log of any key changes.

Upspin, should adoption reach any kind of scale, could provide a challenge to Google Drive, Dropbox and other similar services. The project aims to put control over data in a user’s hands rather than with a third-party service provider. Once photos or files are shared with a provider, the user relinquishes a measure of control over how the data is shared and secured.

“All of these problems are in principle easy to solve. If every item of interest had a unique name, and every person, server, PC or phone could evaluate that name to access the item, these problems would fall away,” Google said in the Upspin documentation. “Add to that proper end-to-end security and a coherent sharing model, and a future with uniform, secure, ubiquitous access to data becomes feasible. Download and upload, unauthorized access, siloed data, even email attachments could become relics of the past.”

Suggested articles