Storj DCS—Private and Secure Storage for Developers

May 13, 2021

Storj DCS (Decentralized Cloud Storage) is the world’s first enterprise-grade, decentralized cloud storage service. Through decentralization, Storj DCS can not only deliver better economics but, more importantly, deliver a greater level of durability, privacy, and security than is possible in a centralized system.

Privacy and security are obviously critical to any cloud data storage platform. At first blush, it might seem that storing your data in a single, robust data center with armed guards and an army of administrators would be more secure than storing pieces of your data across a vast global network of storage devices run by a diverse set of entities. Certainly, there are a unique set of challenges in working in an environment where you must assume that every Storage Node could be compromised or run by an untrustworthy entity. However, by building a system to systematically address those challenges, where the code to address those challenges is open, the net result is an environment that is inherently more secure and private, in much the same way that the internet itself (predicated on a vast global network of routers and bridges run by a diverse set of entities) is inherently more reliable and performant than the centralized communications networks of the past.

Whenever data is stored unencrypted in a centralized location, it can be compromised. 

Storj DCS is designed to be a zero-knowledge, trustless, fully encrypted system in which no individual, device, or entity can be a source of failure—including Storj itself.

The implementation of intelligent technologies like AES-256-GCM encryption, delegated authorization, masked metadata, built into the Storj DCS platform are just part of ensuring all data remains secure and private in a trustless environment. 

The privacy and security behind Storj DCS.

Encryption by default - By default, all data uploaded to Storj is split into 64 MB segments which are encrypted and then broken up into erasure-coded pieces that are distributed worldwide. In a typical deployment, each encrypted segment is broken into 80 erasure-coded pieces, of which any 30 are required to reconstitute the file. Each of the 80 pieces is distributed to a different Storage Node worldwide. Each segment has different encryption keys. Each path is encrypted separately using keys derived from the root encryption key, and the content and metadata are encrypted separately. Users control the automatically generated encryption key, making it simple and secure. In the most secure mode, data is end-to-end encrypted with keys that never leave the client, although we also offer a highly secure server-side encryption option for people who use our Gateway MT product.

Delegated authorization - Storj DCS pushes access management to the client and uses macaroon-based API keys for an added layer of security. This reduces the risk of data loss or extortion; users have key-based ownership of their object data, and they can delegate access as needed. Pushing access management to the edge eliminates the need for access control lists, increasing your privacy. 

Easy-to-use developer tools - Managing your data shouldn’t be a difficult task, and we don’t want users to have to choose between security and ease of use. We implemented intuitive tools to manage both encryption and file sharing. All security information is automatically combined in an “access” security envelope—API and encryption keys are passed automatically via different routes. With Storj DCS, developers gain unprecedented control to maintain privacy while securely sharing data. 

Access management at the edge delivers differentiated value.

Significantly reduced risk from common attacks - Common attacks like ransomware, misconfigured access control lists, leaky buckets, insider threats, honeypots, man-in-the-middle attacks, etc., depend on breaching a central repository of access controls, compromising a credential, or gaining access to a treasure trove of data. The Storj DCS security model eliminates whole categories of typical application attack vectors.

Reduced or eliminated typical threat surfaces - By separating trust boundaries and distributing access management and storage functions, a significant percentage of the typical application threat surfaces are eliminated or made orders of magnitude more complex to attack.

Enhanced data privacy - With access managed peer-to-peer, the platform can separate responsibilities for creating bearer tokens for access management from encryption to use the data. Separation of these concerns enables decoupling storage, access management, and use of data, ensuring greater privacy with greater transparency.

Delegated authorization to the edge - Authorization delegation is decentralized and managed at the edge but derived based on a common, transparent trust framework. This means all access tokens generated at the edge can be efficiently interpreted centrally but without access to the underlying encrypted data—this maximizes privacy and security at scale.

No added cost for security features - Other cloud storage providers have a separate product and associated cost for many security features—for instance, the AWS Detective Solution. Even with the additional cost, the security capabilities don’t match up to the power and control of Storj DCS. Best of all, these security features are included out-of-the-box at no additional cost. 

Private from Storj as well - As indicated above, we’ve designed a system that doesn’t require you to place your trust in any outside entity, including Storj itself. By design, we don’t have the ability to read your data. By design, we don’t have the ability to mine or sell your data or metadata. Even in your interactions with our site, we’ve made commitments around cookies, analytics tools, etc. to maximize privacy. These are detailed in our Privacy Policy and Disclosures Documents.

Ready to see how the decentralized cloud can improve privacy and security for you?

Our team compiled a detailed overview of the privacy and security benefits Storj DCS can deliver. To learn more about our path-based encryption model, our use of Macaroon-based API keys, and many of the underlying technologies that make Storj DCS so private and secure, check out our overview about A New Standard for Data Security. We are open source so that anyone can see and validate the inner workings of the system. Of course, we encourage anyone who is interested to get started with Storj DCS for free, with one of the most generous free tiers in the industry, and with prices 1/5 to 1/10 less the cost of large public clouds services, once you move past the free tier.

Share this blog post

Build on the distributed cloud.

Get S3-compatible object storage with better security, performance and cost.

Start for free
Storj dashboard