Self-certifying File System


In computing, Self-certifying File System is a global and decentralized, distributed file system for Unix-like operating systems, while also providing transparent encryption of communications as well as authentication. It aims to be the universal distributed file system by providing uniform access to any available server, however, the usefulness of SFS is limited by the low deployment of SFS clients. It was developed in the June 2000 doctoral thesis of David Mazières.

Implementation

The SFS client daemon implements the Sun's Network File System protocol for communicating with the operating system, and thus can work on any operating system that supports NFS, including Windows. The client manages connections to remote file systems as necessary, acting as a kind of protocol translation layer. The SFS server works similarly to other distributed file system servers, by exposing an existing disk file system over the network, over the specific SFS protocol. On Unix-like systems, SFS file systems can usually be found at /sfs/hostname:hostID. When an SFS file system is first accessed through this path, a connection to the server is made and the directory is created.

Differences

The primary motivation behind the file system is to address the shortcomings of, administratively configured distributed file systems in larger organizations, and various remote file transfer protocols. It is designed to operate securely between separate administrative realms. For example, with SFS, one could store all their files on a single remote server, and access the same files securely and transparently from any location as if they were stored locally, without any special privileges or administrative cooperation. Available file systems will be found at the same path regardless of physical location, and are implicitly authenticated by their path names — as they include the public-key fingerprint of the server.
In addition to the new perspective, SFS also addresses some commonly raised limitations of other distributed file systems. For example, NFS and SMB clients have to rely on the server for file system security policies, and NFS servers have to rely on the client computer for authentication. This often complicates security, as one compromised computer could breach the security of the entire organization. The NFS and SMB protocols also do not by themselves provide confidentiality or tamper resistance from other computers on the network, without encapsulation layers such as IPsec.
Unlike Coda and AFS, SFS does not provide local caching of remote files and thus is more dependent on network reliability, latency and bandwidth.