3 copies, 3 clouds

January 07, 2023
manav@ente.io

Ente stores 3 copies of your encrypted data, spread across 3 different cloud providers. One of these copies is also placed under an immutable compliance lock and cannot be deleted by anyone except you. Indeed, Ente is the safe home for your memories.

We're happy to present to you a document describing these and other details of our redundancy strategy. This joins our end-to-end encryption architecture document, and together they outline how we keep your data both safe and private.

History

Somewhat coincidentally, this is version 3 of our replication algorithm, so it is three threes ☘️ Let's walk you through the evolution of these:

  • Replication v1: We'd started with a hot storage and a cold backup (even in the earliest days it was still multi-cloud to mitigate denial of service issues). But it didn't take long for us to rediscover the common adage in the data storage world -- one hot storage is not enough :) Cold storage has recovery lead times that are too long to be of use if we need to switch providers quickly.

  • Replication v2: We made our replication code more generic, and switched to 2 hot storages + 1 cold storage. This served us well, but over time we discovered two problems: (a) there was a potential for data deletion in case of credential breaches, and (b) the way we'd implemented our replication code was serial and hard to parallelize.

  • Replication v3: The v3 of our replication algorithm, deployed a while back, solved both these problems - there's now an Ulysses pact to prevent the first one, and the code was rearchitected to be arbitrarily scalable to fix the second one. And for full transparency, the specifics of what we're doing and where the data is stored are now publicly documented.

At this point, we feel confident in saying that we have a 3x better system than the one we started with, and 3x 💪 than other services. Other E2EE services either have not documented what they're doing, or if they have, are usually just relying on a single on-prem or cloud.

Motivation

When we'd first made the shift from being self-hosted to providing a service, we realized that self-hosting focuses on just the code and ignores the entirely different set of infrastructure problems that come with ensuring that data remains safe and backed up.

We didn't give up though, and kept chipping away 🧑‍💻, solving potential concerns one by one. And all this hard work over the years has paid off: Today, we feel strong and confident in our safety.

Our encryption has stood the test of time: 2 years and going strong, zero issues found in our cryptography. Our replication ensures we're protected against all the reasonable threats (and even some unreasonable ones like nuclear war); in fact we sometimes wonder if we've gone too far to the other extreme and have provided too much redundancy, since redundancy comes at the cost of increased prices. To top it off, we have already had one private external audit of our services, and have now signed a contract with a very well known European security firm for a public external audit this spring.

We rest on solid ground. Our work is not done; there is much to improve in the product, but we now sleep sound knowing that we have all the foundations in place to ensure that data on Ente is safe, private and redundantly stored.


If you use Ente, please help spread the word - there are many people out there who don't know that a solid, secure, end-to-end encrypted alternative to big tech already exists!