Skip to content
Snippets Groups Projects
Normal view Permalink
configuration.rst 2.75 KiB
Newer Older
Jean-Paul Calderone's avatar
actually write the docs  
Jean-Paul Calderone committed
1 2 
Configuration
=============
Jean-Paul Calderone's avatar
most of the way to storing unblinded tokens and generating pass later
Jean-Paul Calderone committed
3
Jean-Paul Calderone's avatar
actually write the docs  
Jean-Paul Calderone committed
4 5 
Client
------
Jean-Paul Calderone's avatar
most of the way to storing unblinded tokens and generating pass later
Jean-Paul Calderone committed
6
Jean-Paul Calderone's avatar
actually write the docs  
Jean-Paul Calderone committed
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 
To enable the plugin at all, add its name to the list of storage plugins in the Tahoe-LAFS configuration
(``tahoe.cfg`` in the relevant node directory)::

  [client]
  storage.plugins = privatestorageio-zkapauthz-v1

Then configure the plugin as desired in the ``storageclient.plugins.privatestorageio-zkapauthz-v1`` section.

redeemer
~~~~~~~~

This item configures the voucher redeemer the client will use to redeem vouchers submitted to it.
The ``dummy`` value is useful for testing purposes only.

For example::

  [storageclient.plugins.privatestorageio-zkapauthz-v1]
  redeemer = dummy

A value of ``ristretto`` causes the client to speak Ristretto-flavored PrivacyPass to an issuer server.
In this case, the ``ristretto-issuer-root-url`` item is also required.

For example::

  [storageclient.plugins.privatestorageio-zkapauthz-v1]
  redeemer = ristretto
Jean-Paul Calderone's avatar
Use an invalid domain name for documentation  
Jean-Paul Calderone committed
33 
  ristretto-issuer-root-url = https://issuer.example.invalid/
Jean-Paul Calderone's avatar
actually write the docs  
Jean-Paul Calderone committed
34 35 36 37 

Note that ``ristretto-issuer-root-url`` must agree with whichever storage servers the client will be configured to interact with.
If the values are not the same, the client will decline to use the storage servers.
Jean-Paul Calderone's avatar
notes on configuration  
Jean-Paul Calderone committed
38 39 40 41 42 43 44 
The client can also be configured with the value of a single pass::

    [storageclient.plugins.privatestorageio-zkapauthz-v1]
    pass-value = 1048576

The value given here must agree with the value servers use in their configuration or the storage service will be unusable.
Jean-Paul Calderone's avatar
actually write the docs  
Jean-Paul Calderone committed
45 46 47 48 49 50 51 52 53 54 55 56 
Server
------

To enable the plugin at all, add its name to the list of storage plugins in the Tahoe-LAFS configuration
(``tahoe.cfg`` in the relevant node directory)::

  [storage]
  plugins = privatestorageio-zkapauthz-v1

Then also configure the Ristretto-flavored PrivacyPass issuer the server will announce to clients::

  [storageserver.plugins.privatestorageio-zkapauthz-v1]
Jean-Paul Calderone's avatar
Use an invalid domain name for documentation  
Jean-Paul Calderone committed
57 
  ristretto-issuer-root-url = https://issuer.example.invalid/
Jean-Paul Calderone's avatar
First step towards required server-side ZKAP validation  
Jean-Paul Calderone committed
58
Jean-Paul Calderone's avatar
notes on configuration  
Jean-Paul Calderone committed
59 60 61 62 63 64 65 66 
The value of a single pass in the system can be configured here as well::

  [storageserver.plugins.privatestorageio-zkapauthz-v1]
  pass-value = 1048576

If no ``pass-value`` is given then a default will be used.
The value given here must agree with the value clients use in their configuration or the storage service will be unusable.
Jean-Paul Calderone's avatar
First step towards required server-side ZKAP validation  
Jean-Paul Calderone committed
67 68 69 70 71 72 73 74 
The storage server must also be configured with the path to the Ristretto-flavored PrivacyPass signing key.
To avoid placing secret material in tahoe.cfg,
this configuration is done using a path::

  [storageserver.plugins.privatestorageio-zkapauthz-v1]
  ristretto-signing-key-path = /path/to/signing.key

The signing key is the keystone secret to the entire system and must be managed with extreme care to prevent unintended disclosure.
Jean-Paul Calderone's avatar
Uh I'll be minimally speculative here  
Jean-Paul Calderone committed
75 
If things go well a future version of ZKAPAuthorizer will remove the requirement that the signing key be distributed to storage servers.