Security¶
TruSpace implements multiple layers of security.
Security Architecture¶
flowchart TB
subgraph Transport["Transport Security"]
TLS[TLS/HTTPS]
IPFS_ENC[IPFS Encrypted Channels]
end
subgraph Auth["Authentication"]
JWT[JWT Tokens]
BCRYPT[Bcrypt Passwords]
end
subgraph Storage["Storage Security"]
DOC_ENC[Document Encryption]
PRIV_NET[Private IPFS Network]
end
subgraph Access["Access Control"]
WORKSPACE[Workspace Permissions]
MEMBER[Member Roles]
endAuthentication¶
Password Storage¶
- Passwords hashed with bcrypt
- Unique salt per password
- Cost factor of 12 rounds
Session Management¶
- JWT tokens for API authentication
- Configurable expiration
- Secure token storage
Encryption¶
Document Encryption¶
Documents are encrypted before IPFS storage:
- Algorithm: AES-256-CBC
- Key derivation: Workspace ID based
- Decryption: Only through TruSpace API
Network Encryption¶
- All IPFS peer connections are encrypted
- Support for private IPFS networks via swarm keys
Private Network¶
For sensitive deployments, use private IPFS:
Access Control¶
Workspace Levels¶
| Role | View | Edit | Delete | Admin |
|---|---|---|---|---|
| Viewer | ✓ | ✗ | ✗ | ✗ |
| Editor | ✓ | ✓ | ✗ | ✗ |
| Admin | ✓ | ✓ | ✓ | ✓ |
Best Practices¶
- Change default secrets in production
- Use private IPFS networks for sensitive data
- Enable HTTPS via reverse proxy
- Regular backups of SQLite database
- Keep software updated