TeamDrive System Architecture

The TeamDrive System consists of the Scalable Server Network and the so-called TeamDrive Endpoints.

TeamDrive Endpoints include instances of the TeamDrive Agent, the TeamDrive App and the Web Portal. Collectively these are also referred to as installations of the TeamDrive Client.

The TeamDrive Scalable Server Network consists of multiple Host Servers, Registration Servers, External Authentication Services and Web Portals. The Web Portal functions as both a server and an endpoint.

Also part of the TeamDrive Network is a single instance of the TeamDrive Name Server (TDNS). For more details see TeamDrive Name Server (TDNS).

All components in the TeamDrive System are illustrated below:

[Figure: TeamDrive System Overview]

In TeamDrive, files are stored in what is referred to as a “Space”. A Space has a number of endusers or members who are also given access to the files. The files are exchanged via a “Depot” on a TeamDrive Host Server.

Each Space has its own 256-bit AES key, which is used to encrypt the files in the Space as soon as the files leave the computer of the enduser. The key is known only by the TeamDrive Client software running on the devices of the members of a Space.

TeamDrive Endpoints

An endpoint in the TeamDrive System is the point where encryption and decryption of data take place. As an end-to-end encrypted system, all data flowing through TeamDrive is encrypted, and is only decrypted when it reaches an endpoint.

All TeamDrive Endpoints are registered as “Devices” belonging to a particular TeamDrive user on a Registration Server. Each endpoint corresponds to an installation of the TeamDrive Client, either an Agent or an App on a desktop or mobile platform, or an instance of the TeamDrive Agent running on the Web Portal.

Upon installation of the TeamDrive Client the user is required to register or log in to a user account on a TeamDrive Registration Server. Once a device has been registered the user has access to the Host Server Depot (or Depots) that has been assigned to the user. Spaces can be created in the Depot and files uploaded to the TeamDrive Cloud managed by the Host Servers.

Invitations to other users to join a Space are sent securely via the Registration Server.

TeamDrive Agent

The TeamDrive Agent is a service that can be installed on a Mac, Windows or Linux host in order to synchronise data from the local file system to one or more Spaces in the TeamDrive System. In this way the TeamDrive Agent can be used as a component in an automated workflow.

The agent has a Web browser user-interface, which allows for remote access if required.

TeamDrive App

The TeamDrive App software is installed on an enduser’s desktop computer or mobile device. Upon installation the enduser must complete a registration or login process. Following installation the user may create Spaces, accept invitations to join a Space and send invitations to Spaces under the user’s control.

Data is replicated transparently between all devices connected to a Space. On a desktop computer a Space may be mapped to a folder in the local file system, or appear as a virtual directory in the file system.

On mobile devices all spaces are “virtual” which means that the files are loaded transparently on demand, and may be cached locally.

TeamDrive Web Portal (Endpoint)

The TeamDrive Web Portal provides access to the TeamDrive system via a browser-based interface. Users can log in to a Web Portal and gain access to Spaces of which they are members.

The Web Portal operates by hosting a TeamDrive Agent on behalf of the enduser. A TeamDrive Agent on the Web Portal runs in a secure sandbox provided by the Host System and may employ “local encryption” of the endpoint for additional security (see Local Encryption for details).

Scalable Server Network

TeamDrive is a distributed system consisting of multiple Registration Servers, Host Servers, Web Portals and other components such as External Authentication Services.

The TeamDrive Name Server (TDNS) is a central registration point for various services. All server components, other than Host Servers (see below), must be registered on TDNS. Other services (such as a Web Shop) that access the Registration Server API must also be registered on TDNS.

TDNS also maintains a central directory of usernames and emails of all registered TeamDrive users. All these values are stored as hashes. No user associated data is stored in plain text on TDNS. For further details on TDNS see TeamDrive Name Server (TDNS).

The TDNS directory is used to locate the Registration Server associated with a particular user. Once this is established a user can be redirected accordingly, by a Registration Server. Users are also directed to a particular Web Portal and External Authentication Service as required.

As a result, TeamDrive server components can be hosted by independent hosting partners, and also in individual customer datacenters. In this way, customers and partners can maintain complete control of their enduser data. This includes the encrypted data belonging to Spaces as well as backups, and also ensures the privacy of user registration data and statistical data, such as Space size and transfer rates.

TeamDrive Registration Server

The TeamDrive Registration Server stores information about all registered TeamDrive users. This includes the username, registration email address, a bcrypt password hash and the Public Keys of the enduser. This is the data that is essentially required for the functioning of TeamDrive.

In addition to this, the Registration Server also stores optional profile data provided by the user. This includes the user’s language, telephone numbers and a profile picture. This information is encrypted with a key which is only shared with other users via the Space data exchange mechanism. In other words, only users that belong to the same space can exchange profile data.

The email address is verified during initial installation using an activation code as described in the section: Registration.

The Registration Server provides a secure messaging service based on RSA encryption that is used between the TeamDrive Clients. The secure messaging service is used to invite other users to join a Space (see section: Joining a Space (Accepting an Invitation)).
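
How the per-Space AES key and the RSA-based invitation messaging fit together, as an added example that is not TeamDrive code. AES-256-GCM, RSA-OAEP with SHA-256, the nonce-prefixed blob layout, all function names, and the idea that the invitation message carries the Space key are assumptions; the page does not specify them.

```javascript
const crypto = require('node:crypto');

// Sending endpoint: encrypt a file under the Space key before it is uploaded.
// AES-256-GCM is an assumed mode; the page only states "256-bit AES".
function sealFile(spaceKey, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', spaceKey, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]); // what a Host Server would store
}

// Receiving endpoint: throws if the key is wrong or the stored blob was altered.
function openFile(spaceKey, blob) {
  if (blob.length < 28) throw new Error('blob shorter than nonce + tag');
  const decipher = crypto.createDecipheriv('aes-256-gcm', spaceKey, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([decipher.update(blob.subarray(12, blob.length - 16)), decipher.final()]);
}

// Inviter: wrap the Space key under the invitee's public key (RSA-OAEP/SHA-256 assumed).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
function wrapSpaceKey(inviteePublicKey, spaceKey) {
  return crypto.publicEncrypt({ key: inviteePublicKey, ...OAEP }, spaceKey);
}

// Invitee: only the device holding the private key recovers the Space key.
function unwrapSpaceKey(inviteePrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: inviteePrivateKey, ...OAEP }, wrapped);
}

// Constructed round trip: what the servers handle versus what the endpoints hold.
function demo() {
  const invitee = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spaceKey = crypto.randomBytes(32); // exists only on member endpoints
  const depotBlob = sealFile(spaceKey, Buffer.from('constructed sample file'));
  const invitation = wrapSpaceKey(invitee.publicKey, spaceKey); // relayed by the Registration Server
  const recoveredKey = unwrapSpaceKey(invitee.privateKey, invitation);
  return { depotBlob, invitation, text: openFile(recoveredKey, depotBlob).toString() };
}

console.log(demo().text);
```

In this model the Registration Server relays `invitation` and the Host Server stores `depotBlob`; neither value is readable without a key held on an endpoint.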

One of the Registration Servers is designated as the Master Registration Server. The first Provider created on the Master Registration Server (called the “Default Provider” of the Registration Server) has all privileges to manage the TeamDrive Network. This effectively means the data stored by TDNS is managed on the Admin Console of the Master Registration Server, by users with privileges at the level of the Default Provider.

TeamDrive Host Server

The Host Server is responsible for the storage and transfer of changes that occur in Spaces. Each Space is associated with a Depot on a Host Server. The storage and transfer mechanism allows clients to synchronize data, even when the other members of a Space are not concurrently online.

All files stored on a TeamDrive Host Server are encrypted with the 256-bit AES key belonging to the Space.

On installation all Host Servers must be registered on a Registration Server.

TeamDrive Web Portal (Service)

As mentioned above the Web Portal is both an endpoint and a service in the TeamDrive System. The users of one or more Providers (see Account Concept) may be directed towards a particular Web Portal. It is also possible to direct users with an email address of a registered domain name to a particular Web Portal. This way customers can ensure that their users use a designated Web Portal.

The Web Portal service also supports the “inbox” concept as it is implemented in TeamDrive. On the Account level you can create an inbox which can then be used in Spaces to receive uploaded files into specified folders from users that are not necessarily registered TeamDrive users.

External Authentication Service

TeamDrive users can be authenticated by an external service such as a corporate LDAP server or Active Directory. In addition, users registered in the Azure or Google cloud, or any service that supports an open protocol such as OAuth2, can all be authenticated by TeamDrive without the need for explicit registration. This is done using a TeamDrive External Authentication Service.

A TeamDrive External Authentication Service is usually hosted by the customer and establishes the link between the TeamDrive components and an authentication service or user registry.

Once the External Authentication Service has been set up, users registered in the external system can log in to TeamDrive using their email address and password associated with the external system.

The browser interface of the External Authentication Service can be customized to make it clear to the user where they are logging in. The user password remains private to the external system, and cannot be intercepted by any of the TeamDrive components.