I am working on https://baolib.org.
Applications on the public cloud raise strong concerns about data protection. As an architect, I spend a meaningful part of my time ensuring the security of customers’ data in the cloud.
Bao introduces an innovative approach where data remains on local devices while the cloud provides encrypted storage for synchronization and peer exchange. Because cloud providers cannot access the data, the need for due diligence is reduced.
Any feedback is welcome.
Three questions:
Why blockchain for access rights? A signed Merkle structure or a Certificate Transparency-style log would give the same guarantees without the operational complexity. What does the blockchain add here that a simpler append-only signed registry doesn't?
The threat model is unclear. If the blockchain provider controls validation, the "accessible only to end users" guarantee depends on trusting that provider. This is the oracle problem — the chain guarantees integrity of what's inside it, but not the truthfulness of what gets written in. Who runs the chain, and what happens if they're compromised or write false access rights?
Go is listed first in the bindings but the example code is Python. Is the Go binding at feature parity, or is Python the primary target?
1. Perhaps I am misusing the "blockchain" term. The access is granted with signed blocks. Each block can introduce some changes, like granting/removing access to other users, including the encryption key with an envelope. Each block links to the previous via hash. There is no consensus mechanism.
2. The vault is defined by a storage and the public keys of the creator. A client must know in advance the creator keys and he will use those keys to verify the signature. The creator then can grant admin rights to other users with specific blocks. An access grant not signed by an admin, will be rejected by a user. It is not really about data truth, because the target is more information exchange. Does it answer the question?
3. Go is the implementation language, not really a binding. I use Python in the first example because it is more compact. However the guide shows samples for all supported languages. The primary target is Go for server side and Dart for mobile. Python is effective for samples and experiments.