Explain Project>Bucket>Access Grants Passphrase to me like I'm a n00B

Would someone please explain the whole passphrase/encryption scheme to me again? Visually would be ideal, but I don’t think it exists anywhere.

Projects - Have a passphrase that does what exactly? Determines which buckets I can see?

Buckets - Have a passphrase that determines what data I can see, but how is this dependent on the Project passphrase?

Access Grants - grants to buckets have individual passphrases that determine what I can access.

I thought I had this all set up, but I’m redoing all my access, projects, buckets and what to ensure I have this figured out.


The encryption phrase used to encrypt and decrypt your objects (include prefixes - “folders”). In the object storage there is no concept of folders, only buckets and objects. The prefixes (“folder”, “path”) just a part of the object name. Some software could translate it to the virtual folders tree structure.

Access grants: Access Management - Storj DCS Docs and Access Grants - Storj DCS Docs
TL’DR: the access grant is a macaroon (bearer token) that can give you (or anyone who have it) an access to your object, it contains:

  • satellite address
  • API key
  • encryption key
  • access rights (read, write, delete, list)
  • path to the object, starting from the bucket (optional)

The main part - encryption keys are derived from your encryption phrase, so if you have your encryption phrase, you always can recreate an access grant and get an access to your objects. So, do not lose or forget it. If you lose it, nobody can decrypt your objects and you will be forced to delete them to do not waste space.

1 Like