One binary. Every feature.
VaultS3 bundles the capabilities you'd assemble from several tools, or pay an enterprise license for, into a single self-hosted server.
S3 API & compatibility
SigV4 authentication
Full AWS Signature V4 support, including streaming (aws-chunked) uploads. A drop-in for the AWS SDKs, aws-cli, rclone, and boto3.
Multipart & presigned URLs
Large-file multipart uploads, presigned GET/PUT for credential-free sharing, and CopyObject.
Versioning & WORM
Per-bucket versioning with delete markers, plus object-lock / retention for compliance.
Lifecycle, CORS & policies
Expiration & transition rules, CORS configuration, bucket policies, and object tagging.
S3 Select (SQL)
Run SQL SELECT queries directly against CSV, JSON, and Parquet objects, so you fetch only the rows and columns you need instead of whole files.
Security & encryption
Server-side encryption
Transparent AES-256-GCM encryption at rest with a configurable master key.
Per-bucket keys
Each bucket can hold its own key, with rotation and crypto-shredding, for true multi-tenant isolation.
SSE-C
Customer-provided keys: the server encrypts and decrypts with your key and stores only the key's MD5 digest, never the key itself.
IAM, OIDC & audit
Users, groups, and S3-compatible policies; OIDC SSO login (Google, Keycloak, Auth0) with role mapping; a tamper-aware audit trail and access logs.
Hardened & audited
60+ hardening fixes across multiple dedicated security passes: AES-256-GCM, SigV4 validation, presigned-URL isolation, path-traversal and SSRF guards, upload size caps, rate limiting, and CSP headers.
Durability & scale
Erasure coding
Reed-Solomon sharding across disks with a background healer that auto-reconstructs degraded objects.
Raft clustering (Beta)
Strongly-consistent metadata via HashiCorp Raft with a consistent-hash placement ring and automatic failover.
Scales to millions of objects
Metadata-indexed listing and per-bucket counters keep the dashboard and S3 API fast at scale.
Tiering & backup
Transparent hot/cold tiering to local or remote storage, plus scheduled full / incremental backups.
Small-file packing (Beta)
Pack many tiny objects into large append-only volumes with background compaction, avoiding per-file overhead when you store millions of small files.
Beyond storage
Semantic / vector search
Embed text objects via any OpenAI-compatible endpoint and run similarity + RAG queries. No separate vector DB.
Active-active replication
Bidirectional replication with vector clocks and pluggable conflict resolution, plus one-way push.
Event notifications & Lambda
Webhooks, Kafka, NATS, Redis, AMQP, PostgreSQL, and Elasticsearch, with per-bucket prefix/suffix filtering, plus object-triggered function execution and virus scanning.
Compression
Transparent zstd compression on write that skips already-compressed formats.
Full-text search
Index and search object text content, not just key names, from the dashboard with sortable, paginated results.
Workflow & migration
Migrate from MinIO
Point the dashboard wizard at any S3 source, pick buckets, and import with live progress: streamed, auto-retried, and cancellable. Preserves original dates, metadata, bucket policies, and tags.
Bucket snapshots & rollback
Git-for-buckets: commit a bucket's state, diff it against live, and roll back in one click. It even resurrects deleted objects. lakeFS-style versioning in a single binary.
Cost estimator
See what your data would cost on S3, GCS, R2, B2, or Wasabi (storage plus egress) right from the dashboard. Self-hosting is egress-free.
Auto-update
Opt-in daily release check with a dashboard banner, plus checksum-verified self-update. Your object data is never touched.
Operate it anywhere
Single binary
No external database or dependencies, just one static binary for Linux, macOS, and Windows (amd64 + arm64).
Docker & Kubernetes
An 80 MB image, a production Helm chart, a CRD-driven Kubernetes operator, and a Prometheus metrics endpoint.
Built-in dashboard
A complete management UI served from the same binary, optionally on its own port.
FUSE mount
Mount a bucket as a local filesystem for tools that expect files instead of an API.
Spin it up in 30 seconds
One binary or one container. No license key, no account, no telemetry. Just object storage that works.