Doolhof Labs · Vault

Encrypted before it leaves you. Decrypted only by you.

Doolhof Vault is an S3-compatible object store with client-side cryptography. Files are encrypted on the user's machine before they reach the wire. The platform holds ciphertext; it cannot read its contents.

Storage that can't read your data

S3, R2, and B2 are reliable and inexpensive. None are zero-knowledge. Their privacy guarantees stop at "we don't look unless legally compelled." Doolhof Vault is a different architectural category: the platform mathematically cannot read tenant data.

Client-side encryption

Files are encrypted with XChaCha20-Poly1305 on the user's machine using a key derived from a passphrase via Argon2id. Keys never leave the client. The platform sees only ciphertext and minimal metadata.

S3-compatible API

Drop-in compatibility for existing S3 tooling — rclone, s3cmd, AWS SDK, MinIO clients. The encryption wrapper is transparent at the wire layer.

Zero-knowledge architecture

Filenames, contents, and per-object sizes are all encrypted before upload. The platform retains bucket-level capacity figures for billing — nothing more.

No telemetry

The CLI does not phone home. The dashboard does not track. The only data collected is bucket capacity aggregated monthly for invoicing.

Flat pricing

Four monthly plans. No per-GB metering, no surprise egress bills, no quarterly negotiations. The smallest is free.

Regional placement

Region elected at bucket creation: EU (Frankfurt), Asia (Mumbai), or US (San Francisco). Data remains in the selected region. Cross-region replication available on request.

If you've used S3, you've used Vault

The encryption is a thin wrapper around an otherwise standard S3 workflow. Existing tooling configures with a custom endpoint and continues to work.

# Install the CLI — single binary, no dependencies
$ curl -sL https://doolhof.tech/install | sh

# Initialize a bucket — passphrase stays on the client
$ doolhof init my-bucket --region eu-fra
$ Enter passphrase: ********

# Upload — encryption happens locally before bytes hit the wire
$ doolhof put my-bucket model.safetensors ./checkpoints/run-42/
uploaded 14.2 GB · encrypted client-side · ciphertext 14.21 GB

# Or use rclone with the compatibility layer
$ rclone copy ~/data doolhof:my-bucket/data --transfers 8

What is stored

Ciphertext blocks (XChaCha20-Poly1305). Per-block authentication tags. Hash tree for integrity verification. Replicated across three disks in the selected region.

What is not stored

Passphrases. Master keys. Plaintext filenames. Plaintext contents. Access logs beyond a 7-day operational window, automatically rotated.

If the passphrase is lost

Data becomes permanently inaccessible. The platform cannot perform recovery because the key was never disclosed to it. Use of a password manager or hardware key is strongly recommended.

Four plans. Flat monthly bill.

No per-GB metering, no surprise egress invoices, no negotiated quarterly contracts. The cheapest one is free. The expensive one is still cheaper than the cloud you'd build it on.

Free
$0/month
For evaluation, small projects, and "I just want to try it."
  • 2 GB encrypted storage
  • Single region
  • S3-compatible API access
  • Egress: 4 GB / month
  • Community support
Sign up
Personal
$9/month
For individual developers, researchers, and indie practitioners.
  • 50 GB encrypted storage
  • Any region (EU · Asia · US)
  • S3-compatible API access
  • Egress: 100 GB / month
  • Email support
Sign up
Team
$99/month
For organizations sharing a pool. Training-data archives, media pipelines, scientific datasets.
  • 5 TB encrypted storage (shared pool)
  • Up to 25 keys per organization
  • Encrypted audit log + restoration SLA
  • Egress: 10 TB / month
  • Direct line to operations
Sign up

Need more than 5 TB or custom egress? Get in touch — we'll quote against your actual access pattern. Reference: AWS S3 Standard charges ~$0.023/GB-mo before egress. Doolhof Vault includes client-side encryption, zero-knowledge architecture, and known monthly cost.

Works with existing tools

The S3 API is the lingua franca of object storage. Standard tools configure with a Doolhof endpoint and continue working.

rclone

Set type=s3, provider=Other, point at the Doolhof endpoint. No further changes required.

AWS SDK · boto3

Override endpoint_url, supply Doolhof access keys. All bucket operations work against the standard SDK.

MinIO clients

Direct drop-in. S3-API-compatible at the bytestream layer.

Backup tooling

Restic, duplicity, borg-via-rclone — all functional. Client-side encryption is additive to whatever the backup tool provides.

Storage that holds bytes, not trust

Early-access pricing during onboarding. Migration tooling provided.