Doolhof Vault is an S3-compatible object store with client-side cryptography. Files are encrypted on the user's machine before they reach the wire. The platform holds ciphertext; it cannot read its contents.
S3, R2, and B2 are reliable and inexpensive. None are zero-knowledge. Their privacy guarantees stop at "we don't look unless legally compelled." Doolhof Vault is a different architectural category: the platform mathematically cannot read tenant data.
Files are encrypted with XChaCha20-Poly1305 on the user's machine using a key derived from a passphrase via Argon2id. Keys never leave the client. The platform sees only ciphertext and minimal metadata.
Drop-in compatibility for existing S3 tooling — rclone, s3cmd, AWS SDK, MinIO clients. The encryption wrapper is transparent at the wire layer.
Filenames, contents, and per-object sizes are all encrypted before upload. The platform retains bucket-level capacity figures for billing — nothing more.
The CLI does not phone home. The dashboard does not track. The only data collected is bucket capacity aggregated monthly for invoicing.
Four monthly plans. No per-GB metering, no surprise egress bills, no quarterly negotiations. The smallest is free.
Region elected at bucket creation: EU (Frankfurt), Asia (Mumbai), or US (San Francisco). Data remains in the selected region. Cross-region replication available on request.
The encryption is a thin wrapper around an otherwise standard S3 workflow. Existing tooling configures with a custom endpoint and continues to work.
Ciphertext blocks (XChaCha20-Poly1305). Per-block authentication tags. Hash tree for integrity verification. Replicated across three disks in the selected region.
Passphrases. Master keys. Plaintext filenames. Plaintext contents. Access logs beyond a 7-day operational window, automatically rotated.
Data becomes permanently inaccessible. The platform cannot perform recovery because the key was never disclosed to it. Use of a password manager or hardware key is strongly recommended.
No per-GB metering, no surprise egress invoices, no negotiated quarterly contracts. The cheapest one is free. The expensive one is still cheaper than the cloud you'd build it on.
Need more than 5 TB or custom egress? Get in touch — we'll quote against your actual access pattern. Reference: AWS S3 Standard charges ~$0.023/GB-mo before egress. Doolhof Vault includes client-side encryption, zero-knowledge architecture, and known monthly cost.
The S3 API is the lingua franca of object storage. Standard tools configure with a Doolhof endpoint and continue working.
Set type=s3, provider=Other, point at the Doolhof endpoint. No further changes required.
Override endpoint_url, supply Doolhof access keys. All bucket operations work against the standard SDK.
Direct drop-in. S3-API-compatible at the bytestream layer.
Restic, duplicity, borg-via-rclone — all functional. Client-side encryption is additive to whatever the backup tool provides.
Early-access pricing during onboarding. Migration tooling provided.