Bring Your Own Bucket (BYOB) Storage

Complete Data Sovereignty with Your Own Storage Infrastructure


Overview

BYOB Storage enables enterprises to store documents in their own cloud storage infrastructure. Your data never leaves your control, ensuring compliance with data residency requirements and organizational security policies.


Supported Providers

Tier 1: Major Cloud Providers

| Provider | S3 Compatible | Region Support | Enterprise Features |
|---|---|---|---|
| AWS S3 | Native | 30+ regions | IAM, KMS, VPC endpoints |
| Azure Blob | Via adapter | 60+ regions | RBAC, Key Vault |
| Google Cloud Storage | Via adapter | 35+ regions | IAM, Cloud KMS |

Tier 2: S3-Compatible Providers

| Provider | Use Case | Min Storage | Pricing Model |
|---|---|---|---|
| MinIO | Self-hosted, air-gapped | No minimum | Self-managed |
| Wasabi | Cost-effective archival | 1 TB | $6.99/TB/month |
| DigitalOcean Spaces | Simplicity, CDN included | 250 GB | $5/month + usage |
| Backblaze B2 | Archival, low egress costs | No minimum | $6/TB/month |
| Cloudflare R2 | Zero egress fees | No minimum | $0.015/GB/month |

Configuration

AWS S3

PUT /api/v1/admin/storage/byob
Content-Type: application/json
Authorization: Bearer YOUR_ADMIN_TOKEN

{
  "provider": "aws_s3",
  "config": {
    "bucket_name": "your-archivus-bucket",
    "region": "us-east-1",
    "access_key_id": "AKIA...",
    "secret_access_key": "...",
    "server_side_encryption": "aws:kms",
    "kms_key_id": "arn:aws:kms:us-east-1:123456789:key/..."
  }
}

AWS IAM Policy (Minimum Required):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-archivus-bucket",
        "arn:aws:s3:::your-archivus-bucket/*"
      ]
    }
  ]
}
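
When the request above sets server_side_encryption to aws:kms with a customer-managed kms_key_id, S3 also requires the caller to be allowed kms:GenerateDataKey (uploads) and kms:Decrypt (downloads) on that key, either in IAM or in the key policy. The following is an added example, not Archivus code: it derives an identity policy from a BYOB config, scoping s3:ListBucket to the bucket ARN and the object actions to its keys. The name build_iam_policy is hypothetical, and it assumes Archivus needs no S3 actions beyond the four listed above.

```python
import json

OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

def build_iam_policy(config):
    """Derive an identity policy from a BYOB "config" object (hypothetical helper)."""
    bucket = config["bucket_name"]
    statements = [
        {   # Bucket-level action: applies to the bucket ARN only.
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}"],
        },
        {   # Object-level actions: apply to keys inside the bucket only.
            "Sid": "ObjectReadWriteDelete",
            "Effect": "Allow",
            "Action": OBJECT_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        },
    ]
    if config.get("server_side_encryption") == "aws:kms":
        key_arn = config.get("kms_key_id", "")
        if not key_arn.startswith("arn:aws:kms:"):
            raise ValueError("an IAM Resource needs the full KMS key ARN")
        statements.append({
            # SSE-KMS: the caller must be allowed to use the key for uploads and downloads.
            "Sid": "UseBucketKmsKey",
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": [key_arn],  # the one configured key, never "*"
        })
    return {"Version": "2012-10-17", "Statement": statements}

# Values copied from the AWS S3 request on this page; credentials are not needed here.
PAGE_CONFIG = {
    "bucket_name": "your-archivus-bucket",
    "region": "us-east-1",
    "server_side_encryption": "aws:kms",
    "kms_key_id": "arn:aws:kms:us-east-1:123456789:key/...",
}

if __name__ == "__main__":
    print(json.dumps(build_iam_policy(PAGE_CONFIG), indent=2))
```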

MinIO (Self-Hosted)

PUT /api/v1/admin/storage/byob
{
  "provider": "minio",
  "config": {
    "endpoint": "https://minio.internal.yourcompany.com",
    "bucket_name": "archivus-documents",
    "access_key_id": "...",
    "secret_access_key": "...",
    "use_ssl": true
  }
}

Wasabi

PUT /api/v1/admin/storage/byob
{
  "provider": "wasabi",
  "config": {
    "bucket_name": "your-archivus-bucket",
    "region": "us-east-1",
    "access_key_id": "...",
    "secret_access_key": "..."
  }
}

DigitalOcean Spaces

PUT /api/v1/admin/storage/byob
{
  "provider": "digitalocean",
  "config": {
    "endpoint": "https://nyc3.digitaloceanspaces.com",
    "bucket_name": "your-space-name",
    "region": "nyc3",
    "access_key_id": "...",
    "secret_access_key": "..."
  }
}

Backblaze B2

PUT /api/v1/admin/storage/byob
{
  "provider": "backblaze",
  "config": {
    "endpoint": "https://s3.us-west-002.backblazeb2.com",
    "bucket_name": "your-bucket",
    "region": "us-west-002",
    "access_key_id": "...",
    "secret_access_key": "..."
  }
}

Cloudflare R2

PUT /api/v1/admin/storage/byob
{
  "provider": "cloudflare_r2",
  "config": {
    "endpoint": "https://ACCOUNT_ID.r2.cloudflarestorage.com",
    "bucket_name": "your-bucket",
    "access_key_id": "...",
    "secret_access_key": "..."
  }
}

Security

Credential Encryption

All credentials are encrypted using AES-256-GCM before storage:

  • Encryption at rest with rotating keys
  • Credentials never logged or exposed in API responses
  • Separate encryption per tenant

Network Security

Recommended Configuration:

  1. VPC Endpoints (AWS) - Keep traffic on AWS backbone
  2. Private Link (Azure) - Private connectivity
  3. IP Allowlisting - Restrict access to Archivus IPs
  4. Bucket Policies - Enforce HTTPS-only access

Example Bucket Policy (HTTPS Only):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonHTTPS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket",
        "arn:aws:s3:::your-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
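
A policy only enforces HTTPS if the deny covers every principal, every S3 action, and both the bucket and object ARNs. The following is an added example, not Archivus or AWS tooling: a conservative check that reports which ARNs are left without such a deny, run against the policy above and two constructed weak variants. The name https_only_gaps is hypothetical.

```python
import copy

def _as_list(value):
    # IAM JSON accepts a bare string wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def https_only_gaps(policy, bucket):
    """Return the bucket ARNs NOT covered by a deny-on-plaintext statement.
    Empty list means HTTPS is enforced. Conservative: only exact ARNs and
    the actions "s3:*" or "*" are accepted as full coverage."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        flag = cond.get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") != "Deny":
            continue  # Allow-if-HTTPS does not block HTTP granted elsewhere
        if [str(v).lower() for v in _as_list(flag)] != ["false"]:
            continue
        if len(cond) != 1 or len(cond["Bool"]) != 1:
            continue  # extra condition keys narrow the deny
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # the deny must apply to every caller
        if not {"s3:*", "*"} & set(_as_list(stmt.get("Action", []))):
            continue
        covered |= set(_as_list(stmt.get("Resource", [])))
    return sorted(needed - covered)

# The HTTPS-only policy from this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonHTTPS", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
# Constructed weak variants for comparison.
OBJECTS_ONLY = copy.deepcopy(PAGE_POLICY)
OBJECTS_ONLY["Statement"][0]["Resource"] = ["arn:aws:s3:::your-bucket/*"]
ALLOW_IF_HTTPS = copy.deepcopy(PAGE_POLICY)
ALLOW_IF_HTTPS["Statement"][0].update(
    Effect="Allow", Condition={"Bool": {"aws:SecureTransport": "true"}})

if __name__ == "__main__":
    for name in ("PAGE_POLICY", "OBJECTS_ONLY", "ALLOW_IF_HTTPS"):
        print(name, https_only_gaps(globals()[name], "your-bucket"))
```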

Migration

From Shared Storage to BYOB

Zero-downtime migration process:

# Step 1: Configure BYOB destination
POST /api/v1/admin/storage/migration
{
  "source": "shared",
  "destination": "byob",
  "byob_config": { /* your BYOB config */ }
}

# Step 2: Monitor progress
GET /api/v1/admin/storage/migration/status

# Step 3: Complete migration
POST /api/v1/admin/storage/migration/complete

Migration Process:

  1. Validation - Verify BYOB credentials and permissions
  2. Shadow Mode - New uploads go to both locations
  3. Backfill - Existing documents copied to BYOB
  4. Verification - Integrity checks on all documents
  5. Cutover - Switch reads to BYOB
  6. Cleanup - Remove from shared storage (optional)

Migration Monitoring

GET /api/v1/admin/storage/migration/status

Response:
{
  "status": "in_progress",
  "phase": "backfill",
  "progress": {
    "total_documents": 15000,
    "migrated": 8500,
    "failed": 0,
    "percent_complete": 56.7
  },
  "estimated_completion": "2026-01-18T15:30:00Z"
}

Storage Architecture

Document Organization

your-bucket/
├── tenant_{tenant_id}/
│   ├── documents/
│   │   ├── {year}/
│   │   │   ├── {month}/
│   │   │   │   ├── {document_id}.{ext}
│   │   │   │   └── {document_id}_thumb.png
│   ├── analytics/
│   │   └── parquet/
│   │       └── {table}_{date}.parquet
│   └── exports/
│       └── {export_id}.zip

Metadata Storage

Document metadata remains in the Archivus database:

  • File references point to BYOB locations
  • Search indexes maintained by Archivus
  • AI embeddings stored separately (configurable)

Tier Availability

| Storage Option | Team | Enterprise |
|---|---|---|
| Shared Storage | Default | Available |
| Dedicated Bucket | Available | Available |
| BYOB Storage | 6 providers | 6 providers + custom |
| Multi-Region Replication | - | Available |
| Custom Encryption Keys | - | Available |

API Reference

Storage Admin Endpoints

| Endpoint | Method | Description |
|---|---|---|
| /admin/storage/config | GET | Current storage configuration |
| /admin/storage/byob | PUT | Configure BYOB storage |
| /admin/storage/byob/validate | POST | Test BYOB credentials |
| /admin/storage/migration | POST | Start migration |
| /admin/storage/migration/status | GET | Migration progress |
| /admin/storage/migration/complete | POST | Complete migration |

Troubleshooting

Connection Issues

# Test connectivity
POST /api/v1/admin/storage/byob/validate
{
  "provider": "aws_s3",
  "config": { /* your config */ }
}

Common Issues:

| Error | Cause | Solution |
|---|---|---|
| AccessDenied | IAM permissions | Check bucket policy and IAM role |
| NoSuchBucket | Bucket doesn’t exist | Create bucket first |
| InvalidAccessKeyId | Wrong credentials | Verify access key |
| SignatureDoesNotMatch | Wrong secret key | Verify secret key |
| ConnectionTimeout | Network issue | Check VPC/firewall settings |

