Osage Cloud
Storage
At rest: encrypted, verifiable.
Forms
- Object — S3-compatible API; MinIO, Garage, or partner S3 region. Used for blobs, snapshots, Litestream replication target.
- Block — persistent volumes for compute; Ceph, Longhorn, or cloud-provider equivalent.
- File — shared filesystems for compute clusters; NFS, CephFS.
- Archive — cold storage for long-tail audit and ledger data; tape or object-cold-tier.
Encryption at rest
All storage tiers encrypt at rest under the canonical CEK envelope — Osage KMS root, per‑org KEK, per‑file CEK, AES‑256‑GCM with AAD‑bound nonces. Spec: osage.tech/docs/storage.
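For object storage, the AAD binds the ciphertext to (bucket, key, object_version, org_id). Stolen ciphertext cannot be replayed against a different bucket / key / org, because GCM authentication fails when any bound field differs from the one used at encryption time.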
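The AAD binding described above, as an added Go example (not Osage's own code): it seals an object under AES-256-GCM with the four context fields as AAD, and decryption fails if any field differs. Assumptions: the type and function names are hypothetical, the length-prefixed AAD encoding is one possible choice (the page does not specify it), and the nonce is a random 12-byte value stored in front of the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// ObjectContext holds the four fields the page says the AAD binds to.
type ObjectContext struct{ Bucket, Key, Version, OrgID string }

// AAD length-prefixes each field so ("ab","c") and ("a","bc") differ.
// The encoding is an assumption; the page does not specify one.
func (c ObjectContext) AAD() (out []byte) {
	for _, f := range []string{c.Bucket, c.Key, c.Version, c.OrgID} {
		out = binary.BigEndian.AppendUint32(out, uint32(len(f)))
		out = append(out, f...)
	}
	return out
}

// NewAEAD builds AES-GCM; a 32-byte per-file CEK selects AES-256.
func NewAEAD(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag under a fresh random nonce.
func Seal(g cipher.AEAD, pt []byte, c ObjectContext) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, c.AAD()), nil
}

// Open checks the tag over ciphertext and c.AAD(); a changed field fails.
func Open(g cipher.AEAD, sealed []byte, c ObjectContext) ([]byte, error) {
	n := g.NonceSize()
	if len(sealed) < n+g.Overhead() {
		return nil, errors.New("sealed object too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], c.AAD())
}
```

The caller must pass the context it derived from the request path and tenant, never one read back from the stored object, otherwise the binding checks nothing.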
SQLite replication
Litestream streams the WAL of every SQLite database to object storage for point-in-time recovery; libSQL / LiteFS replicates to geographically distributed read replicas. The restore runbook is documented and tested quarterly.
Erasure & lifecycle
- Crypto‑shredding via KMS KEK revocation — one API call renders an org’s entire dataset unreadable.
- Object-lifecycle rules for ledger / audit retention windows.
- Legal hold and right-to-erasure flows for GDPR / CCPA jurisdictions.