Enterprise-grade S3-compatible object storage written in Rust. Built for performance, security, and multi-cluster replication.
Go beyond basic S3 compatibility. These advanced capabilities set Hafiz apart from MinIO, Ceph, and even AWS S3 itself.
Blockchain-style hash chain for every operation. Each entry cryptographically links to the previous — detect tampering instantly with chain verification.
SHA-256 content-addressable storage with automatic reference counting. Identical files across any bucket share a single copy — save up to 90% storage.
Automatic zstd compression on write, transparent decompression on read. Skips already-compressed formats like images, video, and archives.
Generate time-limited access tokens for any bucket — no S3 credentials needed. Set read/write/list permissions, expiration, and download limits.
Auto-generate thumbnails, strip EXIF metadata, and convert image formats on upload. Async processing — zero impact on upload latency.
Subscribe to object changes via Server-Sent Events. Get instant notifications for creates and deletes — per-bucket or global channels.
Mount any bucket over standard mount -t nfs4 — no client install, works from Linux, macOS, Windows, and ESXi. Built on Sun RPC + XDR, not a reverse proxy. MinIO and Ceph don't ship this.
hafiz-mount s3://bucket /mnt --rw and write with vim, cp, rm like any local disk. Range-reads on open, single-PUT flush on close, sparse writes fill correctly — no full-object downloads.
Filter events by prefix, suffix, size, or metadata before they fan out to webhooks — with per-target retry, exponential back-off, and a dead-letter queue. Configure once, route to any downstream.
The SQL engine infers CSV / JSON column types before executing the query, so WHERE age > '20' returns the right rows instead of string-ordering "100" before "20". No other S3 implementation does this.
Every inter-node /cluster/* call is wrapped in an HMAC-SHA256 envelope with ±300s freshness and constant-time signature compare. Drop a rogue node on the same network and the cluster quietly rejects it.
Objects migrate STANDARD → STANDARD_IA → GLACIER based on last access time, with per-bucket thresholds. Zero-config cold-data savings without a separate lifecycle engine.
| Feature | Hafiz | AWS S3 | MinIO |
|---|---|---|---|
| S3 API Compatible | ✓ | ✓ | ✓ |
| Object Lock (WORM) | ✓ | ✓ | ✓ |
| S3 Select (SQL on Objects) | ✓ | ✓ | ✗ |
| Erasure Coding | ✓ | ✓ | ✓ |
| Immutable Audit Log (Blockchain) | ✓ | ✗ | ✗ |
| Data Deduplication | ✓ | ✗ | ✗ |
| Object Compression (zstd) | ✓ | ✗ | ✗ |
| Temporary Bucket Sharing | ✓ | ✗ | ✗ |
| Object Transform Pipeline | ✓ | ✗ | ✗ |
| Real-Time Change Stream (SSE) | ✓ | ✗ | ✗ |
| Air-Gap Offline Sync | ✓ | ✗ | ✗ |
| LDAP / Active Directory | ✓ | ✗ | ✓ |
| Written in Rust | ✓ | ✗ | ✗ |
| Open Source (Self-Hosted) | ✓ | ✗ | ✓ |
Rock-solid S3 compatibility with the security and reliability your organization demands.
Built in Rust with async I/O for maximum throughput. Handle millions of objects with minimal latency.
AES-256-GCM encryption, Object Lock (WORM), LDAP integration, and comprehensive audit logging.
90+ S3 API endpoints. Works seamlessly with AWS CLI, SDKs, and existing S3 tools.
Real-time replication across data centers with bidirectional or unidirectional sync modes.
Offline data transfer for classified networks. USB/tape export-import with checksum verification.
Object versioning with delete markers, lifecycle policies, and automatic expiration rules.
Prometheus metrics, Grafana dashboards, health endpoints, and comprehensive request tracing.
Run SQL queries directly on CSV and JSON objects. Filter and extract data server-side without downloading.
Reed-Solomon data protection distributes shards across nodes. Survive failures and reconstruct from partial data.
Axum-based HTTP layer with 90+ endpoints
AWS Signature V4 & LDAP authentication
Filesystem & S3 proxy backends
SQLx with PostgreSQL & SQLite
AES-256-GCM encryption engine
Built as a multi-crate Rust workspace for maintainability and performance. Each component is designed to be efficient, testable, and secure.
Get Hafiz running with Docker in under a minute. Compatible with all S3 tools and SDKs out of the box.
View Quick Start Guide# Clone and build git clone https://github.com/shellnoq/hafiz.git cd hafiz docker build -t hafiz:local . # Run Hafiz docker run -d \ --name hafiz \ -p 9000:9000 \ -v hafiz-data:/data \ -e HAFIZ_ROOT_ACCESS_KEY=hafizadmin \ -e HAFIZ_ROOT_SECRET_KEY=hafizadmin \ hafiz:local # Test with AWS CLI aws --endpoint-url https://hafiz.local:9000 s3 mb s3://my-bucket aws --endpoint-url https://hafiz.local:9000 s3 cp file.txt s3://my-bucket/
Secure offline data transfer for classified networks, disaster recovery sites, and environments without network connectivity.
Transfer data to physically isolated networks without any network connectivity. Perfect for military, government, healthcare, and critical infrastructure.
Deploy Hafiz today and take control of your object storage with enterprise-grade security and performance.