Use cheap S3-compatible storage without giving the provider your data.

DeltaGlider encrypts every object with AES-256-GCM before it reaches the bucket. Your encryption key lives in your runtime; the storage provider — Hetzner, Wasabi, Cloudflare, an offshore mirror — sees ciphertext only.

Built by Beshu Tech — 10 senior engineers, since 2017. Same team behind ReadonlyREST (Elasticsearch security) and Anaphora (dashboard-to-PDF reporting), in production at:

How the encryption works

AES-256-GCM, per-object IV, applied after delta compression
Four modes, set per backend: none, aes256-gcm-proxy, sse-kms, sse-s3. No SSE-C.
In proxy-AES mode the key is supplied per backend — env var or ${env:...} reference — and stripped from config exports. The backend (S3, Hetzner, Wasabi, etc.) sees ciphertext only.
Key rotation is per backend, not in-place: the old key stays as a decrypt-only shim while a background re-encrypt job rewrites historical objects, then you delete it. Writes to a bucket being re-encrypted get 503 until the job finishes; reads pass.
Every S3 operation lands in the structured stdout log. There is no per-decrypt audit event in proxy-AES mode — the key never leaves the process, so there's nothing to log it against. If you need "who decrypted what, when," use sse-kms and read CloudTrail.

How key custody stays in your runtime

Proxy runs in YOUR VPC / on YOUR Kubernetes / on YOUR bare metal
In proxy-AES mode, the encryption key never leaves the proxy process
Backend credentials never leave the proxy process
No phone-home, no telemetry, no SaaS dependency
Source code is GPL-3.0 — your security team can read every line

What we don't claim

"SOC 2 compliant" — DeltaGlider produces audit logs you can ship into a SOC-2-attested SIEM. The proxy itself is software, not a compliance regime.
"FIPS 140-3 validated" — we use the RustCrypto aes-gcm crate for AES-256-GCM. If you need FIPS, ship the FIPS-validated crypto layer underneath us.
"GDPR-compliant" — DeltaGlider supports right-to-be-forgotten propagation via replication-delete and lifecycle expiration. The compliance regime is your problem; the technical primitives are ours.

How a regulated buyer evaluates DeltaGlider

Week 1. Code review. The proxy is open source (GPL-3.0). The encryption module is in src/storage/encrypting.rs. The IAM model is in src/iam/. The admin API surface is in src/api/admin/. Your security team's questions: contact@beshu.tech.

Week 2. Dev-environment deployment. Point a test bucket at the proxy. Run your existing security automation against it (key rotation, audit log validation, IdP integration smoke).

Week 3. Small production pilot on one non-critical bucket.

Week 4. Full deployment plan with Beshu engineering support — via the 30-day production support trial.

Talk to sales

Buying for a regulated environment? Talk to us about a commercial license and production support. Both are tailored to your jurisdiction, audit posture, and procurement workflow.

Email contact@beshu.tech Start with the 30-day trial