Kraterion
Try Kraterion →
S3Object storage

S3 you
actually own.

Same SDKs you already use — boto3, aws-cli, rclone. This is the foundation the runtime sits on: your files, knowledge bases, run records, and memory all live here, sealed before upload and recorded against your account. Not a customer promise. A property of the system.

Try Kraterion →Quickstart
SealedAuditedPortable
https://s3.kraterion.com/assets-prod
Bucket · assets-prod4 files · 138 MB
  • photo-final-v3.jpg2.1 MBSealed
  • dataset-2026-05.parquet118 MBSealed
  • report-q1.pdf482 KBSealed
  • logo-v2.svg24 KBSealed
Just now · aws-cli
recorded
$aws s3 cp ./photo.jpg s3://assets-prod/
upload: ./photo.jpg → photo.jpg
audit record · 9c4a8b21f0e7…
Owneryou@acme-co
At restSealed
Trail6 events
Yours
By construction
Every object recorded against your account
Sealed
Before upload
Encryption is the default, not a setting
Verifiable
End-to-end
Every action has a tamper-evident record
Portable
Anytime
Standard S3 clients on the way in and out
01What's different

Storage that's yours,
in and out.

Most storage products promise ownership in a marketing line. Kraterion makes it a property of the system — enforced by structure, not by trust.

01

You own the bytes.

Every object is recorded against your account, not ours. Cancel the service tomorrow — the files don't disappear. Keep them funded directly, or pull them out via any S3 client. We're a service, not a custodian.

02

Portable, both ways.

No proprietary import, no proprietary export. Point any S3 client in; pull every byte out at ~9× lower egress than AWS. Leaving costs nothing beyond standard egress — no exit tax, no migration window.

Every object is also encrypted before upload, with access you can revoke and a tamper-evident record of every action. See the security model.

02Audit trail

Every action leaves a record.

Storage activity, access changes, knowledge runs, agent invocations — they all write to the same append-only log. Each row has a uniquely-IDed digest you can verify independently, without trusting us.

Audit · bucket assets-prodlast 24 hours
  • 14:02:11UPLOAD
    photo-final-v3.jpgby you@acme-co.com · 2.1 MB · sealed
    9c4a8b21f0e7c2…
  • 13:58:22ISSUE
    share token · kr_share_test_92ac…scope support-docs · origin docs.acme-co.com
    4f1ab3a0e7c2f9…
  • 13:55:07REVOKE
    share token · kr_share_test_1a8b…access policy updated · enforced at t+0
    fa0012a4e7c2f1…
VerifiableIndependently
Append-onlyNo mutations
VisibilityBy you · by anyone you choose
03Under the surface

Same S3 surface.
Different spine.

Your S3 client hits a single gateway endpoint. Behind it, three concerns run in parallel — the encryption envelope, the storage layer, and the ownership + audit record — without you wiring any of them.

Request lifecycle · S3 PUT objectSigV4 · HTTPS · multipart
01YOUR SIDE02KRATERION GATEWAY03STORAGE SPINES3 clientSigV4boto3 · aws-cli · rclone · JS SDKendpoint_url = "s3.kraterion.com"s3.put_object(Bucket="assets-prod",Key="photo.jpg",Body=fp,)GatewayS3-compatible · NestJS + FastifySigV4 authMultipartStreams11 ops · 0 rewrites · TLS 1.3ENCRYPTIONSealed on your device.Envelope encryption · keys split across independent serversSTORAGECiphertext only, at rest.Erasure-coded across nodes · plain HTTPS readIDENTITY & AUDITYou own the object.Revocation stops decryption · digests are verifiablePUT objectSigV4 · TLS 1.3
STORAGE

Files stay yours.

Cancel anytime — your bytes don't move. Any S3 client can pull them.

ENCRYPTION

Keys stay yours.

Revoke and decryption stops. Enforced by structure, not policy.

IDENTITY & AUDIT

Every artifact has a receipt.

Tamper-evident manifest digests you can verify against the chain.

Encrypted with Seal · stored on Walrus · owned on Sui — the three open primitives behind the single endpoint.

Bridge

Same SDKs you already use.
Just change the endpoint.

04Drop-in

Point a client at us.

One environment variable. The S3 commands you already write — PUT, GET, LIST, presigned URLs — work without modification.

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://s3.kraterion.com",
    aws_access_key_id="...",
    aws_secret_access_key="...",
)
s3.upload_file("photo.jpg", "my-bucket", "photo.jpg")
05Move in. Leave the same way.

No proprietary import.
No proprietary export.

Repoint your client and write new objects against the new endpoint, or run a one-shot sync from your old bucket. Leaving works exactly the same way — reverse the endpoint flags, pull every byte out via standard tools. No exit tax, no migration window.

rclone sync s3://old-bucket kraterion:my-bucket --progress
Drop in

Point a client at us.
See for yourself.

One environment variable changes. Everything else stays the same.

Try Kraterion →Read the docs
v 0.1 · testnetAll systems normal
Quickstart
Five lines to a sealed bucket.
Security model
Sealing, revocation, audit trail — in depth.
Pricing
Cheap egress, real free band, no tier surprises.