Infrastructure

RustFS Sovereign Storage

Post-quantum secure object storage with S3-compatible API

RustFS is Tasmanian Cloud's sovereign object storage solution, providing S3-compatible storage with post-quantum cryptography and zero-egress pricing for Australian traffic.

Overview

RustFS delivers:

  • S3-Compatible API: Drop-in replacement for AWS S3
  • Post-Quantum Security: Kyber-768 and Dilithium-3 encryption
  • Zero Egress Fees: No charges for AU-based data transfer
  • 100% Tasmanian: Data never leaves Australian jurisdiction
  • Immutable Backups: WORM-compliant storage options
flowchart TB
    subgraph "RustFS Architecture"
        CLIENT[Client Applications]
        
        subgraph "Access Layer"
            S3API[S3-Compatible API]
            ADMIN[Admin API]
        end
        
        subgraph "Security Layer"
            PQ[Post-Quantum Crypto
            Kyber-768 + Dilithium-3]
            ENC[Client-Side Encryption]
        end
        
        subgraph "Storage Layer"
            NODE1[RustFS Node 1]
            NODE2[RustFS Node 2]
            NODE3[RustFS Node 3]
        end
        
        subgraph "Backend"
            CEPH[Ceph Cluster]
            ZFS[ZFS Pools]
        end
    end
    
    CLIENT --> S3API
    S3API --> PQ
    PQ --> ENC
    ENC --> NODE1
    ENC --> NODE2
    ENC --> NODE3
    NODE1 --> CEPH
    NODE2 --> CEPH
    NODE3 --> CEPH

Features

S3-Compatible API

Full compatibility with AWS S3 API:

FeatureStatusNotes
Buckets✅ FullCreate, list, delete
Objects✅ FullPUT, GET, DELETE, HEAD
Multipart Upload✅ FullLarge file support
Versioning✅ FullObject versioning
ACLs✅ FullAccess control lists
Lifecycle✅ FullObject lifecycle policies
CORS✅ FullCross-origin requests
Events🔄 PartialWebhook notifications

Post-Quantum Cryptography

flowchart LR
    subgraph "Encryption Flow"
        DATA[Plaintext Data] --> CLIENT[Client-Side Encryption]
        CLIENT --> KYBER[Kyber-768 KEM
        Key Encapsulation]
        KYBER --> DILITHIUM[Dilithium-3
        Digital Signatures]
        DILITHIUM --> AES[AES-256-GCM
        Data Encryption]
        AES --> STORAGE[Encrypted Storage]
    end

Cryptographic Primitives:

ComponentAlgorithmSecurity Level
Key EncapsulationKyber-768NIST Level 3
Digital SignaturesDilithium-3NIST Level 3
Symmetric EncryptionAES-256-GCM256-bit
Hash FunctionSHA3-256256-bit

Storage Tiers

TierDurabilityAvailabilityUse CasePrice
Hot99.999999999%99.99%Active data, websites$0.05/GB/mo
Warm99.999999999%99.9%Backups, archives$0.03/GB/mo
Cold99.99999999%99.5%Long-term retention$0.01/GB/mo
Glacier99.9999999%On-demandCompliance archives$0.005/GB/mo

Deployment

Prerequisites

  • Proxmox VE 8.0+
  • Ceph cluster (for backend storage)
  • Minimum 3 nodes for HA
  • 10Gbps network recommended

Installation

Step 1: Create VMs

# Create RustFS node VMs on Proxmox
for i in 1 2 3; do
  qm create 910$i \
    --name rustfs-node-$i \
    --memory 16384 \
    --cores 8 \
    --cpu host \
    --net0 virtio,bridge=vmbr30 \
    --scsihw virtio-scsi-single \
    --scsi0 local-zfs:500,format=raw \
    --ostype l26 \
    --agent enabled=1
done

Step 2: Install RustFS

# On each RustFS node
apt update && apt install -y rustfs

# Configure RustFS
cat > /etc/rustfs/config.toml << 'EOF'
[server]
bind = "0.0.0.0:9000"
admin_bind = "127.0.0.1:9001"

[storage]
backend = "ceph"
ceph_config = "/etc/ceph/ceph.conf"
ceph_pool = "rustfs-data"

[security]
enable_pq_crypto = true
pq_algorithm = "kyber768_dilithium3"
client_encryption = true

[s3]
enabled = true
region = "tasmania-1"
EOF

# Start RustFS
systemctl enable rustfs
systemctl start rustfs

Step 3: Configure Ceph Backend

# Create Ceph pool for RustFS
ceph osd pool create rustfs-data 128 128
ceph osd pool application enable rustfs-data rustfs

# Set pool properties
ceph osd pool set rustfs-data size 3
ceph osd pool set rustfs-data min_size 2

Step 4: Cluster Configuration

# On node 1 - Initialize cluster
rustfs cluster init --node-id 1 --bind 10.0.30.11:9000

# On nodes 2 and 3 - Join cluster
rustfs cluster join --node-id $i --bind 10.0.30.1$i:9000 --seed 10.0.30.11:9000

Usage

AWS CLI Configuration

# Configure AWS CLI for RustFS
aws configure set aws_access_key_id YOUR_ACCESS_KEY
aws configure set aws_secret_access_key YOUR_SECRET_KEY
aws configure set region tasmania-1

# Create alias for RustFS endpoint
alias rustfs-s3='aws s3 --endpoint-url https://s3.tasmanian.cloud'

Basic Operations

# Create a bucket
rustfs-s3 mb s3://my-bucket

# Upload a file
rustfs-s3 cp file.txt s3://my-bucket/

# Download a file
rustfs-s3 cp s3://my-bucket/file.txt ./

# List buckets
rustfs-s3 ls

# List objects
rustfs-s3 ls s3://my-bucket/

# Sync directory
rustfs-s3 sync ./local-dir s3://my-bucket/remote-dir/

SDK Examples

Python (boto3)

import boto3

s3 = boto3.client(
    's3',
    endpoint_url='https://s3.tasmanian.cloud',
    aws_access_key_id='YOUR_KEY',
    aws_secret_access_key='YOUR_SECRET',
    region_name='tasmania-1'
)

# Upload with client-side encryption
s3.put_object(
    Bucket='my-bucket',
    Key='sensitive-data.txt',
    Body=b'confidential data',
    ServerSideEncryption='aws:kms'
)

# Download
response = s3.get_object(Bucket='my-bucket', Key='sensitive-data.txt')
data = response['Body'].read()

JavaScript (AWS SDK v3)

import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

const client = new S3Client({
  endpoint: "https://s3.tasmanian.cloud",
  region: "tasmania-1",
  credentials: {
    accessKeyId: "YOUR_KEY",
    secretAccessKey: "YOUR_SECRET",
  },
});

await client.send(new PutObjectCommand({
  Bucket: "my-bucket",
  Key: "file.txt",
  Body: "Hello from Tasmanian Cloud!",
}));

Integration with Paymenter

Configure RustFS as the backup destination for Paymenter:

# Edit Paymenter .env
BACKUP_DRIVER=s3
S3_ENDPOINT=https://s3.tasmanian.cloud
S3_ACCESS_KEY_ID=paymenter_backup_key
S3_SECRET_ACCESS_KEY=your_secret
S3_BUCKET=paymenter-backups
S3_REGION=tasmania-1
S3_USE_PATH_STYLE_ENDPOINT=true

Performance

Benchmarks

MetricSingle Node3-Node Cluster
Read Throughput2 GB/s5 GB/s
Write Throughput1.5 GB/s4 GB/s
Read IOPS50,000150,000
Write IOPS30,00090,000
Latency (p99)5ms8ms

Optimization Tips

  1. Use multipart uploads for files >100MB
  2. Enable compression for text-based content
  3. Configure lifecycle policies to move old data to cheaper tiers
  4. Use Cloudflare R2 as CDN for global distribution

Monitoring

Metrics

MetricDescriptionAlert Threshold
storage_used_bytesTotal storage used>80% capacity
request_rateRequests per second>10,000 req/s
error_rateFailed requests>0.1%
latency_p9999th percentile latency>100ms
replication_lagData replication delay>5 seconds

Health Check

# Check RustFS health
curl http://localhost:9001/health

# Expected response
{
  "status": "healthy",
  "nodes": 3,
  "storage_used": 549755813888000,
  "storage_total": 1099511627776000,
  "uptime": 86400
}

Pricing

Storage Pricing

TierPrice (per GB/month)Minimum
Hot$0.05None
Warm$0.031 TB
Cold$0.0110 TB
Glacier$0.00550 TB

Request Pricing

OperationPrice (per 1,000 requests)
PUT, COPY, POST$0.005
GET, SELECT$0.0004
DELETEFree

Egress Pricing

DestinationPrice (per GB)
Australia$0.00 (FREE)
New Zealand$0.02
Asia Pacific$0.08
Europe$0.09
Americas$0.09

Tasmanian Cloud Architecture

High-level architecture overview of Tasmanian Cloud's sovereign infrastructure

Security Hardening

Security configuration and hardening guidelines for Tasmanian Cloud infrastructure

On this page

OverviewFeaturesS3-Compatible APIPost-Quantum CryptographyStorage TiersDeploymentPrerequisitesInstallationStep 1: Create VMsStep 2: Install RustFSStep 3: Configure Ceph BackendStep 4: Cluster ConfigurationUsageAWS CLI ConfigurationBasic OperationsSDK ExamplesPython (boto3)JavaScript (AWS SDK v3)Integration with PaymenterPerformanceBenchmarksOptimization TipsMonitoringMetricsHealth CheckPricingStorage PricingRequest PricingEgress PricingRelated Documentation