Vaults
A vault is the main storage boundary in Vaulthalla. It defines where file bodies live, how sync behaves, which users and groups can access content, and which encryption and cost controls apply.
Vault Types
Vaulthalla supports two operator-facing vault types:
| Type | Storage location | Best for |
|---|---|---|
| Local | Vaulthalla-managed local state on the host | Low-latency local storage, simple deployments, controlled single-host workflows |
| S3-compatible | AWS S3, Cloudflare R2, or another S3-compatible provider | Remote object storage, cloud-backed archives, cross-host access patterns, larger buckets |
Local vaults and S3/R2 vaults use the same high-level access-control model, but they differ in sync policy, request budgets, upstream object encryption, and recovery planning.
Metadata And File Bodies
Vaulthalla stores runtime metadata in PostgreSQL. That metadata includes users, groups, roles, vault definitions, sync policy, remote indexes, shares, audit state, and encryption key records.
File bodies are stored according to the vault type:
- Local vault file bodies live under Vaulthalla-managed local state.
- S3/R2 vault file bodies live in the configured bucket, with optional local cache state depending on sync strategy.
This split matters for backup. A usable disaster recovery plan needs PostgreSQL data, Vaulthalla config/state, and exported recovery material. See Backup And Recovery.
FUSE Mount
The core daemon exposes a Linux filesystem surface at:
```
/mnt/vaulthalla
```
The web console and CLI operate through Vaulthalla permissions and metadata. Host-level filesystem access still depends on the daemon, FUSE health, Linux permissions, and the mounted state.
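An added example (not part of the Vaulthalla documentation or code base): a shell preflight that a host script can run to confirm /mnt/vaulthalla is currently a FUSE mount before touching it, so writes never land in the bare directory underneath when the daemon is down or the path is shadowed by another mount. It assumes the mount appears in /proc/mounts with a filesystem type of fuse or fuse.<subtype>; the function names, the VH_MOUNTS variable and the sample tables are constructed for illustration.

```shell
#!/bin/sh
VH_MOUNTPOINT="/mnt/vaulthalla"
VH_MOUNTS="${VH_MOUNTS:-/proc/mounts}"   # assumption: Linux mount table path

# Read a /proc/mounts-format table on stdin and classify the mountpoint.
# Prints fuse | other:<fstype> | absent; returns 0 only for fuse.
vh_mount_state() {
    # Fields: device mountpoint fstype options dump pass. Mounts stack, so
    # the last matching line is what the path currently resolves to.
    vh_fstype=$(awk -v mp="${1:-$VH_MOUNTPOINT}" \
        '$2 == mp { t = $3 } END { print t }')
    case "$vh_fstype" in
        "")          echo "absent";           return 1 ;;
        fuse|fuse.*) echo "fuse";             return 0 ;;
        *)           echo "other:$vh_fstype"; return 2 ;;
    esac
}

# Run "$@" only while the mount table shows the FUSE mount in place.
vh_with_mount() {
    vh_state=$(vh_mount_state < "$VH_MOUNTS") || {
        echo "refusing: $VH_MOUNTPOINT is $vh_state" >&2
        return 1
    }
    "$@"
}

# Constructed sample tables (device names and fuse subtype are made up).
sample_healthy() {
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'vaulthalla /mnt/vaulthalla fuse.vaulthalla rw,nosuid,nodev 0 0'
}
sample_daemon_down() { printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0'; }
sample_shadowed() {
    sample_healthy
    printf '%s\n' 'tmpfs /mnt/vaulthalla tmpfs rw,nosuid 0 0'
}

# Demo over the constructed tables; no live mount table is read here.
for s in sample_healthy sample_daemon_down sample_shadowed; do
    printf '%s: %s\n' "$s" "$($s | vh_mount_state || true)"
done
```

In a backup or ingest script, wrap the host-side step as `vh_with_mount <command>` so it is skipped, with a message on stderr, whenever the mount is missing or is not FUSE.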
Ownership
Vault commands can target an explicit owner where supported:
```bash
vh vault info <vault> --owner <user-or-id>
vh vault delete <vault> --owner <user-or-id>
```
Ownership is useful when administrators manage vaults on behalf of users or teams. For scripts, prefer stable ids where possible.
Vault Roles
Vault roles grant permissions inside a vault. Assign them to users or groups:
```bash
vh vault role assign <vault> <role-id> --user alice
vh vault role assign <vault> <role-id> --group operators
vh vault role list <vault>
```
Vault permissions include browsing, creating, downloading, deleting, renaming, moving, sharing, syncing, metadata, tag, version, file-lock, access, and vault management capabilities.
Path-level overrides can further allow or deny permissions for a pattern:
```bash
vh vault role override add <vault> --user alice --pattern "/finance/*" --download --disable
```
Encryption
Vaults use per-vault encryption keys protected by TPM-backed master keys. S3/R2 vaults also have an upstream object encryption setting that controls whether object bodies written to the bucket are encrypted by Vaulthalla before upload.
Read Encryption before changing --encrypt, --no-encrypt, key rotation, or key export behavior.
Create A Vault
Local:
```bash
vh vault create docs --local --desc "Team documents" --quota 50G
```
S3/R2:
```bash
vh vault create archive \
  --s3 \
  --api-key r2-main \
  --bucket vaulthalla-archive \
  --sync-strategy cache \
  --encrypt
```
See Local Vaults, S3 And R2 Vaults, and S3 Gateway Vaults.
