- Abstracts away the underlying storage backend. Currently, we support OCI registries as storage backends but you can expect blob storage, Artifactory and other storage backends to be supported in the future.
- Makes sure that the pieces of evidence are stored in a tamper-proof manner. This is achieved by storing the evidences named after their SHA256 content digest, which is calculated by the client, verified by the CAS server.
- Enables support of large pieces of evidence since the content digest reference is what will be stored in the attestation.

Manage Storage Backends
You can setup as many CAS backends as you want, but you can only have one enabled as default and one as fallback at the time. This default backend will be used during the attestation process to store the pieces of evidence. The fallback backend will be used when the default backend fails or is unreachable,Chainloop periodically validates the credentials of configured CAS backends. Only backends that are marked as default or fallback and are not the built-in
inline backend are checked. If any of these backends start to fail authentication or access checks, Chainloop will automatically send an email notification to the organization’s owners so they can rotate or fix the credentials.Fallback Backend
The fallback backend provides high availability for your artifact storage. When configured:- Chainloop first attempts to store artifacts in the default backend
- If the default backend is unreachable or fails validation, Chainloop automatically switches to the fallback backend
- Your attestation process continues without interruption
- Web UI
- CLI
You can manage your CAS backends in the Storage Backends Section.

Storage Backend providers
New CAS Backends will be added over time. If yours is not implemented yet, please let us know
Platform operators: Chainloop Enterprise can also auto-provision a dedicated CAS backend for every organization in your installation via Managed CAS, so end users don’t need to bring their own storage.
Inline
Chainloop comes pre-configured with what we call aninline backend that embeds the pieces of evidence in the resulting attestations.
OCI registry
Add a new OCI registry backend
- Google Artifact Registry
- Azure Container Registry
- GitHub packages
- DockerHub
- AWS Container Registry
Rotate credentials
Set as default
Set as fallback
AWS S3
Chainloop also supports storing artifacts in AWS S3 Blob Storage.Pre-requisites
To connect your AWS account to Chainloop you’ll need:- S3 Bucket Name
- Bucket Region
- AccessKeyID
- SecretAccessKey

[bucketName] with the actual name of the bucket you created in the step before.

Rotate credentials
Azure Blob Storage
Chainloop also supports storing artifacts in Azure Blob Storage.Pre-requisites
To connect your Azure storage account you’ll need the following information- Active Directory Tenant ID
- Service Principal ID
- Service Principal Secret
- Storage account name






Rotate credentials
Cloudflare R2
Cloudflare R2 is compatible with AWS S3 and can be configured in Chainloop by providing a custom endpoint. Pre-requisites- AccessKeyID
- SecretAccessKey
- Bucket Name
- Endpoint

aws-s3 provider and providing the custom endpoint.
Minio
Minio is an S3-compatible blob storage that can be configured in Chainloop by providing a custom endpoint. Pre-requisites- AccessKeyID
- SecretAccessKey
- Bucket Name
- Minio Endpoint


aws-s3 provider and providing the custom endpoint
Give it a try
If everything went well, you should be able to upload and download artifact materials, let’s give it a tryUpload a file to your OCI repository
Download by content digest (sha256)
