IceVault 🧊

A lightweight macOS menu bar app for automated cold backups to AWS S3 Glacier Deep Archive.

The Problem

I have a Thunderbolt 3 DAS with two bays sitting on my desk — about 5TB of photos and videos spanning nearly a decade. Nikon NEFs, Sony ARWs, Final Cut projects, timelapses, music videos. The kind of stuff that's irreplaceable.

My old backup was Backblaze on a different machine. Setting it up again means re-uploading everything and paying ~$18/month indefinitely. For data I almost never need to access, that felt wrong.

The Math

Service	Monthly Cost (5TB)	Retrieval
Backblaze B2	~$30/mo	Instant
Wasabi	~$35/mo	Instant
S3 Glacier Deep Archive	~$5/mo	12-48 hours

For a backup you hope to never need? $5/month wins.

The Build

I wanted something better than a cron'd aws s3 sync — a proper native app that lives in the menu bar and just works. So Ody and I built one. In a day.

Tech stack:

Swift + SwiftUI (native macOS, MenuBarExtra)
AWS SDK for Swift (S3 with Glacier Deep Archive storage class)
GRDB (SQLite for local file inventory + multipart tracking)
KeychainAccess (credentials in macOS Keychain, not plaintext)

What It Does

Core backup:

❄️ Scans source folders, diffs against local SQLite DB — only uploads new/changed files
📦 Always uploads with DEEP_ARCHIVE storage class (enforced, not optional)
📊 Live progress in the menu bar: files count, bytes, session status
🛑 Cancellable mid-backup — already uploaded files stay marked as done

Resilience (because 5TB uploads take days):

⚡ Multipart uploads for large files (>100MB) — 100MB chunks
🔄 Per-part resume — if a 10GB video stops mid-upload, it picks up from the last completed part, not the beginning
🔁 Auto-retry with exponential backoff — 3 attempts per operation, 2s → 8s → 32s on transient errors
🧹 Stale multipart cleanup — aborts incomplete uploads older than 7 days (S3 charges for those)

Auth — the Backblaze problem: Most backup tools either use long-lived static keys (Backblaze style) or SSO that expires every 8 hours. We wanted something closer to "log in once, forget about it."

IceVault supports both:

AWS IAM Identity Center (SSO) — recommended. Set session duration to 90 days, get a refresh token that auto-renews hourly. Native macOS notifications when your session is about to expire, one-click re-auth.
Static access keys — stored in macOS Keychain. Truly never expires, good for unattended scheduled backups.

Settings & history:

🔐 AWS credentials in macOS Keychain (never UserDefaults or plaintext)
🧪 "Test Connection" to verify your bucket before backing up
📜 History view with past backup jobs, file counts, status badges
⚙️ LaunchAgent scheduling (daily/weekly/custom interval)
🖥️ --backup headless mode for cron/LaunchAgent

The Drive

Current backup snapshot:

Total: ~5.5 TB
Files: 246,742
Photo library: ~4.2 TB (2016–2024)
Video library: ~806 GB
Catalogs/previews: ~100 GB
RAW mix: 41,000 Nikon NEFs + 33,000 Sony ARWs

A decade of work, uploading right now.

Getting Started

Option 1: Homebrew (easiest)

brew install --cask icevault

Option 2: Build from source

git clone https://github.com/lydakis/icevault
cd icevault
./scripts/build-app.sh
open build/IceVault.app

See docs/AWS_SETUP.md for the full AWS setup guide — SSO or static keys, with least-privilege IAM policy JSON.

Production Ready

IceVault is now a proper macOS app:

✅ Comprehensive test suite (3000+ lines)
✅ GitHub Actions release workflow
✅ Homebrew cask support
✅ Custom app icon (GPT-image-1 generated vault dial)
✅ Signed & notarized releases

Open Source

MIT licensed. If you have a drive full of photos gathering dust with no backup — grab it from Homebrew, clone the repo, or download a release.

github.com/lydakis/icevault

What's Next

File exclusion patterns (skip Lightroom previews, .DS_Store, etc.)
Bandwidth throttling
Multiple source directories
Restore UI (though aws s3 cp works fine for the rare case you need it)

Built in a day. Uploading a decade. $5/month. 🧊