diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b8ed93a04..52a55424c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,6 +66,7 @@ jobs:
           cp config/content_security_policy.yml.ci config/content_security_policy.yml
           cp config/database.yml.ci config/database.yml
           cp config/mnemosyne.yml.ci config/mnemosyne.yml
+          cp config/storage.yml.ci config/storage.yml
 
       - name: Prepare database
         env:
diff --git a/.gitignore b/.gitignore
index 28dc4d14a..7451a8d3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,7 @@
 /config/content_security_policy.yml
 /config/database.yml
 /config/mnemosyne.yml
+/config/storage.yml
 /config/settings.local.yml
 /config/settings/*.local.yml
 /config/environments/*.local.yml
diff --git a/Gemfile b/Gemfile
index 3da54f1ad..9a2eee028 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'acts-as-taggable-on'
+gem 'aws-sdk-s3', require: false
 gem 'bcrypt'
 gem 'bootsnap', require: false
 gem 'bootstrap-will_paginate'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0c60a3a8f..300796ab4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -83,6 +83,25 @@ GEM
       public_suffix (>= 2.0.2, < 7.0)
     amq-protocol (2.3.4)
     ast (2.4.3)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1147.0)
+    aws-sdk-core (3.229.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-kms (1.110.0)
+      aws-sdk-core (~> 3, >= 3.228.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.196.1)
+      aws-sdk-core (~> 3, >= 3.228.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
+      aws-eventstream (~> 1, >= 1.0.2)
     base64 (0.3.0)
     bcrypt (3.1.20)
     benchmark (0.4.1)
@@ -222,6 +241,7 @@ GEM
     jbuilder (2.14.1)
       actionview (>= 7.0.0)
       activesupport (>= 7.0.0)
+    jmespath (1.6.2)
     jquery-rails (4.6.0)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
@@ -656,6 +676,7 @@ PLATFORMS
 
 DEPENDENCIES
   acts-as-taggable-on
+  aws-sdk-s3
   bcrypt
   better_errors
   binding_of_caller
@@ -754,6 +775,12 @@ CHECKSUMS
   addressable (2.8.7) sha256=462986537cf3735ab5f3c0f557f14155d778f4b43ea4f485a9deb9c8f7c58232
   amq-protocol (2.3.4) sha256=98be5b9244e28dc66acc8351a254dbf45d996c5a0b7d49ab3ff8b72b0d2e6308
   ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
+  aws-eventstream (1.4.0) sha256=116bf85c436200d1060811e6f5d2d40c88f65448f2125bc77ffce5121e6e183b
+  aws-partitions (1.1147.0) sha256=4a4c231e7c866c0cab0d5c5f751de2643f6e0b1b3336626bcc4b9e6f71074d4f
+  aws-sdk-core (3.229.0) sha256=792629981ee265a9d126e7c17ca236526b3b5ad4a22ff8fa9cb3c1affd46b087
+  aws-sdk-kms (1.110.0) sha256=b8b4a63fb10422ae737a5279ccc3b27a830ecaa355f1d3afde3784843ebda5e4
+  aws-sdk-s3 (1.196.1) sha256=60b77efa51328a82350d47e9738df2eae1037e83e1f8f20ce82b6cbec07697e1
+  aws-sigv4 (1.12.1) sha256=6973ff95cb0fd0dc58ba26e90e9510a2219525d07620c8babeb70ef831826c00
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   bcrypt (3.1.20) sha256=8410f8c7b3ed54a3c00cd2456bf13917d695117f033218e2483b2e40b0784099
   benchmark (0.4.1) sha256=d4ef40037bba27f03b28013e219b950b82bace296549ec15a78016552f8d2cce
@@ -825,6 +852,7 @@ CHECKSUMS
   irb (1.15.2) sha256=222f32952e278da34b58ffe45e8634bf4afc2dc7aa9da23fed67e581aa50fdba
   iso-639 (0.3.8) sha256=48b8104a4b55367fda347609e36ef8eeb3a0b4d048b36365371c274958be7535
   jbuilder (2.14.1) sha256=4eb26376ff60ef100cb4fd6fd7533cd271f9998327e86adf20fd8c0e69fabb42
+  jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1
   jquery-rails (4.6.0) sha256=3c4e6bf47274340b44d836b8aa1b5472c6d451e2739af5ec094421f39025a7e2
   js-routes (2.3.5) sha256=8279fd3be49916309dfeaee546d659b97986e3edbb47332902e688992b143a4d
   json (2.13.2) sha256=02e1f118d434c6b230a64ffa5c8dee07e3ec96244335c392eaed39e1199dbb68
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 9c9b61ade..7edca7116 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -49,8 +49,8 @@
   # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
   # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
 
-  # Store uploaded files on the local file system (see config/storage.yml for options).
-  config.active_storage.service = :local
+  # Store uploaded files on the local file system by default (see config/storage.yml for options).
+  config.active_storage.service = ENV.fetch('ACTIVE_STORAGE_SERVICE', :local)
 
   # Mount Action Cable outside main process or domain.
   # config.action_cable.mount_path = nil
diff --git a/config/storage.yml.ci b/config/storage.yml.ci
new file mode 100644
index 000000000..6861af3b7
--- /dev/null
+++ b/config/storage.yml.ci
@@ -0,0 +1,3 @@
+test:
+  service: Disk
+  root: <%= Rails.root.join("tmp/storage") %>
diff --git a/config/storage.yml b/config/storage.yml.example
similarity index 82%
rename from config/storage.yml
rename to config/storage.yml.example
index 4942ab669..868b73ef0 100644
--- a/config/storage.yml
+++ b/config/storage.yml.example
@@ -6,6 +6,10 @@ local:
   service: Disk
   root: <%= Rails.root.join("storage") %>
 
+# Local storage is used by default. To use another storage provider in production,
+# please set ACTIVE_STORAGE_SERVICE=amazon and the corresponding configuration.
+# The aws-sdk-s3 GEM is included to support S3-compatible providers. 
+# 
 # Use bin/rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
 # amazon:
 #   service: S3
diff --git a/docs/environment_variables.md b/docs/environment_variables.md
index 7447bda4d..e4b29ba0d 100644
--- a/docs/environment_variables.md
+++ b/docs/environment_variables.md
@@ -25,3 +25,4 @@ The following environment variables are specifically support in CodeHarbor and a
 | `LISTEN_ADDRESS` | `127.0.0.1` in `development` | Specifies the IP address the Vagrant VM server should attach to during development |  
 | `HEADLESS` | `false` | Enables the test environment to work without a window manager for feature tests (e.g., using Vagrant) |  
 | `BROWSER` | `chrome` | Specifies the browser to be used for system tests. Supported are `chrome` or `firefox` |  
+| `ACTIVE_STORAGE_SERVICE` | `local` | Specifies the default ActiveStorage backend in production (configured in [`config/storage.yml`](../config/storage.yml)). |