diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a5ead6502..17922932a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,7 +12,7 @@ on:
 
 env:
   NODE_VERSION: 20
-  JAVA_VERSION: 17
+  JAVA_VERSION: 21
 
 defaults:
   run:
diff --git a/backend/.idea/misc.xml b/backend/.idea/misc.xml
index 82ab2ccf1..e8e9dd894 100644
--- a/backend/.idea/misc.xml
+++ b/backend/.idea/misc.xml
@@ -8,7 +8,7 @@
       </list>
     </option>
   </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_17" default="true" project-jdk-name="17" project-jdk-type="JavaSDK" />
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_21" project-jdk-name="21" project-jdk-type="JavaSDK" />
   <component name="ProjectType">
     <option name="id" value="jpab" />
   </component>
diff --git a/backend/README.md b/backend/README.md
index 1337db8b9..383aee786 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -63,5 +63,5 @@ Tell JIB which executable to use (replace `nerctl` with `podman` etc):
 
 3x smaller but takes longer to build. Docker VM requires sufficient memory during the build:
 ```shell script
-mvn clean package -Pnative -Dquarkus.container-image.build=true -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel:22.2-java17 -Dquarkus.container-image.tag=latest
+mvn clean package -Pnative -Dquarkus.container-image.build=true -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image:23.1-java21 -Dquarkus.container-image.tag=latest
 ```
diff --git a/backend/pom.xml b/backend/pom.xml
index d5e7cf0a6..a94e1a29e 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -7,16 +7,16 @@
   <version>1.4.0-SNAPSHOT</version>
 
   <properties>
-    <compiler-plugin.version>3.11.0</compiler-plugin.version>
+    <compiler-plugin.version>3.12.1</compiler-plugin.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <project.jdk.version>17</project.jdk.version>
+    <project.jdk.version>21</project.jdk.version>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <quarkus.container-image.group>cryptomator</quarkus.container-image.group>
     <quarkus.container-image.name>hub</quarkus.container-image.name>
-    <quarkus.platform.version>3.2.12.Final</quarkus.platform.version>
-    <quarkus.jib.base-jvm-image>eclipse-temurin:17-jre</quarkus.jib.base-jvm-image> <!-- irrelevant for -Pnative -->
+    <quarkus.platform.version>3.8.2</quarkus.platform.version>
+    <quarkus.jib.base-jvm-image>eclipse-temurin:21-jre</quarkus.jib.base-jvm-image> <!-- irrelevant for -Pnative -->
     <jwt.version>4.4.0</jwt.version>
-    <surefire-plugin.version>3.1.2</surefire-plugin.version>
+    <surefire-plugin.version>3.2.3</surefire-plugin.version>
   </properties>
 
   <dependencyManagement>
@@ -28,18 +28,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <!-- temporarily pin Flyway version until Quarkus LTS contains Flyway >= 9.21.0; see https://github.com/cryptomator/hub/issues/256 -->
-        <groupId>org.flywaydb</groupId>
-        <artifactId>flyway-core</artifactId>
-        <version>9.22.3</version>
-      </dependency>
-      <dependency>
-        <!-- temporarily pin Flyway version until Quarkus LTS contains Flyway >= 9.21.0; see https://github.com/cryptomator/hub/issues/256 -->
-        <groupId>io.quarkus</groupId>
-        <artifactId>quarkus-flyway</artifactId>
-        <version>3.3.0</version>
-      </dependency>
     </dependencies>
   </dependencyManagement>
 
diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
index 73f93bb61..78dd8832f 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
@@ -96,30 +96,19 @@ public interface AuditEventDto {
 		Instant timestamp();
 
 		static AuditEventDto fromEntity(AuditEvent entity) {
-			// TODO: refactor to switch in JDK21
-			if (entity instanceof AuditEventDeviceRegister evt) {
-				return new AuditEventDeviceRegisterDto(evt.id, evt.timestamp, AuditEventDeviceRegister.TYPE, evt.registeredBy, evt.deviceId, evt.deviceName, evt.deviceType);
-			} else if (entity instanceof AuditEventDeviceRemove evt) {
-				return new AuditEventDeviceRemoveDto(evt.id, evt.timestamp, AuditEventDeviceRemove.TYPE, evt.removedBy, evt.deviceId);
-			} else if (entity instanceof AuditEventVaultCreate evt) {
-				return new AuditEventVaultCreateDto(evt.id, evt.timestamp, AuditEventVaultCreate.TYPE, evt.createdBy, evt.vaultId, evt.vaultName, evt.vaultDescription);
-			} else if (entity instanceof AuditEventVaultUpdate evt) {
-				return new AuditEventVaultUpdateDto(evt.id, evt.timestamp, AuditEventVaultUpdate.TYPE, evt.updatedBy, evt.vaultId, evt.vaultName, evt.vaultDescription, evt.vaultArchived);
-			} else if (entity instanceof AuditEventVaultAccessGrant evt) {
-				return new AuditEventVaultAccessGrantDto(evt.id, evt.timestamp, AuditEventVaultAccessGrant.TYPE, evt.grantedBy, evt.vaultId, evt.authorityId);
-			} else if (entity instanceof AuditEventVaultKeyRetrieve evt) {
-				return new AuditEventVaultKeyRetrieveDto(evt.id, evt.timestamp, AuditEventVaultKeyRetrieve.TYPE, evt.retrievedBy, evt.vaultId, evt.result);
-			} else if (entity instanceof AuditEventVaultMemberAdd evt) {
-				return new AuditEventVaultMemberAddDto(evt.id, evt.timestamp, AuditEventVaultMemberAdd.TYPE, evt.addedBy, evt.vaultId, evt.authorityId, evt.role);
-			} else if (entity instanceof AuditEventVaultMemberRemove evt) {
-				return new AuditEventVaultMemberRemoveDto(evt.id, evt.timestamp, AuditEventVaultMemberRemove.TYPE, evt.removedBy, evt.vaultId, evt.authorityId);
-			} else if (entity instanceof AuditEventVaultMemberUpdate evt) {
-				return new AuditEventVaultMemberUpdateDto(evt.id, evt.timestamp, AuditEventVaultMemberUpdate.TYPE, evt.updatedBy, evt.vaultId, evt.authorityId, evt.role);
-			} else if (entity instanceof AuditEventVaultOwnershipClaim evt) {
-				return new AuditEventVaultOwnershipClaimDto(evt.id, evt.timestamp, AuditEventVaultOwnershipClaim.TYPE, evt.claimedBy, evt.vaultId);
-			} else {
-				throw new UnsupportedOperationException("conversion not implemented for event type " + entity.getClass());
-			}
+			return switch (entity) {
+				case AuditEventDeviceRegister evt -> new AuditEventDeviceRegisterDto(evt.id, evt.timestamp, AuditEventDeviceRegister.TYPE, evt.registeredBy, evt.deviceId, evt.deviceName, evt.deviceType);
+				case AuditEventDeviceRemove evt -> new AuditEventDeviceRemoveDto(evt.id, evt.timestamp, AuditEventDeviceRemove.TYPE, evt.removedBy, evt.deviceId);
+				case AuditEventVaultCreate evt -> new AuditEventVaultCreateDto(evt.id, evt.timestamp, AuditEventVaultCreate.TYPE, evt.createdBy, evt.vaultId, evt.vaultName, evt.vaultDescription);
+				case AuditEventVaultUpdate evt -> new AuditEventVaultUpdateDto(evt.id, evt.timestamp, AuditEventVaultUpdate.TYPE, evt.updatedBy, evt.vaultId, evt.vaultName, evt.vaultDescription, evt.vaultArchived);
+				case AuditEventVaultAccessGrant evt -> new AuditEventVaultAccessGrantDto(evt.id, evt.timestamp, AuditEventVaultAccessGrant.TYPE, evt.grantedBy, evt.vaultId, evt.authorityId);
+				case AuditEventVaultKeyRetrieve evt -> new AuditEventVaultKeyRetrieveDto(evt.id, evt.timestamp, AuditEventVaultKeyRetrieve.TYPE, evt.retrievedBy, evt.vaultId, evt.result);
+				case AuditEventVaultMemberAdd evt -> new AuditEventVaultMemberAddDto(evt.id, evt.timestamp, AuditEventVaultMemberAdd.TYPE, evt.addedBy, evt.vaultId, evt.authorityId, evt.role);
+				case AuditEventVaultMemberRemove evt -> new AuditEventVaultMemberRemoveDto(evt.id, evt.timestamp, AuditEventVaultMemberRemove.TYPE, evt.removedBy, evt.vaultId, evt.authorityId);
+				case AuditEventVaultMemberUpdate evt -> new AuditEventVaultMemberUpdateDto(evt.id, evt.timestamp, AuditEventVaultMemberUpdate.TYPE, evt.updatedBy, evt.vaultId, evt.authorityId, evt.role);
+				case AuditEventVaultOwnershipClaim evt -> new AuditEventVaultOwnershipClaimDto(evt.id, evt.timestamp, AuditEventVaultOwnershipClaim.TYPE, evt.claimedBy, evt.vaultId);
+				default -> throw new UnsupportedOperationException("conversion not implemented for event type " + entity.getClass());
+			};
 		}
 	}
 
diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java b/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
index dcdc6666b..cfe468b25 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
@@ -31,14 +31,11 @@ protected AuthorityDto(String id, Type type, String name, String pictureUrl) {
 	}
 
 	static AuthorityDto fromEntity(Authority a) {
-		// TODO refactor to JEP 441 in JDK 21
-		if (a instanceof User user) {
-			return UserDto.justPublicInfo(user);
-		} else if (a instanceof Group group) {
-			return GroupDto.fromEntity(group);
-		} else {
-			throw new IllegalStateException("authority is not of type user or group");
-		}
+		return switch (a) {
+			case User u -> UserDto.justPublicInfo(u);
+			case Group g -> GroupDto.fromEntity(g);
+			default -> throw new IllegalStateException("authority is not of type user or group");
+		};
 	}
 
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index 9649d6d26..2acb24c18 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -89,7 +89,6 @@ public class VaultResource {
 	@Operation(summary = "list all accessible vaults", description = "list all vaults that have been shared with the currently logged in user or a group in wich this user is")
 	public List<VaultDto> getAccessible(@Nullable @QueryParam("role") VaultAccess.Role role) {
 		var currentUserId = jwt.getSubject();
-		// TODO refactor to JEP 441 in JDK 21
 		final Stream<Vault> resultStream;
 		if (role == null) {
 			resultStream = Vault.findAccessibleByUser(currentUserId);
@@ -130,15 +129,10 @@ public List<VaultDto> getAllVaults() {
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
 	public List<MemberDto> getDirectMembers(@PathParam("vaultId") UUID vaultId) {
-		return VaultAccess.forVault(vaultId).map(access -> {
-			// TODO switch to switch expressions, once we can make Authority sealed
-			if (access.authority instanceof User u) {
-				return MemberDto.fromEntity(u, access.role);
-			} else if (access.authority instanceof Group g) {
-				return MemberDto.fromEntity(g, access.role);
-			} else {
-				throw new IllegalStateException();
-			}
+		return VaultAccess.forVault(vaultId).map(access -> switch (access.authority) {
+			case User u -> MemberDto.fromEntity(u, access.role);
+			case Group g -> MemberDto.fromEntity(g, access.role);
+			default -> throw new IllegalStateException();
 		}).toList();
 	}
 
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 76d81e38d..af3d66e85 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -58,7 +58,7 @@ quarkus.datasource.db-kind=postgresql
 quarkus.datasource.jdbc.driver=org.postgresql.Driver
 quarkus.datasource.jdbc.transaction-requirement=off
 quarkus.datasource.jdbc.max-size=16
-quarkus.hibernate-orm.dialect=org.hibernate.dialect.PostgreSQL10Dialect
+quarkus.hibernate-orm.dialect=org.hibernate.dialect.PostgreSQLDialect
 quarkus.hibernate-orm.database.globally-quoted-identifiers=true
 quarkus.flyway.migrate-at-start=true
 quarkus.flyway.locations=classpath:org/cryptomator/hub/flyway