Docs/Security & Operations

Credential Management

DBConvert Streams separates configuration (connection names, hosts, ports) from secrets (passwords, certificates, keys). Configuration is stored in a config backend (SQLite for desktop, Consul for server). Secrets are encrypted in a dedicated secrets backend and merged at runtime.

Secrets backends

The backend is selected via the SECRETS_BACKEND environment variable:

BackendValueUse case
Encrypted filefile (default)Desktop and single-server deployments
HashiCorp VaultvaultOptional for server deployments

What is stored

Each connection stores a ConnectionSecrets record with the following fields:

FieldDescription
PasswordDatabase password
DSNGenerated connection string
SSLModeSSL/TLS mode
CACertCA certificate (PEM)
ClientCertClient certificate (PEM)
ClientKeyClient private key (PEM)
SSHPasswordSSH tunnel password
SSHPrivateKeySSH tunnel private key
SSHPassphraseSSH key passphrase

Secrets never appear in config files, API responses to list endpoints omit SSH/SSL details, and credentials are only merged into connection objects at runtime when needed.

Encrypted file backend

The default backend encrypts all secrets into a single file using:

  • XChaCha20-Poly1305 for authenticated encryption
  • Argon2id for key derivation (3 iterations, 64 MB memory, 4 threads)

File format

SegmentSizeDescription
Magic bytes4 bytesDBCS
Version1 byteFormat version (currently 1)
Salt32 bytesRandom salt for Argon2id
Nonce24 bytesXChaCha20-Poly1305 nonce
CiphertextVariableEncrypted JSON with auth tag

Master key

The master key is used with Argon2id to derive the encryption key. It is resolved in this order:

  1. SECRETS_MASTER_KEY environment variable (if set)
  2. OS keyring (service: DBConvert Streams, user: secrets-master-key)
  3. Auto-generated (32 random bytes, base64-encoded) and stored in the OS keyring

On desktop, the master key is managed automatically via the OS keyring. For headless or server deployments using the file backend, set SECRETS_MASTER_KEY explicitly.

File location

Set with the SECRETS_FILE_PATH environment variable — the location is always explicit, there is no implicit default. The desktop app points it at its own data directory (for example ~/.local/share/dbconvert-streams/secrets/secrets.enc on Linux).

Vault backend (optional)

Server deployments can optionally store secrets in HashiCorp Vault using the KV v2 secrets engine. If not configured, the encrypted file backend is used by default.

Secrets are stored at: secret/data/connections/{userID}/{connectionID}

The backend automatically enables the KV v2 engine if not already present, and includes retry logic for initial connection (10 attempts, 3-second intervals).

Configuration

Environment variableDescriptionDefault
VAULT_ADDRVault server addresshttp://localhost:8200
VAULT_TOKENVault authentication token(required)

Environment variables reference

VariableDescriptionDefault
SECRETS_BACKENDBackend selection: file or vaultfile
SECRETS_FILE_PATHPath to the encrypted secrets file(required, no default)
SECRETS_MASTER_KEYMaster key for file backend encryptionAuto-generated, stored in OS keyring
VAULT_ADDRVault server addresshttp://localhost:8200
VAULT_TOKENVault authentication token(required for vault backend)