[{"data":1,"prerenderedAt":561},["ShallowReactive",2],{"docs-\u002Fdocs\u002Fnetwork-security\u002Fcredential-management":3},{"id":4,"title":5,"body":6,"description":552,"extension":553,"meta":554,"navigation":555,"path":556,"redirect":557,"seo":558,"stem":559,"__hash__":560},"docs\u002Fdocs\u002Fnetwork-security\u002Fcredential-management.md","Credential Management",{"type":7,"value":8,"toc":535},"minimark",[9,13,17,22,30,80,84,91,195,198,202,205,222,227,304,308,311,333,339,343,354,358,368,374,377,381,425,429,508,512],[10,11,5],"h1",{"id":12},"credential-management",[14,15,16],"p",{},"DBConvert Streams separates configuration (connection names, hosts, ports) from secrets (passwords, certificates, keys). Configuration is stored in a config backend (SQLite for desktop, Consul for server). Secrets are encrypted in a dedicated secrets backend and merged at runtime.",[18,19,21],"h2",{"id":20},"secrets-backends","Secrets backends",[14,23,24,25,29],{},"The backend is selected via the ",[26,27,28],"code",{},"SECRETS_BACKEND"," environment variable:",[31,32,33,49],"table",{},[34,35,36],"thead",{},[37,38,39,43,46],"tr",{},[40,41,42],"th",{},"Backend",[40,44,45],{},"Value",[40,47,48],{},"Use case",[50,51,52,67],"tbody",{},[37,53,54,58,64],{},[55,56,57],"td",{},"Encrypted file",[55,59,60,63],{},[26,61,62],{},"file"," (default)",[55,65,66],{},"Desktop and single-server deployments",[37,68,69,72,77],{},[55,70,71],{},"HashiCorp Vault",[55,73,74],{},[26,75,76],{},"vault",[55,78,79],{},"Optional for server deployments",[18,81,83],{"id":82},"what-is-stored","What is stored",[14,85,86,87,90],{},"Each connection stores a ",[26,88,89],{},"ConnectionSecrets"," record with the following fields:",[31,92,93,103],{},[34,94,95],{},[37,96,97,100],{},[40,98,99],{},"Field",[40,101,102],{},"Description",[50,104,105,115,125,135,145,155,165,175,185],{},[37,106,107,112],{},[55,108,109],{},[26,110,111],{},"Password",[55,113,114],{},"Database password",[37,116,117,122],{},[55,118,119],{},[26,120,121],{},"DSN",[55,123,124],{},"Generated connection string",[37,126,127,132],{},[55,128,129],{},[26,130,131],{},"SSLMode",[55,133,134],{},"SSL\u002FTLS mode",[37,136,137,142],{},[55,138,139],{},[26,140,141],{},"CACert",[55,143,144],{},"CA certificate (PEM)",[37,146,147,152],{},[55,148,149],{},[26,150,151],{},"ClientCert",[55,153,154],{},"Client certificate (PEM)",[37,156,157,162],{},[55,158,159],{},[26,160,161],{},"ClientKey",[55,163,164],{},"Client private key (PEM)",[37,166,167,172],{},[55,168,169],{},[26,170,171],{},"SSHPassword",[55,173,174],{},"SSH tunnel password",[37,176,177,182],{},[55,178,179],{},[26,180,181],{},"SSHPrivateKey",[55,183,184],{},"SSH tunnel private key",[37,186,187,192],{},[55,188,189],{},[26,190,191],{},"SSHPassphrase",[55,193,194],{},"SSH key passphrase",[14,196,197],{},"Secrets never appear in config files, API responses to list endpoints omit SSH\u002FSSL details, and credentials are only merged into connection objects at runtime when needed.",[18,199,201],{"id":200},"encrypted-file-backend","Encrypted file backend",[14,203,204],{},"The default backend encrypts all secrets into a single file using:",[206,207,208,216],"ul",{},[209,210,211,215],"li",{},[212,213,214],"strong",{},"XChaCha20-Poly1305"," for authenticated encryption",[209,217,218,221],{},[212,219,220],{},"Argon2id"," for key derivation (3 iterations, 64 MB memory, 4 threads)",[223,224,226],"h3",{"id":225},"file-format","File format",[31,228,229,241],{},[34,230,231],{},[37,232,233,236,239],{},[40,234,235],{},"Segment",[40,237,238],{},"Size",[40,240,102],{},[50,242,243,256,271,282,293],{},[37,244,245,248,251],{},[55,246,247],{},"Magic bytes",[55,249,250],{},"4 bytes",[55,252,253],{},[26,254,255],{},"DBCS",[37,257,258,261,264],{},[55,259,260],{},"Version",[55,262,263],{},"1 byte",[55,265,266,267,270],{},"Format version (currently ",[26,268,269],{},"1",")",[37,272,273,276,279],{},[55,274,275],{},"Salt",[55,277,278],{},"32 bytes",[55,280,281],{},"Random salt for Argon2id",[37,283,284,287,290],{},[55,285,286],{},"Nonce",[55,288,289],{},"24 bytes",[55,291,292],{},"XChaCha20-Poly1305 nonce",[37,294,295,298,301],{},[55,296,297],{},"Ciphertext",[55,299,300],{},"Variable",[55,302,303],{},"Encrypted JSON with auth tag",[223,305,307],{"id":306},"master-key","Master key",[14,309,310],{},"The master key is used with Argon2id to derive the encryption key. It is resolved in this order:",[312,313,314,320,330],"ol",{},[209,315,316,319],{},[26,317,318],{},"SECRETS_MASTER_KEY"," environment variable (if set)",[209,321,322,323,326,327,270],{},"OS keyring (service: ",[26,324,325],{},"DBConvert Streams",", user: ",[26,328,329],{},"secrets-master-key",[209,331,332],{},"Auto-generated (32 random bytes, base64-encoded) and stored in the OS keyring",[14,334,335,336,338],{},"On desktop, the master key is managed automatically via the OS keyring. For headless or server deployments using the file backend, set ",[26,337,318],{}," explicitly.",[223,340,342],{"id":341},"file-location","File location",[14,344,345,346,349,350,353],{},"Set with the ",[26,347,348],{},"SECRETS_FILE_PATH"," environment variable — the location is always explicit, there is no implicit default. The desktop app points it at its own data directory (for example ",[26,351,352],{},"~\u002F.local\u002Fshare\u002Fdbconvert-streams\u002Fsecrets\u002Fsecrets.enc"," on Linux).",[18,355,357],{"id":356},"vault-backend-optional","Vault backend (optional)",[14,359,360,361,367],{},"Server deployments can optionally store secrets in ",[362,363,71],"a",{"href":364,"rel":365},"https:\u002F\u002Fwww.vaultproject.io\u002F",[366],"nofollow"," using the KV v2 secrets engine. If not configured, the encrypted file backend is used by default.",[14,369,370,371],{},"Secrets are stored at: ",[26,372,373],{},"secret\u002Fdata\u002Fconnections\u002F{userID}\u002F{connectionID}",[14,375,376],{},"The backend automatically enables the KV v2 engine if not already present, and includes retry logic for initial connection (10 attempts, 3-second intervals).",[223,378,380],{"id":379},"configuration","Configuration",[31,382,383,395],{},[34,384,385],{},[37,386,387,390,392],{},[40,388,389],{},"Environment variable",[40,391,102],{},[40,393,394],{},"Default",[50,396,397,412],{},[37,398,399,404,407],{},[55,400,401],{},[26,402,403],{},"VAULT_ADDR",[55,405,406],{},"Vault server address",[55,408,409],{},[26,410,411],{},"http:\u002F\u002Flocalhost:8200",[37,413,414,419,422],{},[55,415,416],{},[26,417,418],{},"VAULT_TOKEN",[55,420,421],{},"Vault authentication token",[55,423,424],{},"(required)",[18,426,428],{"id":427},"environment-variables-reference","Environment variables reference",[31,430,431,441],{},[34,432,433],{},[37,434,435,437,439],{},[40,436,300],{},[40,438,102],{},[40,440,394],{},[50,442,443,461,473,485,497],{},[37,444,445,449,457],{},[55,446,447],{},[26,448,28],{},[55,450,451,452,454,455],{},"Backend selection: ",[26,453,62],{}," or ",[26,456,76],{},[55,458,459],{},[26,460,62],{},[37,462,463,467,470],{},[55,464,465],{},[26,466,348],{},[55,468,469],{},"Path to the encrypted secrets file",[55,471,472],{},"(required, no default)",[37,474,475,479,482],{},[55,476,477],{},[26,478,318],{},[55,480,481],{},"Master key for file backend encryption",[55,483,484],{},"Auto-generated, stored in OS keyring",[37,486,487,491,493],{},[55,488,489],{},[26,490,403],{},[55,492,406],{},[55,494,495],{},[26,496,411],{},[37,498,499,503,505],{},[55,500,501],{},[26,502,418],{},[55,504,421],{},[55,506,507],{},"(required for vault backend)",[18,509,511],{"id":510},"related-docs","Related docs",[206,513,514,521,528],{},[209,515,516,520],{},[362,517,519],{"href":518},"\u002Fdocs\u002Fnetwork-security\u002Fssl-configuration","SSL Configuration"," — SSL\u002FTLS connection setup",[209,522,523,527],{},[362,524,526],{"href":525},"\u002Fdocs\u002Fnetwork-security\u002Fdatabase-access-configuration","Database Access Configuration"," — Network and firewall setup",[209,529,530,534],{},[362,531,533],{"href":532},"\u002Fdocs\u002Fapi\u002Fconnections","Connections API Workflows"," — Connection management",{"title":536,"searchDepth":537,"depth":537,"links":538},"",2,[539,540,541,547,550,551],{"id":20,"depth":537,"text":21},{"id":82,"depth":537,"text":83},{"id":200,"depth":537,"text":201,"children":542},[543,545,546],{"id":225,"depth":544,"text":226},3,{"id":306,"depth":544,"text":307},{"id":341,"depth":544,"text":342},{"id":356,"depth":537,"text":357,"children":548},[549],{"id":379,"depth":544,"text":380},{"id":427,"depth":537,"text":428},{"id":510,"depth":537,"text":511},"How DBConvert Streams stores and protects database credentials, certificates, and API keys.","md",{},false,"\u002Fdocs\u002Fnetwork-security\u002Fcredential-management",null,{"title":5,"description":552},"docs\u002Fnetwork-security\u002Fcredential-management","LqTnIKJqM2PiNmMxhdQu8SiVP4txywK7CNbOe8boYiM",1783896284491]