Security
PulseDB takes security seriously. Connection credentials are encrypted at rest and never exposed to the client.
Encryption at rest
Connection passwords are encrypted using AES-256-GCM:
- Each password gets a unique random initialization vector (IV)
- Encryption key derived via SHA-256 from the master key
- Master key auto-generated on first run or set via
ENCRYPTION_KEYenv var - Backward compatible: legacy plaintext passwords are migrated on read
API security
- Passwords are never returned to the client
- API responses mask passwords as
"••••••••" - Database connections are established server-side only
- Connection test endpoints accept plaintext passwords (user-facing operation)
Best practices
- Use Docker with a dedicated volume for persistent data
- Set
ENCRYPTION_KEYvia environment variable (not in source code) - Keep the encryption key separate from the data volume when possible
- Use SSL/TLS for PostgreSQL connections (
ssl: true) - Regularly rotate database credentials
Reporting vulnerabilities
If you discover a security vulnerability, please report it privately:
- Email: security@elmoziml.com
- GitHub: Security Advisory
Do not open a public GitHub issue.
Response timeline
- Acknowledgment within 48 hours
- Initial assessment within 5 business days
- Fix timeline communicated after assessment