Security

PulseDB takes security seriously. Connection credentials are encrypted at rest and never exposed to the client.

Encryption at rest

Connection passwords are encrypted using AES-256-GCM:

  • Each password gets a unique random initialization vector (IV)
  • Encryption key derived via SHA-256 from the master key
  • Master key auto-generated on first run or set via ENCRYPTION_KEY env var
  • Backward compatible: legacy plaintext passwords are migrated on read

API security

  • Passwords are never returned to the client
  • API responses mask passwords as "••••••••"
  • Database connections are established server-side only
  • Connection test endpoints accept plaintext passwords (user-facing operation)

Best practices

  1. Use Docker with a dedicated volume for persistent data
  2. Set ENCRYPTION_KEY via environment variable (not in source code)
  3. Keep the encryption key separate from the data volume when possible
  4. Use SSL/TLS for PostgreSQL connections (ssl: true)
  5. Regularly rotate database credentials

Reporting vulnerabilities

If you discover a security vulnerability, please report it privately:

Do not open a public GitHub issue.

Response timeline

  • Acknowledgment within 48 hours
  • Initial assessment within 5 business days
  • Fix timeline communicated after assessment