VibeDBTool

Security Policy

How we protect your database credentials and ensure your data remains secure

Overview

VibeDBTool uses AES-256-GCM encryption to secure database passwords at rest. Even if the database is compromised, the stored passwords remain protected: decrypting them requires both the encrypted data and the master encryption key.

Security Architecture

Why This Approach is Secure

AES-256-GCM Algorithm
  • AES-256 is a military-grade encryption standard
  • GCM (Galois/Counter Mode) provides both encryption and authentication
  • No practical attack against AES-256 is currently known
Physical Separation of Keys and Data
  • Encrypted passwords are stored in the database
  • The master encryption key is stored only in environment variables
  • An attacker must compromise both the database and the application server to decrypt passwords
Random Initialization Vector (IV)
  • Each encryption uses a unique random IV
  • The same password encrypts differently each time
  • Prevents pattern analysis attacks
Authentication Tag (AuthTag)
  • Ensures data integrity and prevents tampering
  • Any modification to encrypted data will cause decryption to fail
  • Automatically validates data authenticity
In-Memory Decryption Only
  • Passwords are decrypted only when needed for database connections
  • Decrypted passwords never persist to disk
  • Memory is cleared after use

Implementation Details

Encryption Service

Our encryption service provides secure encryption and decryption of sensitive data:

  • encrypt(plaintext): Encrypts plaintext using AES-256-GCM
  • decrypt(ciphertext): Decrypts ciphertext and validates integrity
  • isEncrypted(value): Checks if a string is already encrypted

Format: Encrypted data is stored as IV:AuthTag:Ciphertext (hex-encoded)
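
The sketch below is an added example, not VibeDBTool's own code: it shows one way the three functions and the IV:AuthTag:Ciphertext format could look with Node.js's built-in crypto module, and how the tag check rejects any modified field. The 12-byte IV, the 16-byte tag, the explicit key parameter (the service described here reads its key from an environment variable) and the tamper and rejects helpers are assumptions made for the illustration.

```javascript
// Added illustration, not VibeDBTool's code. Assumed: 12-byte IV, 16-byte tag,
// and a 32-byte key passed in by the caller instead of read from the environment.
const crypto = require("node:crypto");

const IV_BYTES = 12;  // assumed: the 96-bit IV size recommended for GCM
const TAG_BYTES = 16; // assumed: full-length 128-bit tag
const ENVELOPE = new RegExp(
  `^[0-9a-f]{${IV_BYTES * 2}}:[0-9a-f]{${TAG_BYTES * 2}}:(?:[0-9a-f]{2})*$`);

function checkKey(key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
}

// Returns "iv:authTag:ciphertext", each field hex-encoded.
function encrypt(plaintext, key) {
  checkKey(key);
  const iv = crypto.randomBytes(IV_BYTES); // fresh per call; never reuse an IV with the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("hex")).join(":");
}

// Shape check only: the value looks like an envelope; it says nothing about authenticity.
function isEncrypted(value) {
  return typeof value === "string" && ENVELOPE.test(value);
}

// Throws if the envelope is malformed or the tag does not verify.
function decrypt(envelope, key) {
  checkKey(key);
  if (!isEncrypted(envelope)) throw new Error("malformed envelope");
  const [iv, tag, ct] = envelope.split(":").map((h) => Buffer.from(h, "hex"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  // final() throws when the IV, tag or ciphertext was modified, or the key is wrong.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Demo helper (hypothetical): change the last hex digit of one field (0=IV, 1=tag, 2=ciphertext).
function tamper(envelope, field) {
  const parts = envelope.split(":");
  const s = parts[field];
  parts[field] = s.slice(0, -1) + (s.endsWith("0") ? "1" : "0");
  return parts.join(":");
}

// Demo helper (hypothetical): true when decrypt() refuses the envelope.
function rejects(envelope, key) {
  try { decrypt(envelope, key); return false; } catch { return true; }
}
```

Because isEncrypted only checks the shape of the string, a plaintext password that happens to match the pattern would be treated as already encrypted; decrypt remains the only real authenticity check.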

Entity-Level Encryption

Database connections automatically handle encryption:

  • Encrypts passwords before saving to the database
  • Decrypts passwords after loading from the database
  • Provides secure methods for accessing decrypted passwords only when needed

Data Protection

At Rest

All passwords encrypted in database

In Transit

HTTPS/TLS for all API communications

In Memory

Decrypted only when needed, cleared after use

Security Best Practices

What We Do

  • Store the master key securely in environment variables, never in code
  • Use different keys per environment (dev, staging, production)
  • Monitor access logs and track encrypted data access
  • Backup keys securely in password managers or key vaults

What We Never Do

  • Log passwords, even encrypted ones
  • Commit keys to version control
  • Share keys between environments
  • Decrypt unnecessarily; decryption happens only when establishing connections

Compliance & Auditing

Encryption Standards Compliance

  • AES-256: FIPS 140-2 compliant
  • GCM Mode: NIST recommended for authenticated encryption
  • Key Management: Follows industry best practices for key storage

Audit Trail

All password operations are logged (without exposing actual passwords):

  • Password creation/update timestamps
  • Encryption status
  • Decryption attempts (for connection establishment)

Additional Security Features

Encrypted in transit (TLS)
Encrypted at rest (AES-256)
Read-only connection options
Zero-data retention policy

Security Support

For security-related questions or issues:

  1. Check this documentation first
  2. Review application logs for encryption errors
  3. Verify environment variable configuration
  4. Contact our development team for assistance
