Credential Encryption

How Conexor encrypts and protects your database credentials

Overview

Conexor never stores database credentials in plaintext. All connection strings are encrypted at rest using AES-256-GCM with keys derived from machine-specific secrets.

Encryption Algorithm

We use the following cryptographic primitives:

  • AES-256-GCM for symmetric encryption
  • PBKDF2 with 100,000 iterations for key derivation
  • Random IV per encryption operation
  • Machine-specific key derivation using MachineName, UserName, and OS
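
csharp
using System.Runtime.InteropServices;   // RuntimeInformation
using System.Security.Cryptography;     // Rfc2898DeriveBytes, AesGcm, RandomNumberGenerator

// Inputs supplied by the caller: byte[] salt (PBKDF2 salt), byte[] plaintext (connection string bytes)

// Key derivation: PBKDF2-SHA256, 100,000 iterations, 32-byte (256-bit) key
var machineSecret = $"{Environment.MachineName}:{Environment.UserName}:{RuntimeInformation.OSDescription}";
using var kdf = new Rfc2898DeriveBytes(machineSecret, salt, 100000, HashAlgorithmName.SHA256);
var key = kdf.GetBytes(32);

// Encryption (AES-256-GCM) with a fresh random nonce for every operation
var nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; // 12 bytes
RandomNumberGenerator.Fill(nonce);
var tag = new byte[AesGcm.TagByteSizes.MaxSize];     // 16 bytes
var ciphertext = new byte[plaintext.Length];
using var aes = new AesGcm(key, AesGcm.TagByteSizes.MaxSize);
aes.Encrypt(nonce, plaintext, ciphertext, tag);      // nonce and tag are needed again to decrypt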

Agent Mode

When using the on-premise agent, credentials are encrypted locally on the machine where the agent runs. The encrypted credentials are stored in the agent's local configuration file.

INFO: Credentials never leave your network. The cloud service never sees or stores your database connection strings.

Direct Connection Mode

For cloud-to-database connections, credentials are encrypted using a master key stored in environment variables. The encrypted credentials are stored in the PostgreSQL database.

bash
# Set the master key in your environment
export Encryption__MasterKey="your-256-bit-base64-encoded-key"

NOTE: In production, store the master key in a secrets manager like Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault.

Key Rotation

Currently, key rotation requires manual re-encryption of credentials. We recommend:

  1. Generate a new master key
  2. Decrypt all credentials with the old key
  3. Re-encrypt with the new key
  4. Update the master key in your environment
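
The rotation steps above, as an added C# example that is not Conexor's own code. The `nonce || tag || ciphertext` blob layout, the in-memory dictionary standing in for the credential store, and all function and variable names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed blob layout (not from the Conexor docs): nonce(12) || tag(16) || ciphertext
const int NonceLen = 12, TagLen = 16;

byte[] Encrypt(byte[] key, byte[] plaintext)
{
    var nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh nonce per operation
    byte[] tag = new byte[TagLen], ct = new byte[plaintext.Length];
    using var aes = new AesGcm(key, TagLen);
    aes.Encrypt(nonce, plaintext, ct, tag);
    return nonce.Concat(tag).Concat(ct).ToArray();
}

byte[] Decrypt(byte[] key, byte[] blob)
{
    if (blob.Length < NonceLen + TagLen) throw new CryptographicException("blob too short");
    var pt = new byte[blob.Length - NonceLen - TagLen];
    using var aes = new AesGcm(key, TagLen);
    // Throws CryptographicException when the key is wrong or the blob was altered.
    aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen), blob.AsSpan(NonceLen, TagLen), pt);
    return pt;
}

// Steps 2-3: build the whole rotated set in memory; any failure throws before anything is persisted.
Dictionary<string, byte[]> Rotate(IReadOnlyDictionary<string, byte[]> stored, byte[] oldKey, byte[] newKey)
{
    var rotated = new Dictionary<string, byte[]>();
    foreach (var (id, blob) in stored)
    {
        var plaintext = Decrypt(oldKey, blob);
        var candidate = Encrypt(newKey, plaintext);
        if (!CryptographicOperations.FixedTimeEquals(Decrypt(newKey, candidate), plaintext))
            throw new CryptographicException($"round-trip check failed for {id}");
        rotated[id] = candidate;
    }
    return rotated;
}

var currentKey = RandomNumberGenerator.GetBytes(32); // stands in for the existing master key
var nextKey = RandomNumberGenerator.GetBytes(32);    // step 1: new 256-bit master key
var sample = Encoding.UTF8.GetBytes("Host=db.example.internal;Password=constructed-sample"); // constructed
var demoStore = new Dictionary<string, byte[]> { ["reporting-db"] = Encrypt(currentKey, sample) };
var result = Rotate(demoStore, currentKey, nextKey);
Console.WriteLine($"re-encrypted {result.Count} credential(s) under the new key");
```

Persist the rotated blobs and update `Encryption__MasterKey` (step 4) together, and keep the old key retrievable until the new set has been read back successfully.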

Security Best Practices

  • Use the agent mode when possible - credentials stay on-premise
  • Never commit master keys to version control
  • Rotate encryption keys periodically (every 90 days recommended)
  • Use a secrets manager in production deployments
  • Restrict file system access to configuration files