Standard Encryption

The credential protection layer applied automatically to every NeoSQL project. It works with no setup; if you need a stronger guarantee, layer Zero-Knowledge mode on top.

Security model overview

NeoSQL's security goal is "even operators cannot see your data."

AspectStandardZero-Knowledge
Encryption algorithmAES-256-GCMAES-256-GCM (same)
Encryption key protectionAWS KMS Envelope EncryptionUser secret key (Argon2id) — no KMS
Operator plaintext accessHidden from admin console; theoretically possible with code + KMS accessImpossible without the secret key
Recovery if key lostOperators can help via KMSNo recovery (intentional trade-off)
When appliedAuto-applied to all projectsPer-project explicit opt-in

Standard protection — applied to every project automatically

The moment you create a project, NeoSQL encrypts the following 15 credential fields with AES-256-GCM.

15 encrypted fields

  • Connection-level (shared by project members): host · port · URL · database · DB user · DB password · SSL client cert · SSL client key · SSL client key password
  • User-level (per member): SSH username · SSH password · SSH private key · SSH passphrase · proxy username · proxy password

AWS KMS Envelope Encryption

A unique DEK (Data Encryption Key) is issued per project and the DEK itself is wrapped by AWS KMS Customer Master Key. Even if the entire server database is leaked, no credential can be decrypted without the KMS key.

Plaintext credentials never appear in the UI

Connection lists, project screens, and ERDs never display passwords or certificates in plaintext. Only the edit modal handles them as masked input.

Standard protection — encryption flow

UserUser-enteredDB credentials (plaintext)AWS KMS CMKMaster key thatis never exposed(AWS-isolated)wrapDEK (per-project)AES-256-GCM key, 32 bytesStored KMS-wrapped in DBencrypt15 _enc fieldshost · port · url · passwordSSL cert · SSH key · ...AES-256-GCM ciphertextnv_connection / nv_connection_userOperatorCannot read plaintextfrom DB queries alone(KMS access required)❌ Blocked

User → KMS-DEK → AES-256-GCM → 15 fields. KMS CMK seals the DEK so even an operator without KMS access cannot reach credentials.

NeoSQL administrator access policy

The administrator console (CMS) shows operational data only — user ID, email, subscription status. It NEVER displays user DB credentials on any screen.

Under standard mode, an operator with both code access and KMS access could in theory decrypt credentials by querying the database directly through the KMS API. Zero-Knowledge mode closes this last gap by removing the operator's ability entirely.