Security

<h2 id="security" class="position-relative d-flex align-items-center group"> Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security" aria-haspopup="dialog" aria-label="Share link: Security"> Share link </button> </h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Enterprise-grade security features for protecting your data at rest, in transit, and in use. Geode provides comprehensive security capabilities including encryption, authentication, authorization, and compliance features. <blockquote> Current implementation status (2026-03-30) <ul> <li>Implemented today: TDE, FLE, RBAC/ABAC/RLS, audit logging, username/password auth, sessions, API keys, MFA, and mTLS</li> <li>Planned, not implemented: LDAP/Active Directory and OAuth2/OIDC</li> <li>Current open auth/tooling gap: local CLI auth commands do not yet delegate to a running server</li> </ul> </blockquote> <h3 id="overview" class="position-relative d-flex align-items-center group"> Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="overview" aria-haspopup="dialog" aria-label="Share link: Overview"> Share link </button> </h3>Security is built into every layer of Geode’s architecture. From mandatory TLS 1.3 for all network connections to Transparent Data Encryption (TDE) for data at rest, Row-Level Security (RLS) for fine-grained access control, and comprehensive audit logging for compliance, Geode provides the security features enterprises require. This section covers all security capabilities including encryption strategies, authentication mechanisms, authorization models, key management, password security, session management, and compliance features for GDPR, SOX, HIPAA, and PCI-DSS. <h3 id="security-architecture" class="position-relative d-flex align-items-center group"> Security Architecture <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-architecture" aria-haspopup="dialog" aria-label="Share link: Security Architecture"> Share link </button> </h3> <h4 id="defense-in-depth" class="position-relative d-flex align-items-center group"> Defense in Depth <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="defense-in-depth" aria-haspopup="dialog" aria-label="Share link: Defense in Depth"> Share link </button> </h4>Geode implements multiple layers of security: <ol> <li>Network Security: TLS 1.3 mandatory, no plaintext connections</li> <li>Authentication: Username/password, sessions, API keys, MFA, and mTLS</li> <li>Authorization: RBAC, ABAC, and RLS for access control</li> <li>Encryption at Rest: TDE with AES-256-GCM</li> <li>Field-Level Encryption: Searchable encryption for sensitive data</li> <li>Audit Logging: Comprehensive audit trail for compliance</li> <li>Key Management: Integration with HashiCorp Vault</li> </ol> <h4 id="zero-trust-model" class="position-relative d-flex align-items-center group"> Zero Trust Model <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="zero-trust-model" aria-haspopup="dialog" aria-label="Share link: Zero Trust Model"> Share link </button> </h4><ul> <li>Verify Explicitly: Authenticate and authorize every request</li> <li>Least Privilege: Grant minimum required permissions</li> <li>Assume Breach: Monitor, log, and detect anomalies</li> </ul> <h3 id="topics-in-this-section" class="position-relative d-flex align-items-center group"> Topics in This Section <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="topics-in-this-section" aria-haspopup="dialog" aria-label="Share link: Topics in This Section"> Share link </button> </h3><ul> <li><a href="/docs/security/overview/" >Security Overview</a> - Comprehensive security architecture overview including threat model, security controls, and best practices</li> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> - Searchable encryption for sensitive fields with key rotation and performance optimization</li> <li><a href="/docs/security/kms-integration/" >KMS Integration</a> - Key Management Service integration with HashiCorp Vault for secure key storage and rotation</li> <li><a href="/docs/security/password-hashing/" >Password Hashing</a> - Secure password storage with Argon2id, bcrypt, and PBKDF2 algorithms</li> <li><a href="/docs/security/post-quantum-readiness/" >Post-Quantum Readiness</a> - Cryptographic architecture for the Post-Quantum era including forward secrecy and algorithmic choices</li> <li><a href="/docs/security/session-management/" >Session Management</a> - Secure session handling including session tokens, timeout, and revocation</li> </ul> <h3 id="encryption" class="position-relative d-flex align-items-center group"> Encryption <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption" aria-haspopup="dialog" aria-label="Share link: Encryption"> Share link </button> </h3> <h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group"> Transparent Data Encryption (TDE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="transparent-data-encryption-tde" aria-haspopup="dialog" aria-label="Share link: Transparent Data Encryption (TDE)"> Share link </button> </h4>Encrypt all data at rest with AES-256-GCM: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml security: tde: enabled: true key_hex: '<32-byte-hex-key>' # 256-bit key </code></pre></div>Features: <ul> <li>Algorithm: AES-256-GCM (authenticated encryption)</li> <li>Scope: All pages, indexes, and WAL segments</li> <li>Key Rotation: Supported with background re-encryption</li> </ul> See: <a href="/docs/security/overview/#transparent-data-encryption" >Security Overview</a> <h4 id="field-level-encryption-fle" class="position-relative d-flex align-items-center group"> Field-Level Encryption (FLE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="field-level-encryption-fle" aria-haspopup="dialog" aria-label="Share link: Field-Level Encryption (FLE)"> Share link </button> </h4>Encrypt specific sensitive fields: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create field with encryption CREATE (:Person { name: 'Alice', ssn: encrypt('123-45-6789', 'ssn-key'), email: 'alice@example.com' }); -- Query encrypted field (searchable) MATCH (p:Person) WHERE decrypt(p.ssn, 'ssn-key') = '123-45-6789' RETURN p.name; </code></pre></div>Features: <ul> <li>Searchable Encryption: Query encrypted fields</li> <li>Deterministic Encryption: Same plaintext → same ciphertext (enables equality)</li> <li>Order-Preserving Encryption: Range queries on encrypted data</li> <li>Key Rotation: Re-encrypt data with new keys</li> </ul> See: <a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> <h4 id="encryption-in-transit" class="position-relative d-flex align-items-center group"> Encryption in Transit <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-in-transit" aria-haspopup="dialog" aria-label="Share link: Encryption in Transit"> Share link </button> </h4>All network communication encrypted with TLS 1.3: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Server with TLS certificates geode serve \ --cert /etc/geode/certs/server-cert.pem \ --key /etc/geode/certs/server-key.pem </code></pre></div>Features: <ul> <li>TLS 1.3 Only: No fallback to older versions</li> <li>Strong Cipher Suites: AES-256-GCM, ChaCha20-Poly1305</li> <li>Perfect Forward Secrecy: ECDHE key exchange</li> <li>Certificate Validation: Mutual TLS supported</li> </ul> <h3 id="authentication" class="position-relative d-flex align-items-center group"> Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication" aria-haspopup="dialog" aria-label="Share link: Authentication"> Share link </button> </h3> <h4 id="authentication-methods" class="position-relative d-flex align-items-center group"> Authentication Methods <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication-methods" aria-haspopup="dialog" aria-label="Share link: Authentication Methods"> Share link </button> </h4>Username/Password: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Connect with credentials geode shell --username geode --password secret </code></pre></div>Multi-Factor Authentication (MFA): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: mfa: enabled: true totp: issuer: "Geode" digits: 6 period: 30 </code></pre></div>API Keys: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate API key geode apikey create --user alice --name prod-app --scope query:execute # Use API key export GEODE_API_KEY="gsk_..." geode shell </code></pre></div>LDAP/Active Directory / OAuth2/OIDC: These remain roadmap items, not currently implemented server features. See <a href="/docs/security/authentication/" >Authentication</a> for the current-state matrix and gap references. See: <a href="/docs/security/overview/#authentication" >Security Overview</a> <h4 id="password-security" class="position-relative d-flex align-items-center group"> Password Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-security" aria-haspopup="dialog" aria-label="Share link: Password Security"> Share link </button> </h4>Secure password storage with Argon2id: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: password_hashing: algorithm: "argon2id" argon2: memory: 65536 # 64 MB iterations: 3 parallelism: 4 </code></pre></div>Supported Algorithms: <ul> <li>Argon2id (recommended): Resistant to GPU/ASIC attacks</li> <li>bcrypt: Industry standard, slower but secure</li> <li>PBKDF2: NIST approved, configurable iterations</li> </ul> See: <a href="/docs/security/password-hashing/" >Password Hashing</a> <h3 id="authorization" class="position-relative d-flex align-items-center group"> Authorization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization" aria-haspopup="dialog" aria-label="Share link: Authorization"> Share link </button> </h3> <h4 id="role-based-access-control-rbac" class="position-relative d-flex align-items-center group"> Role-Based Access Control (RBAC) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="role-based-access-control-rbac" aria-haspopup="dialog" aria-label="Share link: Role-Based Access Control (RBAC)"> Share link </button> </h4>Define roles with specific permissions: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create role CREATE ROLE analyst; -- Grant permissions GRANT SELECT ON GRAPH SocialNetwork TO analyst; GRANT EXECUTE ON PROCEDURE analytics.* TO analyst; -- Assign role to user GRANT ROLE analyst TO alice; </code></pre></div> <h4 id="attribute-based-access-control-abac" class="position-relative d-flex align-items-center group"> Attribute-Based Access Control (ABAC) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="attribute-based-access-control-abac" aria-haspopup="dialog" aria-label="Share link: Attribute-Based Access Control (ABAC)"> Share link </button> </h4>Fine-grained policies based on attributes: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create ABAC policy CREATE POLICY data_scientist_policy FOR SELECT ON :Person WHEN user.department = 'Data Science' AND user.clearance_level >= 3; </code></pre></div> <h4 id="row-level-security-rls" class="position-relative d-flex align-items-center group"> Row-Level Security (RLS) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="row-level-security-rls" aria-haspopup="dialog" aria-label="Share link: Row-Level Security (RLS)"> Share link </button> </h4>Restrict access at the row level: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create RLS policy CREATE POLICY customer_isolation FOR SELECT ON :Order WHEN current_user.customer_id = order.customer_id; -- Enable policy ENABLE POLICY customer_isolation; </code></pre></div>Features: <ul> <li>Transparent: Policies applied automatically to queries</li> <li>Performance: Optimized policy evaluation</li> <li>Composable: Multiple policies combine with AND logic</li> <li>Audit: Policy evaluations logged</li> </ul> See: <a href="/docs/security/overview/#row-level-security" >Security Overview</a> <h3 id="key-management" class="position-relative d-flex align-items-center group"> Key Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-management" aria-haspopup="dialog" aria-label="Share link: Key Management"> Share link </button> </h3> <h4 id="hashicorp-vault-integration" class="position-relative d-flex align-items-center group"> HashiCorp Vault Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hashicorp-vault-integration" aria-haspopup="dialog" aria-label="Share link: HashiCorp Vault Integration"> Share link </button> </h4>Centralized key management with Vault: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: kms: provider: "vault" vault: address: "https://vault.example.com:8200" token: "${VAULT_TOKEN}" mount_path: "secret/geode" key_path: "tde-master-key" </code></pre></div>Features: <ul> <li>Centralized Keys: All encryption keys in Vault</li> <li>Key Rotation: Automated key rotation</li> <li>Audit: All key access logged</li> <li>High Availability: Vault’s HA capabilities</li> </ul> See: <a href="/docs/security/kms-integration/" >KMS Integration</a> <h4 id="key-rotation" class="position-relative d-flex align-items-center group"> Key Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-rotation" aria-haspopup="dialog" aria-label="Share link: Key Rotation"> Share link </button> </h4>Rotate encryption keys without downtime: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Rotate TDE key geode admin rotate-tde-key \ --old-key-id master-key-v1 \ --new-key-id master-key-v2 # Background re-encryption # Monitor progress: geode admin rotation-status </code></pre></div> <h3 id="session-management" class="position-relative d-flex align-items-center group"> Session Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="session-management" aria-haspopup="dialog" aria-label="Share link: Session Management"> Share link </button> </h3>Secure session handling: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: sessions: timeout: 3600 # 1 hour absolute_timeout: 28800 # 8 hours cookie_secure: true cookie_httponly: true cookie_samesite: "strict" </code></pre></div>Features: <ul> <li>Session Tokens: Cryptographically secure tokens</li> <li>Timeout: Idle and absolute timeout</li> <li>Revocation: Immediate session termination</li> <li>Single Sign-On: Integration with SSO providers</li> </ul> See: <a href="/docs/security/session-management/" >Session Management</a> <h3 id="compliance" class="position-relative d-flex align-items-center group"> Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance" aria-haspopup="dialog" aria-label="Share link: Compliance"> Share link </button> </h3> <h4 id="audit-logging" class="position-relative d-flex align-items-center group"> Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-logging" aria-haspopup="dialog" aria-label="Share link: Audit Logging"> Share link </button> </h4>Comprehensive audit trail: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: audit: enabled: true log_path: "/var/log/geode/audit.log" events: - authentication - authorization - data_access - schema_changes - admin_actions </code></pre></div>Audit Events: <ul> <li>Authentication: Login, logout, MFA challenges</li> <li>Authorization: Permission checks, policy evaluations</li> <li>Data Access: All query executions with user context</li> <li>Schema Changes: DDL operations</li> <li>Administrative Actions: User management, policy changes</li> </ul> See: <a href="/docs/ops/audit-logging/" >Audit Logging</a> <h4 id="compliance-features" class="position-relative d-flex align-items-center group"> Compliance Features <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-features" aria-haspopup="dialog" aria-label="Share link: Compliance Features"> Share link </button> </h4>GDPR Compliance: <ul> <li>Data access logging</li> <li>Right to erasure (DELETE operations)</li> <li>Data portability (export features)</li> <li>Consent tracking</li> </ul> SOX Compliance: <ul> <li>Access controls for financial data</li> <li>Audit trail of all data modifications</li> <li>Separation of duties with RBAC</li> <li>Change management tracking</li> </ul> HIPAA Compliance: <ul> <li>Encryption at rest and in transit</li> <li>Access controls for PHI</li> <li>Audit logging of all PHI access</li> <li>Breach notification support</li> </ul> PCI-DSS Compliance: <ul> <li>Strong access controls</li> <li>Encryption of cardholder data</li> <li>Audit trails</li> <li>Network segmentation support</li> </ul> <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3> <h4 id="encryption-1" class="position-relative d-flex align-items-center group"> Encryption <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-1" aria-haspopup="dialog" aria-label="Share link: Encryption"> Share link </button> </h4><ul> <li>Enable TDE: Encrypt all data at rest</li> <li>Use TLS 1.3: No plaintext connections</li> <li>Rotate Keys: Regular key rotation schedule</li> <li>Secure Key Storage: Use KMS (Vault) for keys</li> <li>Field-Level Encryption: For highly sensitive data</li> </ul> <h4 id="authentication-1" class="position-relative d-flex align-items-center group"> Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication-1" aria-haspopup="dialog" aria-label="Share link: Authentication"> Share link </button> </h4><ul> <li>Enforce Strong Passwords: Minimum length, complexity requirements</li> <li>Enable MFA: Require MFA for administrative access</li> <li>Use API Keys: For service accounts and automation</li> <li>Integrate with LDAP/AD: Centralized user management</li> <li>Monitor Failed Logins: Alert on suspicious activity</li> </ul> <h4 id="authorization-1" class="position-relative d-flex align-items-center group"> Authorization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-1" aria-haspopup="dialog" aria-label="Share link: Authorization"> Share link </button> </h4><ul> <li>Principle of Least Privilege: Grant minimum required permissions</li> <li>Use RBAC: Role-based permissions instead of user-specific</li> <li>Implement RLS: Row-level isolation for multi-tenant systems</li> <li>Regular Access Reviews: Audit and revoke unnecessary permissions</li> <li>Separate Duties: No single user with all privileges</li> </ul> <h4 id="monitoring" class="position-relative d-flex align-items-center group"> Monitoring <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="monitoring" aria-haspopup="dialog" aria-label="Share link: Monitoring"> Share link </button> </h4><ul> <li>Enable Audit Logging: Log all security events</li> <li>Monitor Anomalies: Alert on unusual access patterns</li> <li>Track Failed Auth: Multiple failed attempts → alert</li> <li>Review Logs: Regular security log analysis</li> <li>Compliance Reports: Generate compliance reports</li> </ul> <h3 id="threat-model" class="position-relative d-flex align-items-center group"> Threat Model <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="threat-model" aria-haspopup="dialog" aria-label="Share link: Threat Model"> Share link </button> </h3> <h4 id="threats-addressed" class="position-relative d-flex align-items-center group"> Threats Addressed <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="threats-addressed" aria-haspopup="dialog" aria-label="Share link: Threats Addressed"> Share link </button> </h4>Network Attacks: <ul> <li>✅ Man-in-the-middle: TLS 1.3</li> <li>✅ Eavesdropping: Encryption in transit</li> <li>✅ Replay attacks: Nonce-based authentication</li> </ul> Data Attacks: <ul> <li>✅ Data theft: TDE, FLE</li> <li>✅ Unauthorized access: RBAC, RLS</li> <li>✅ SQL injection: Parameterized queries</li> </ul> Authentication Attacks: <ul> <li>✅ Brute force: Rate limiting, account lockout</li> <li>✅ Credential stuffing: MFA, password policies</li> <li>✅ Session hijacking: Secure session tokens</li> </ul> Insider Threats: <ul> <li>✅ Privilege abuse: Audit logging, RLS</li> <li>✅ Data exfiltration: Access controls, monitoring</li> <li>✅ Unauthorized changes: Audit trail, RBAC</li> </ul> <h4 id="security-controls" class="position-relative d-flex align-items-center group"> Security Controls <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-controls" aria-haspopup="dialog" aria-label="Share link: Security Controls"> Share link </button> </h4>Preventive Controls: <ul> <li>TLS 1.3 for all connections</li> <li>Strong authentication with MFA</li> <li>RBAC and RLS for authorization</li> <li>Encryption at rest (TDE, FLE)</li> </ul> Detective Controls: <ul> <li>Comprehensive audit logging</li> <li>Anomaly detection</li> <li>Failed authentication monitoring</li> <li>Access pattern analysis</li> </ul> Corrective Controls: <ul> <li>Session revocation</li> <li>Account lockout</li> <li>Policy enforcement</li> <li>Incident response procedures</li> </ul> <h3 id="learn-more" class="position-relative d-flex align-items-center group"> Learn More <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="learn-more" aria-haspopup="dialog" aria-label="Share link: Learn More"> Share link </button> </h3><ul> <li><a href="/docs/ops/deployment/" >Deployment Guide</a> - Secure production deployment</li> <li><a href="/docs/ops/audit-logging/" >Audit Logging</a> - Compliance and audit trails</li> <li><a href="/docs/configuration/" >Configuration Reference</a> - Security configuration</li> <li><a href="/docs/guides/troubleshooting/" >Troubleshooting</a> - Security issue resolution</li> </ul> <h3 id="security-resources" class="position-relative d-flex align-items-center group"> Security Resources <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-resources" aria-haspopup="dialog" aria-label="Share link: Security Resources"> Share link </button> </h3><ul> <li>Security Advisories: Monitor for security updates</li> <li>Best Practices Guide: <a href="/docs/security/overview/" >Security Overview</a> </li> <li>Compliance Documentation: Regulation-specific guides</li> <li>Security Checklist: Pre-deployment security review</li> </ul> <h3 id="reporting-security-issues" class="position-relative d-flex align-items-center group"> Reporting Security Issues <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="reporting-security-issues" aria-haspopup="dialog" aria-label="Share link: Reporting Security Issues"> Share link </button> </h3>Found a security vulnerability? <ul> <li>Email: <a href="mailto:[email protected]" >[email protected]</a> </li> <li>PGP Key: Available on website</li> <li>Response Time: Within 48 hours</li> <li>Disclosure: Coordinated disclosure process</li> </ul> Do NOT report security issues on public issue trackers.

Popular

Pages

Security and Compliance Guide

Authentication

Authorization

Post-Quantum Readiness & Cryptography

Field-Level Encryption Guide

Session Management Guide

Key Management System (KMS) Integration

Password Hashing with Argon2id