<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 -->
<p>Forward Secrecy, also known as Perfect Forward Secrecy (PFS), is a critical security property that Geode enforces through mandatory TLS 1.3. This cryptographic feature ensures that even if an attacker compromises your server’s long-term private key in the future, they cannot decrypt previously recorded encrypted sessions. Geode’s implementation of forward secrecy protects your graph data against “store now, decrypt later” attacks, making it essential for long-term data confidentiality.</p>
<h3 id="understanding-forward-secrecy" class="position-relative d-flex align-items-center group">
<span>Understanding Forward Secrecy</span>
</h3><p>Forward secrecy addresses a fundamental vulnerability in traditional public key cryptography: if an attacker records encrypted traffic today and later obtains the server’s private key (through theft, legal compulsion, or cryptographic advances), they could decrypt all historical communications.</p>
<h4 id="the-problem-without-forward-secrecy" class="position-relative d-flex align-items-center group">
<span>The Problem Without Forward Secrecy</span>
</h4><p>Without forward secrecy, a single key compromise can be catastrophic:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Time T1: Attacker records encrypted traffic
</span></span><span class="line"><span class="cl">    Client <------ Encrypted Session ------> Server
</span></span><span class="line"><span class="cl">                 (Recorded by attacker)
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Time T2: Server's private key compromised
</span></span><span class="line"><span class="cl">    Attacker obtains server private key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Time T3: Historical decryption possible
</span></span><span class="line"><span class="cl">    Attacker decrypts ALL recorded sessions
</span></span></code></pre></div><p>This vulnerability is particularly concerning because:</p>
<ul>
<li><strong>Nation-state adversaries</strong> may record encrypted traffic at scale</li>
<li><strong>Storage costs</strong> continue to decrease, making bulk storage feasible</li>
<li><strong>Quantum computers</strong> may eventually break current asymmetric cryptography (note that a recorded ECDHE key exchange is itself asymmetric: classical forward secrecy limits the damage of a stolen long-term key, but only a post-quantum key exchange protects recorded sessions against a future quantum computer)</li>
<li><strong>Key theft</strong> through breaches or insider threats is always possible</li>
</ul>
<h4 id="how-forward-secrecy-protects-data" class="position-relative d-flex align-items-center group">
<span>How Forward Secrecy Protects Data</span>
</h4><p>With forward secrecy, each session uses unique ephemeral keys:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Session 1:
</span></span><span class="line"><span class="cl">    Client generates ephemeral key pair K1
</span></span><span class="line"><span class="cl">    Server generates ephemeral key pair K1'
</span></span><span class="line"><span class="cl">    Session key derived from K1 and K1'
</span></span><span class="line"><span class="cl">    K1 and K1' deleted after session
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Result: Compromising server's long-term key
</span></span><span class="line"><span class="cl">        reveals NOTHING about past sessions
</span></span></code></pre></div>
<h3 id="tls-13-and-forward-secrecy" class="position-relative d-flex align-items-center group">
<span>TLS 1.3 and Forward Secrecy</span>
</h3><p>Geode exclusively uses TLS 1.3, which mandates forward secrecy for all connections. Earlier TLS versions allowed static RSA and static Diffie-Hellman key exchange, in which the session key was protected by the server's long-term key; TLS 1.3 removed those cipher suites, so every handshake performs an ephemeral (EC)DHE exchange.</p>
<h4 id="tls-13-key-exchange" class="position-relative d-flex align-items-center group">
<span>TLS 1.3 Key Exchange</span>
</h4><table>
<thead>
<tr>
<th>Algorithm</th>
<th>Description</th>
<th>Performance</th>
<th>Security Level</th>
</tr>
</thead>
<tbody>
<tr>
<td>X25519</td>
<td>Curve25519 ECDHE</td>
<td>Fastest</td>
<td>128-bit equivalent</td>
</tr>
<tr>
<td>secp384r1</td>
<td>P-384 ECDHE</td>
<td>Fast</td>
<td>192-bit equivalent</td>
</tr>
</tbody>
</table>
<h4 id="the-tls-13-handshake" class="position-relative d-flex align-items-center group">
<span>The TLS 1.3 Handshake</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Client                                      Server
</span></span><span class="line"><span class="cl">  |---- ClientHello + Key Share (X25519) ------->|
</span></span><span class="line"><span class="cl">  |<--- ServerHello + Key Share (X25519) --------|
</span></span><span class="line"><span class="cl">  |<--- {EncryptedExtensions, Certificate} ------|
</span></span><span class="line"><span class="cl">  |<--- {CertificateVerify, Finished} -----------|
</span></span><span class="line"><span class="cl">  |--- {Finished} ------------------------------>|
</span></span><span class="line"><span class="cl">  |<========= Application Data (Encrypted) =====>|
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Key Points:
</span></span><span class="line"><span class="cl">- Both parties contribute ephemeral keys
</span></span><span class="line"><span class="cl">- Session keys derived from ephemeral exchange
</span></span><span class="line"><span class="cl">- Long-term keys only used for authentication
</span></span><span class="line"><span class="cl">- Ephemeral keys discarded after handshake
</span></span></code></pre></div>
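<p>To make the key points above concrete, here is an added Go example (this editor's code, not Geode's) that models the exchange: each side signs a fresh X25519 key share with a long-term Ed25519 identity key, derives a traffic key from the ephemeral shared secret, and then drops the ephemeral private key, so a later compromise of the identity key yields nothing about the session. Both sides sign here for symmetry, whereas in TLS 1.3 only the server sends CertificateVerify; the HKDF-style derivation is simplified, and all type and function names are this example's own.</p>

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is one endpoint with a long-term Ed25519 identity key (the certificate key's analogue); it only signs.
type Party struct {
	identityPriv ed25519.PrivateKey
	IdentityPub  ed25519.PublicKey
}

func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{identityPriv: priv, IdentityPub: pub}, nil
}

// KeyShare is what crosses the wire and what an observer can record: an ephemeral X25519 public key plus a signature.
type KeyShare struct {
	EphemeralPub []byte
	Signature    []byte
}

// Session holds one handshake's ephemeral private key; it never leaves this struct and is dropped after key derivation.
type Session struct {
	ephPriv *ecdh.PrivateKey
	Share   KeyShare
}

// StartSession makes a fresh X25519 key pair and signs its public half with the long-term key (Key Share + CertificateVerify).
func (p *Party) StartSession() (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pub := priv.PublicKey().Bytes()
	share := KeyShare{EphemeralPub: pub, Signature: ed25519.Sign(p.identityPriv, pub)}
	return &Session{ephPriv: priv, Share: share}, nil
}

// Finish authenticates the peer's share, runs X25519, derives the traffic key and then discards the
// ephemeral private key: once it is gone, not even a later thief of the identity key can recompute the secret.
func (s *Session) Finish(peerIdentity ed25519.PublicKey, peer KeyShare) ([]byte, error) {
	if s.ephPriv == nil {
		return nil, errors.New("session already finished; ephemeral key erased")
	}
	if !ed25519.Verify(peerIdentity, peer.EphemeralPub, peer.Signature) {
		return nil, errors.New("peer key share not signed by the expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := s.ephPriv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	key := deriveTrafficKey(shared, s.Share.EphemeralPub, peer.EphemeralPub)
	s.ephPriv = nil // drop the only reference; Go has no direct way to zero the key's memory
	return key, nil
}

// Erased reports whether the ephemeral private key has been discarded.
func (s *Session) Erased() bool { return s.ephPriv == nil }

// deriveTrafficKey is a simplified HKDF extract/expand over the secret and both shares; TLS 1.3 binds keys to the transcript hash.
func deriveTrafficKey(shared, a, b []byte) []byte {
	if string(a) > string(b) { // order-independent so both sides derive the same key
		a, b = b, a
	}
	extract := hmac.New(sha256.New, []byte("demo-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("demo traffic key"))
	expand.Write(a)
	expand.Write(b)
	return expand.Sum(nil)
}

// Handshake runs one exchange and returns the key each side derived; only the two Share values cross the wire.
func Handshake(client, server *Party) (clientKey, serverKey []byte, err error) {
	cs, err1 := client.StartSession()
	ss, err2 := server.StartSession()
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	if clientKey, err = cs.Finish(server.IdentityPub, ss.Share); err != nil {
		return nil, nil, err
	}
	serverKey, err = ss.Finish(client.IdentityPub, cs.Share)
	return clientKey, serverKey, err
}
```

<p>Running two handshakes between the same two parties yields two unrelated 32-byte keys, and a share signed by a third party's identity key is rejected, which is the authentication role the long-term key keeps.</p>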
<h3 id="geode-configuration" class="position-relative d-flex align-items-center group">
<span>Geode Configuration</span>
</h3>
<h4 id="default-configuration" class="position-relative d-flex align-items-center group">
<span>Default Configuration</span>
</h4><p>Geode enables forward secrecy by default with optimal settings:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Forward secrecy is automatic with TLS 1.3</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check forward secrecy status</span>
</span></span><span class="line"><span class="cl">geode tls-status --verbose
</span></span><span class="line"><span class="cl"><span class="c1"># TLS Version: 1.3</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Key Exchange: X25519 (ECDHE)</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Forward Secrecy: Enabled</span>
</span></span></code></pre></div>
<h4 id="configuration-file" class="position-relative d-flex align-items-center group">
<span>Configuration File</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">server</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listen</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0.0:3141"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.key"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">min_version</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.3"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_version</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.3"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_exchange_preferences</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">X25519 </span><span class="w"> </span><span class="c"># Fastest, recommended</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">secp384r1 </span><span class="w"> </span><span class="c"># Higher security level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cipher_suites</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TLS_AES_256_GCM_SHA384</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TLS_CHACHA20_POLY1305_SHA256</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="verifying-forward-secrecy" class="position-relative d-flex align-items-center group">
<span>Verifying Forward Secrecy</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Test with OpenSSL</span>
</span></span><span class="line"><span class="cl">openssl s_client -connect geode.example.com:3141 -tls1_3 &lt;/dev/null 2><span class="p">&</span><span class="m">1</span> <span class="p">|</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> grep -E <span class="s2">"(Protocol|Cipher|Server Temp Key)"</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Protocol : TLSv1.3</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Cipher : TLS_AES_256_GCM_SHA384</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Server Temp Key: X25519, 253 bits</span>
</span></span></code></pre></div>
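<p>As an added, in-process counterpart to the openssl check (this editor's example, not a Geode tool), the Go program below builds a <code>crypto/tls</code> server config with the same settings as the <code>tls:</code> block of geode.yaml, runs a handshake over an in-memory pipe and reports what was negotiated, then shows a client capped at TLS 1.2 being refused. The certificate is a constructed throw-away one, session tickets are disabled only so the synchronous pipe cannot stall, and the function names are this example's own.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a constructed throw-away certificate for "localhost" so the probe
// runs entirely in-process; a deployment uses cert_file and key_file from geode.yaml instead.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// ServerConfig mirrors the geode.yaml tls: block: TLS 1.3 only, ECDHE groups X25519 then P-384.
// Go selects TLS 1.3 cipher suites itself (all are AEAD over ECDHE), so cipher_suites has no knob here.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		MaxVersion:             tls.VersionTLS13,
		CurvePreferences:       []tls.CurveID{tls.X25519, tls.CurveP384},
		SessionTicketsDisabled: true, // only to keep the synchronous net.Pipe below from stalling
	}
}

// Probe handshakes over an in-memory pipe with a client offering at most clientMax and
// returns what was negotiated; a refused handshake comes back as an error.
func Probe(srv *tls.Config, roots *x509.CertPool, clientMax uint16) (tls.ConnectionState, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(sConn, srv).Handshake() }()
	client := tls.Client(cConn, &tls.Config{
		ServerName: "localhost",
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax,
	})
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-serverDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

// versionName renders the version the way openssl s_client prints it.
func versionName(v uint16) string {
	if v == tls.VersionTLS13 {
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// Report mirrors the Protocol/Cipher lines of the openssl check.
func Report(st tls.ConnectionState) string {
	return fmt.Sprintf("Protocol  : %s\nCipher    : %s", versionName(st.Version), tls.CipherSuiteName(st.CipherSuite))
}
```

<p>A successful probe reports <code>Protocol  : TLSv1.3</code> with one of the three TLS 1.3 suites, while a client capped at TLS 1.2 gets a protocol-version alert instead of a session.</p>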
<h3 id="client-library-configuration" class="position-relative d-flex align-items-center group">
<span>Client Library Configuration</span>
</h3><p><strong>Go Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">config</span> <span class="o">:=</span> <span class="o">&</span><span class="nx">geode</span><span class="p">.</span><span class="nx">Config</span><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">Host</span><span class="p">:</span> <span class="s">"geode.example.com:3141"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nx">TLS</span><span class="p">:</span> <span class="o">&</span><span class="nx">geode</span><span class="p">.</span><span class="nx">TLSConfig</span><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">MinVersion</span><span class="p">:</span> <span class="nx">tls</span><span class="p">.</span><span class="nx">VersionTLS13</span><span class="p">,</span> <span class="c1">// Enforces forward secrecy
</span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="nx">CurvePreferences</span><span class="p">:</span> <span class="p">[]</span><span class="nx">tls</span><span class="p">.</span><span class="nx">CurveID</span><span class="p">{</span><span class="nx">tls</span><span class="p">.</span><span class="nx">X25519</span><span class="p">,</span> <span class="nx">tls</span><span class="p">.</span><span class="nx">CurveP384</span><span class="p">},</span>
</span></span><span class="line"><span class="cl"> <span class="p">},</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="nx">client</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">geode</span><span class="p">.</span><span class="nf">NewClient</span><span class="p">(</span><span class="nx">config</span><span class="p">)</span>
</span></span></code></pre></div><p><strong>Python Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">tls_config</span> <span class="o">=</span> <span class="n">TLSConfig</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">ca_file</span><span class="o">=</span><span class="s2">"/path/to/ca.crt"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">min_version</span><span class="o">=</span><span class="s2">"TLSv1.3"</span><span class="p">,</span> <span class="c1"># Enforces forward secrecy</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"geode.example.com"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span> <span class="n">tls</span><span class="o">=</span><span class="n">tls_config</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (n:Sensitive) RETURN n"</span><span class="p">)</span>
</span></span></code></pre></div><p><strong>Rust Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-rust" data-lang="rust"><span class="line"><span class="cl"><span class="kd">let</span><span class="w"> </span><span class="n">tls_config</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TlsConfig</span>::<span class="n">new</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">with_ca</span><span class="p">(</span><span class="n">PathBuf</span>::<span class="n">from</span><span class="p">(</span><span class="s">"ca.crt"</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">with_min_version</span><span class="p">(</span><span class="n">TlsVersion</span>::<span class="n">Tls13</span><span class="p">);</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="n">client</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Client</span>::<span class="n">builder</span><span class="p">().</span><span class="n">host</span><span class="p">(</span><span class="s">"geode.example.com"</span><span class="p">).</span><span class="n">tls</span><span class="p">(</span><span class="n">tls_config</span><span class="p">).</span><span class="n">build</span><span class="p">().</span><span class="k">await</span><span class="o">?</span><span class="p">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="ephemeral-key-management" class="position-relative d-flex align-items-center group">
<span>Ephemeral Key Management</span>
</h3><p>Geode handles ephemeral key management automatically with secure memory handling:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secure_key_memory</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Secure memory allocation for keys</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lock_key_memory</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Prevent keys from being swapped to disk</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secure_erase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Zero memory before deallocation</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="session-resumption" class="position-relative d-flex align-items-center group">
<span>Session Resumption</span>
</h3><p>TLS 1.3 resumes a session with a pre-shared key (PSK) carried in an encrypted session ticket. A resumed connection keeps forward secrecy only in the psk_dhe_ke mode, which mixes a fresh (EC)DHE shared secret into the resumed session; the PSK-only mode (psk_ke) does not, because anyone who can open the ticket can derive every key. 0-RTT early data is the exception in either mode: it is encrypted under keys derived from the PSK alone, so it is neither forward secret nor replay-protected, which is why the configuration below turns it off. Rotating the ticket-encryption key bounds how many tickets a compromised key can open, and the ticket lifetime bounds how long a stolen ticket stays usable:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">session_resumption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ticket_lifetime</span><span class="p">:</span><span class="w"> </span><span class="m">86400</span><span class="w"> </span><span class="c"># 24 hours</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ticket_rotation</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w"> </span><span class="c"># Rotate keys hourly</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_0rtt</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Disable for maximum security</span><span class="w">
</span></span></span></code></pre></div><table>
<thead>
<tr>
<th>Mode</th>
<th>Forward Secrecy</th>
<th>Latency</th>
<th>Use Case</th>
</tr>
</thead>
<tbody>
<tr>
<td>Full Handshake</td>
<td>Full</td>
<td>1-RTT</td>
<td>First connection</td>
</tr>
<tr>
<td>1-RTT Resumption</td>
<td>Full</td>
<td>1-RTT</td>
<td>Subsequent connections</td>
</tr>
<tr>
<td>0-RTT Resumption</td>
<td>Partial: early data is protected by the PSK alone (not forward secret, replayable); data after the handshake completes is forward secret</td>
<td>0-RTT</td>
<td>Idempotent, latency-critical reads only</td>
</tr>
</tbody>
</table>
<h3 id="quantum-computing-preparedness" class="position-relative d-flex align-items-center group">
<span>Quantum Computing Preparedness</span>
</h3><p>Forward secrecy narrows the quantum threat but does not remove it, so it is worth being precise about what it covers:</p>
<ul>
<li><strong>Covered</strong>: a future break of the server's long-term key, whether by theft or by a quantum attack on the certificate's signature algorithm. Each past session derived its keys from a unique ephemeral exchange, so nothing in the long-term key lets an attacker recover them.</li>
<li><strong>Not covered</strong>: a quantum attacker who recorded the handshake itself. X25519 is an elliptic-curve exchange, and a cryptographically relevant quantum computer running Shor's algorithm could recover the ephemeral shared secret from the recorded key shares and then derive every session key. Forward secrecy guarantees that the ephemeral secret is gone from the server; it does not make the exchange harder to break.</li>
<li><strong>Symmetric layer</strong>: AES-256 keeps a comfortable margin even against Grover's algorithm, so recorded ciphertext is only as weak as the key exchange that produced its keys.</li>
<li><strong>What closes the gap</strong>: a post-quantum or hybrid key exchange (for example X25519 combined with ML-KEM) in addition to forward secrecy; see the Post-Quantum Cryptography topic under Related Topics.</li>
</ul>
<h3 id="monitoring-and-verification" class="position-relative d-flex align-items-center group">
<span>Monitoring and Verification</span>
</h3>
<h4 id="tls-metrics" class="position-relative d-flex align-items-center group">
<span>TLS Metrics</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">geode metrics <span class="p">|</span> grep -E <span class="s2">"(tls_|forward_secrecy)"</span>
</span></span><span class="line"><span class="cl"><span class="c1"># tls_handshakes_total{key_exchange="X25519"} 15234</span>
</span></span><span class="line"><span class="cl"><span class="c1"># tls_forward_secrecy_enabled 1</span>
</span></span></code></pre></div>
<h4 id="audit-logging" class="position-relative d-flex align-items-center group">
<span>Audit Logging</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_tls_parameters</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">include</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">tls_version, cipher_suite, key_exchange, forward_secrecy_status]</span><span class="w">
</span></span></span></code></pre></div>
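<p>Logging the TLS parameters is only useful if something reads them. The following added example, which is not Geode code, runs a forward-secrecy policy check over audit records. Only the four field names come from the configuration above; the JSON-lines layout, the value spellings (for example "enabled"), the connection_id field and the sample records themselves are assumptions constructed for the example.</p>

```python
# Added example (not Geode code): a policy check over TLS audit records. The
# field names come from the audit configuration; the JSON-lines layout, the
# value spellings and the connection_id field are assumptions.
import json
from typing import Dict, List

# (EC)DHE groups TLS 1.3 can negotiate; anything else means no ephemeral exchange.
EPHEMERAL_GROUPS = {
    "X25519", "X448", "secp256r1", "secp384r1", "secp521r1",
    "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192",
}
# Cipher suites defined by TLS 1.3 (all AEAD; the key exchange is not part of the name).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def check_record(rec: dict) -> List[str]:
    """Return the policy violations in one audit record (empty list = compliant)."""
    findings = []
    if rec.get("tls_version") != "1.3":
        findings.append("protocol below TLS 1.3")
    if rec.get("cipher_suite") not in TLS13_SUITES:
        findings.append("non-TLS 1.3 cipher suite")
    if rec.get("key_exchange") not in EPHEMERAL_GROUPS:
        findings.append("key exchange is not ephemeral")
    if rec.get("forward_secrecy_status") != "enabled":
        findings.append("forward secrecy not reported as enabled")
    # TLS 1.3 has no non-ephemeral key exchange, so a record claiming both is a
    # logging or proxy fault and deserves its own finding.
    if rec.get("tls_version") == "1.3" and rec.get("key_exchange") not in EPHEMERAL_GROUPS:
        findings.append("inconsistent record: TLS 1.3 with non-ephemeral key exchange")
    return findings


def audit_findings(lines: List[str]) -> Dict[str, List[str]]:
    """Map connection_id -> findings for every non-compliant record; unparseable lines are reported too."""
    report: Dict[str, List[str]] = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[f"line-{n}"] = ["unparseable audit record"]
            continue
        findings = check_record(rec)
        if findings:
            report[rec.get("connection_id", f"line-{n}")] = findings
    return report


# Constructed sample records, not real Geode output.
SAMPLE_LOG = [
    '{"connection_id": "c1", "tls_version": "1.3", "cipher_suite": "TLS_AES_256_GCM_SHA384", "key_exchange": "X25519", "forward_secrecy_status": "enabled"}',
    '{"connection_id": "c2", "tls_version": "1.2", "cipher_suite": "TLS_RSA_WITH_AES_256_GCM_SHA384", "key_exchange": "RSA", "forward_secrecy_status": "disabled"}',
    '{"connection_id": "c3", "tls_version": "1.3", "cipher_suite": "TLS_AES_128_GCM_SHA256", "key_exchange": "RSA", "forward_secrecy_status": "enabled"}',
    'not json at all',
]

if __name__ == "__main__":
    for cid, findings in audit_findings(SAMPLE_LOG).items():
        print(cid, "->", "; ".join(findings))
```

<p>Run against the sample, c1 passes, c2 is the classic TLS 1.2 RSA key-transport connection that forward secrecy is meant to rule out, and c3 is internally contradictory, which in practice usually points at a TLS-terminating proxy in front of Geode logging its own parameters rather than the client-facing ones.</p>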
<h3 id="troubleshooting" class="position-relative d-flex align-items-center group">
<span>Troubleshooting</span>
</h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check if forward secrecy is active</span>
</span></span><span class="line"><span class="cl">geode tls-verify --host<span class="o">=</span>geode.example.com:3141
</span></span><span class="line"><span class="cl"><span class="c1"># TLS 1.3: Yes</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Forward Secrecy: Enabled</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Key Exchange: X25519</span>
</span></span></code></pre></div><p><strong>Common Issues</strong>:</p>
<ul>
<li><strong>TLS 1.2 connections rejected</strong>: Update client to support TLS 1.3</li>
<li><strong>Key exchange mismatch</strong>: Ensure the client offers at least one key-exchange group the server accepts (X25519 in the output above)</li>
<li><strong>Protocol downgrade</strong>: Verify min_version is set to “1.3”</li>
</ul>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/tls/"
>TLS Encryption</a>
- Transport security configuration</li>
<li><a
href="/tags/post-quantum/"
>Post-Quantum Cryptography</a>
- Future-proofing security</li>
<li><a
href="/tags/encryption/"
>Encryption</a>
- Data encryption at rest</li>
<li><a
href="/tags/security/"
>Security</a>
- Security overview</li>
<li><a
href="/tags/authentication/"
>Authentication</a>
- Identity verification</li>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory requirements</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><a
href="/docs/architecture/security-architecture/"
>Security Architecture</a>
- Security design</li>
<li><a
href="/docs/ops/deployment/"
>Deployment Guide</a>
- Production deployment</li>
<li><a
href="/docs/security/session-management/"
>Session Management</a>
- Session security</li>
<li>RFC 8446 - TLS 1.3 Specification</li>
<li>NIST SP 800-52 Rev. 2 - TLS Implementation Guidelines</li>
</ul>