<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<h2 id="security-features-and-architecture-in-geode" class="position-relative d-flex align-items-center group">
<span>Security Features and Architecture in Geode</span>
</h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden>
</div>
<script>
</script><p>Security is foundational to Geode’s design, not an afterthought. Geode implements defense-in-depth security with multiple layers of protection, from mandatory network encryption to fine-grained data access controls. This zero-trust architecture makes Geode suitable for regulated industries including healthcare, finance, and government.</p>
<h3 id="introduction-to-database-security" class="position-relative d-flex align-items-center group">
<span>Introduction to Database Security</span>
</h3><p>Modern database security requires protection across multiple dimensions:</p>
<ul>
<li><strong>Network Security</strong>: Encrypt data in transit to prevent eavesdropping</li>
<li><strong>Authentication</strong>: Verify user identity before granting access</li>
<li><strong>Authorization</strong>: Control what authenticated users can access</li>
<li><strong>Data Encryption</strong>: Protect data at rest from unauthorized access</li>
<li><strong>Audit Logging</strong>: Track access for compliance and forensics</li>
<li><strong>Data Integrity</strong>: Prevent unauthorized modifications</li>
</ul>
<p>Traditional databases often make security optional or add it as an afterthought. Geode makes security mandatory and deeply integrated.</p>
<h3 id="geodes-security-architecture" class="position-relative d-flex align-items-center group">
<span>Geode&rsquo;s Security Architecture</span>
</h3>
<h4 id="mandatory-tls-13-encryption" class="position-relative d-flex align-items-center group">
<span>Mandatory TLS 1.3 Encryption</span>
</h4><p>Geode <strong>requires</strong> TLS 1.3 for all network connections with <strong>no plaintext fallback</strong>:</p>
<p><strong>Why TLS 1.3</strong>:</p>
<ul>
<li><strong>Strong cipher suites only</strong>: Only modern AEAD suites (AES-GCM, ChaCha20-Poly1305) are negotiated; legacy weak ciphers are never offered</li>
<li><strong>Forward secrecy</strong>: Past sessions remain confidential even if the server&rsquo;s long-term private key is later compromised</li>
<li><strong>Faster handshake</strong>: 0-RTT resumption for returning clients (0-RTT early data is not replay-protected, so it is only appropriate for idempotent requests)</li>
<li><strong>Simplified configuration</strong>: Removes insecure options</li>
</ul>
<p><strong>Server configuration</strong> (the examples below bind to every interface with <code>0.0.0.0</code>; in deployments, restrict <code>--listen</code> to the address you actually intend to expose):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate self-signed certificate (development)</span>
</span></span><span class="line"><span class="cl">openssl req -x509 -newkey rsa:4096 -nodes <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -keyout server-key.pem -out server-cert.pem -days <span class="m">365</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=localhost"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Start server with TLS</span>
</span></span><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-cert<span class="o">=</span>server-cert.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>server-key.pem
</span></span></code></pre></div><p><strong>Client connection (Python)</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Production: Verify server certificate</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">host</span><span class="o">=</span><span class="s2">"geodedb.example.com"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">ca_cert</span><span class="o">=</span><span class="s2">"/path/to/ca-bundle.crt"</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (n:User) RETURN count(n) AS total"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Development: Self-signed certificate</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">skip_verify</span><span class="o">=</span><span class="kc">True</span> <span class="c1"># Skip verification (dev only!)</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (n:User) RETURN count(n) AS total"</span><span class="p">)</span>
</span></span></code></pre></div><p><strong>Certificate management best practices</strong>:</p>
<ul>
<li>Use Let’s Encrypt for public-facing servers (free, automated)</li>
<li>Use an internal CA for private networks</li>
<li>Rotate certificates before expiration (automate with certbot)</li>
<li>Store private keys securely (never in version control)</li>
</ul>
<h4 id="authentication" class="position-relative d-flex align-items-center group">
<span>Authentication</span>
</h4><p>Geode supports multiple authentication mechanisms:</p>
<p><strong>Built-in Username/Password</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">password</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_password_here</span><span class="err">'</span><span class="w"> </span><span class="py">REQUIRE</span><span class="w"> </span><span class="py">SECURE</span><span class="w"> </span><span class="py">TRANSPORT</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">connects</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">credentials</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="p">(</span><span class="py">Credentials</span><span class="w"> </span><span class="py">sent</span><span class="w"> </span><span class="py">over</span><span class="w"> </span><span class="py">TLS</span><span class="err">-</span><span class="py">encrypted</span><span class="w"> </span><span class="py">connection</span><span class="p">)</span><span class="w">
</span></span></span></code></pre></div><p><strong>Python client authentication</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">AuthClient</span><span class="p">,</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">auth</span> <span class="o">=</span> <span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"secure_password_here"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (n:Node) RETURN n"</span><span class="p">)</span>
</span></span></code></pre></div><p><strong>Password hashing</strong> (server-side):</p>
<ul>
<li>Uses <strong>Argon2id</strong> (winner of Password Hashing Competition)</li>
<li>Configurable time cost, memory cost, parallelism</li>
<li>Memory-hard, which makes GPU/ASIC-accelerated password cracking expensive</li>
<li>Automatically salted</li>
</ul>
<p><strong>Certificate-Based Authentication</strong> (mTLS):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Server requires client certificates</span>
</span></span><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-cert<span class="o">=</span>server-cert.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>server-key.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-client-auth<span class="o">=</span>required <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-ca-file<span class="o">=</span>client-ca.pem
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Client provides certificate</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">ca_cert</span><span class="o">=</span><span class="s2">"/path/to/ca.pem"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">client_cert</span><span class="o">=</span><span class="s2">"/path/to/client-cert.pem"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">client_key</span><span class="o">=</span><span class="s2">"/path/to/client-key.pem"</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (n:Node) RETURN n"</span><span class="p">)</span>
</span></span></code></pre></div><p><strong>LDAP/Active Directory Integration</strong> (Enterprise). The example below passes the bind password on the command line for brevity; on a real host, process arguments are visible in process listings and shell history, so inject the secret through a secrets manager or another non-argv mechanism in deployments:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Configure LDAP authentication</span>
</span></span><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --auth-method<span class="o">=</span>ldap <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ldap-url<span class="o">=</span><span class="s2">"ldaps://ldap.example.com:636"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ldap-bind-dn<span class="o">=</span><span class="s2">"cn=geode,ou=services,dc=example,dc=com"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ldap-bind-password<span class="o">=</span><span class="s2">"service_password"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ldap-user-dn<span class="o">=</span><span class="s2">"ou=users,dc=example,dc=com"</span>
</span></span></code></pre></div>
<h4 id="authorization-and-access-control" class="position-relative d-flex align-items-center group">
<span>Authorization and Access Control</span>
</h4><p>Geode implements fine-grained access control at multiple levels:</p>
<p><strong>Database-Level Permissions</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">database</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ACCESS</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">DATABASE</span><span class="w"> </span><span class="py">sales</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ACCESS</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">DATABASE</span><span class="w"> </span><span class="py">sales</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Label-Level Permissions</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="py">labels</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">Product</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">write</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">Order</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Read</span><span class="err">-</span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">LABELS</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">readonly_user</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Property-Level Permissions</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">User</span><span class="p">(</span><span class="py">id</span><span class="p">,</span><span class="w"> </span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">)</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">support_team</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">support_team</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">User</span><span class="err">.</span><span class="py">ssn</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">User</span><span class="err">.</span><span class="py">salary</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">update</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">properties</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">User</span><span class="p">(</span><span class="py">email</span><span class="p">,</span><span class="w"> </span><span class="py">phone</span><span class="p">)</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">profile_editor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">profile_editor</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">modify</span><span class="w"> </span><span class="py">contact</span><span class="w"> </span><span class="py">info</span><span class="p">,</span><span class="w"> </span><span class="py">not</span><span class="w"> </span><span class="py">other</span><span class="w"> </span><span class="py">fields</span><span class="w">
</span></span></span></code></pre></div><p><strong>Row-Level Security (RLS)</strong>:</p>
<p>RLS policies filter query results based on user context. A policy only takes effect once row-level security is enabled on the label (see the <code>ALTER LABEL … ENABLE ROW LEVEL SECURITY</code> statements at the end of the listing), and a policy declared <code>FOR SELECT</code> is expected to constrain reads only — writes need their own policies or a <code>FOR ALL</code> policy. When the <code>USING</code> predicate uses an <code>EXISTS</code> subquery, confirm that the pattern is correlated to the row being evaluated: a pattern that introduces its own unbound <code>e</code> would evaluate to the same result for every row and would not isolate data per manager.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">user_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">User</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Managers</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">team</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">team_visibility</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">REPORTS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">manager</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">manager</span><span class="err">.</span><span class="py">user_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Enable</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">table</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">ENABLE</span><span class="w"> </span><span class="py">ROW</span><span class="w"> </span><span class="py">LEVEL</span><span class="w"> </span><span class="py">SECURITY</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">Employee</span><span class="w"> </span><span class="py">ENABLE</span><span class="w"> </span><span class="py">ROW</span><span class="w"> </span><span class="py">LEVEL</span><span class="w"> </span><span class="py">SECURITY</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Python usage with RLS</strong> (the passwords are inline only for brevity — in real code read credentials from a secret store or environment, never from source):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">AuthClient</span><span class="p">,</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># User alice logs in</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">auth</span> <span class="o">=</span> <span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"alice_password"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Query automatically filtered by RLS policy</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2"> MATCH (e:Employee)
</span></span></span><span class="line"><span class="cl"><span class="s2"> RETURN e.name, e.salary
</span></span></span><span class="line"><span class="cl"><span class="s2"> """</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Only returns employees alice manages (RLS policy applied)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Different user sees different results</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">auth</span> <span class="o">=</span> <span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"bob"</span><span class="p">,</span> <span class="s2">"bob_password"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2"> MATCH (e:Employee)
</span></span></span><span class="line"><span class="cl"><span class="s2"> RETURN e.name, e.salary
</span></span></span><span class="line"><span class="cl"><span class="s2"> """</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Only returns employees bob manages</span>
</span></span></code></pre></div><p><strong>RLS Policy Examples</strong>:</p>
<p>Multi-tenant isolation (a <code>FOR ALL</code> policy on every label applies to reads and writes alike, so each label must carry a <code>tenant_id</code> property and every write must set it — rows without one would not satisfy the predicate):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">LABELS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Time-based access (the hour comes from the server clock, so confirm which time zone <code>current_timestamp()</code> reports before relying on this as a control, and treat it as defence in depth rather than the only restriction on <code>SensitiveData</code>):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">SensitiveData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">extract_hour</span><span class="p">(</span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">9</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">17</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Role-based filtering:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">role_based_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">security_level</span><span class="w"> </span><span class="err"><</span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">current_user_id</span><span class="p">()})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">clearance_level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="data-encryption-at-rest" class="position-relative d-flex align-items-center group">
<span>Data Encryption at Rest</span>
</h4><p><strong>Transparent Data Encryption (TDE)</strong>:</p>
<p>Geode encrypts database files automatically using AES-256-GCM. Create the key file with restrictive permissions (run <code>umask 077</code> before the <code>openssl</code> command, or <code>chmod 600</code> the file afterwards), keep it outside <code>--data-dir</code> and out of the backup set, and remember that <code>--listen 0.0.0.0:3141</code> binds every interface — TDE protects files on disk, not the client connection:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate encryption key</span>
</span></span><span class="line"><span class="cl">openssl rand -hex <span class="m">32</span> > database-encryption-key.txt
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Start server with TDE</span>
</span></span><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --data-dir<span class="o">=</span>/var/lib/geode <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-file<span class="o">=</span>database-encryption-key.txt
</span></span></code></pre></div><p><strong>Key characteristics</strong>:</p>
<ul>
<li>AES-256-GCM (authenticated encryption)</li>
<li>Per-page encryption (16KB blocks)</li>
<li>Low overhead (~5% performance impact)</li>
<li>Protects against physical theft and leaked backups of the data files — but not against anyone who obtains the key file or who can query the running server with valid credentials; keep the key separate from the data and from its backups</li>
</ul>
<p><strong>Key Management Service (KMS) Integration</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Use AWS KMS for key management</span>
</span></span><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-kms<span class="o">=</span>aws <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-kms-key-id<span class="o">=</span>arn:aws:kms:us-east-1:123456789012:key/abc-def <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-kms-region<span class="o">=</span>us-east-1
</span></span></code></pre></div><p><strong>Field-Level Encryption (FLE)</strong>:</p>
<p>Encrypt specific sensitive fields in the application before they reach the database. The example below calls <code>Fernet.generate_key()</code> at import time purely for illustration: in a real deployment load the key from a secret store or KMS, because a key generated on every process start cannot decrypt anything stored by a previous run. Fernet ciphertext is randomized, so an encrypted field cannot be matched or indexed by value, and <code>get_user_ssn</code> should check that a row was returned before indexing <code>result.bindings[0]</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">cryptography.fernet</span> <span class="kn">import</span> <span class="n">Fernet</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Application-managed encryption key</span>
</span></span><span class="line"><span class="cl"><span class="n">encryption_key</span> <span class="o">=</span> <span class="n">Fernet</span><span class="o">.</span><span class="n">generate_key</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="n">Fernet</span><span class="p">(</span><span class="n">encryption_key</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">create_user_with_encrypted_ssn</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">ssn</span><span class="p">):</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Encrypt SSN before storing</span>
</span></span><span class="line"><span class="cl"> <span class="n">encrypted_ssn</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">ssn</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2"> CREATE (u:User {
</span></span></span><span class="line"><span class="cl"><span class="s2"> name: $name,
</span></span></span><span class="line"><span class="cl"><span class="s2"> ssn_encrypted: $ssn_encrypted
</span></span></span><span class="line"><span class="cl"><span class="s2"> })
</span></span></span><span class="line"><span class="cl"><span class="s2"> """</span><span class="p">,</span> <span class="p">{</span><span class="s2">"name"</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="s2">"ssn_encrypted"</span><span class="p">:</span> <span class="n">encrypted_ssn</span><span class="p">})</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">get_user_ssn</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span>
</span></span><span class="line"><span class="cl"> <span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2"> MATCH (u:User {id: $id})
</span></span></span><span class="line"><span class="cl"><span class="s2"> RETURN u.ssn_encrypted
</span></span></span><span class="line"><span class="cl"><span class="s2"> """</span><span class="p">,</span> <span class="p">{</span><span class="s2">"id"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">})</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="n">encrypted_ssn</span> <span class="o">=</span> <span class="n">result</span><span class="o">.</span><span class="n">bindings</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s1">'ssn_encrypted'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Decrypt after retrieving</span>
</span></span><span class="line"><span class="cl"> <span class="n">ssn</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">encrypted_ssn</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ssn</span>
</span></span></code></pre></div><p><strong>FLE vs TDE</strong>:</p>
<ul>
<li><strong>TDE</strong>: Protects stored files, transparent to application, database can query</li>
<li><strong>FLE</strong>: Protects specific fields, application-managed, database sees only ciphertext — so it also shields those fields from a privileged database user or a compromised server, at the cost that they cannot be filtered, sorted or indexed server-side and key rotation must be handled by the application</li>
</ul>
<h4 id="audit-logging" class="position-relative d-flex align-items-center group">
<span>Audit Logging</span>
</h4><p>Comprehensive logging for compliance and forensics. Treat the audit log itself as sensitive data: at the <code>verbose</code> level the <code>query</code> events shown below record query text and bound parameters, which can include personal data or secrets passed as values, so restrict the file's permissions, forward it to an append-only or off-host store so that a compromised server cannot rewrite its own trail, and apply a retention policy:</p>
<p><strong>Enable audit logging</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">geode serve --listen 0.0.0.0:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-file<span class="o">=</span>/var/log/geode/audit.jsonl <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-level<span class="o">=</span>verbose
</span></span></code></pre></div><p><strong>Audit log format</strong> (JSON Lines):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2026-01-24T14:32:45.123Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"authentication"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"username"</span><span class="p">:</span> <span class="s2">"alice"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"source_ip"</span><span class="p">:</span> <span class="s2">"192.168.1.100"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"status"</span><span class="p">:</span> <span class="s2">"success"</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2026-01-24T14:32:46.456Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"query"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"username"</span><span class="p">:</span> <span class="s2">"alice"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"database"</span><span class="p">:</span> <span class="s2">"production"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"query"</span><span class="p">:</span> <span class="s2">"MATCH (u:User {id: $id}) RETURN u"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"params"</span><span class="p">:</span> <span class="p">{</span><span class="nt">"id"</span><span class="p">:</span> <span class="mi">123</span><span class="p">},</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"rows_returned"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"duration_ms"</span><span class="p">:</span> <span class="mf">2.4</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2026-01-24T14:32:50.789Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"authorization_failure"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"username"</span><span class="p">:</span> <span class="s2">"bob"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"database"</span><span class="p">:</span> <span class="s2">"production"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"attempted_action"</span><span class="p">:</span> <span class="s2">"DELETE"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"resource"</span><span class="p">:</span> <span class="s2">"User"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"reason"</span><span class="p">:</span> <span class="s2">"insufficient_privileges"</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div><p><strong>Audit log analysis</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">json</span>
</span></span><span class="line"><span class="cl">
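def analyze_audit_log(log_file, threshold=10):
    """Count failed authentication events per user in a JSON-lines audit log.

    Each line of ``log_file`` is parsed as one JSON event. Events with
    ``event_type == "authentication"`` and ``status == "failure"`` are tallied
    by ``username``; users whose count exceeds ``threshold`` are reported on
    stdout as possible brute-force attempts.

    Args:
        log_file: Path to the ``.jsonl`` audit log.
        threshold: Number of failures above which a user is reported.

    Returns:
        dict mapping username -> failed-login count for every user seen (not
        only those above ``threshold``), so callers can feed the numbers into
        their own alerting instead of scraping the printed lines.

    Notes:
        Blank lines and lines that are not a JSON object are skipped and
        counted rather than treated as fatal: a log that is being appended to
        while it is read can end in a partial line, and one corrupt record
        should not hide every other event. Counts cover the whole file, not a
        time window, so run this on a rotated slice (e.g. the last hour) if
        what you want is a rate.
    """
    failed_logins = {}
    malformed = 0

    with open(log_file, encoding="utf-8") as f:
        for raw in f:
            line = raw.strip()
            if not line:
                continue
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                malformed += 1
                continue
            if not isinstance(event, dict):
                malformed += 1
                continue

            # .get() rather than [] — an event without these keys is simply
            # not a failed login; a KeyError here would abort the whole scan.
            if event.get('event_type') == 'authentication' and event.get('status') == 'failure':
                # username is attacker-supplied (it is whatever the client sent);
                # it is only used as a dict key and in the alert text below.
                username = event.get('username', '<unknown>')
                failed_logins[username] = failed_logins.get(username, 0) + 1

    if malformed:
        print(f"WARNING: skipped {malformed} malformed line(s) in {log_file}")

    # Alert on brute force attempts
    for username, count in failed_logins.items():
        if count > threshold:
            print(f"ALERT: {username} has {count} failed login attempts")

    return failed_logins


if __name__ == "__main__":
    # Guarded so importing this module (e.g. from a scheduler) does not read
    # the production log as a side effect.
    analyze_audit_log("/var/log/geode/audit.jsonl")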
</span></span></code></pre></div>
<h3 id="security-best-practices" class="position-relative d-flex align-items-center group">
<span>Security Best Practices</span>
</h3>
<h4 id="principle-of-least-privilege" class="position-relative d-flex align-items-center group">
<span>Principle of Least Privilege</span>
</h4><p>Grant minimum necessary permissions:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">BAD</span><span class="p">:</span><span class="w"> </span><span class="nc">Overly</span><span class="w"> </span><span class="py">permissive</span><span class="w">
GRANT ALL PRIVILEGES ON ALL LABELS TO app_user;

-- GOOD: Specific permissions
-- Scope each grant to the labels (and, where supported, the properties) the
-- application actually touches. Below, app_user can read three User properties,
-- can create and modify Orders but not delete them, and can only read Products.
GRANT SELECT ON User(id, name, email) TO app_user;
GRANT INSERT, UPDATE ON Order TO app_user;
GRANT SELECT ON Product TO app_user;
</span></span></span></code></pre></div>
<h4 id="secure-credential-management" class="position-relative d-flex align-items-center group">
<span>Secure Credential Management</span>
</h4><p><strong>Never hardcode credentials</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># BAD: Hardcoded password</span>
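# BAD: Hardcoded password — it ends up in source control, build artifacts and
# every developer's clone, and rotating it means a code change and redeploy.
client = Client("localhost", 3141, username="app", password="hardcoded_pass")

# GOOD: Environment variables
import os

# os.environ[...] rather than os.getenv(): a missing variable must fail loudly
# here (KeyError) instead of surfacing later as a confusing "Access denied"
# after the client has sent username=None / password=None to the server.
client = Client(
    "localhost",
    3141,
    username=os.environ["GEODE_USERNAME"],
    password=os.environ["GEODE_PASSWORD"],
)
# Caveat: environment variables are still readable by anything that can inspect
# the process (ps, /proc/<pid>/environ, crash dumps) and are inherited by child
# processes, so keep them out of shell history, CI logs and debug output.

# BETTER: Secrets management service
import json  # needed for json.loads() below
from boto3.session import Session

secrets_client = Session().client('secretsmanager', region_name='us-east-1')
secret = secrets_client.get_secret_value(SecretId='geode/prod/credentials')
credentials = json.loads(secret['SecretString'])

client = Client(
    "localhost",
    3141,
    username=credentials['username'],
    password=credentials['password']
)
# The secret is read once at startup: after a rotation, reconnecting clients must
# re-read it rather than reuse this `credentials` dict. Restrict the calling
# role's IAM policy to GetSecretValue on exactly this SecretId.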
</span></span></code></pre></div>
<h4 id="regular-security-audits" class="position-relative d-flex align-items-center group">
<span>Regular Security Audits</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Automated security checks</span>
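async def security_audit(host="localhost", port=3141, username="admin"):
    """Run a few configuration checks against a Geode server and report findings.

    Each check is a SHOW query. A finding is appended to the returned list and
    also printed as a WARNING, so the function works both from a scheduler
    (printed output) and from code (return value / exit status).

    Args:
        host, port, username: Connection parameters; the defaults match the
            original example. NOTE(review): the account must be allowed to run
            SHOW USERS / SHOW GRANTS / SHOW VARIABLES. Prefer a dedicated
            read-only auditing role over the admin account where the server
            supports one, so a leaked audit credential cannot change anything.

    Returns:
        list[str]: Human-readable findings; empty when every check passed.
    """
    findings = []
    client = Client(host, port, username=username)
    # Distinct name for the connection so `client` is not shadowed inside the block.
    async with client.connection() as conn:
        # Check for users without passwords
        result, _ = await conn.query("""
            SHOW USERS WHERE password_set = false
        """)
        if result.bindings:
            findings.append(f"{len(result.bindings)} users without passwords")

        # Check for overly permissive grants
        result, _ = await conn.query("""
            SHOW GRANTS WHERE privilege = 'ALL' AND grantee NOT IN ('admin', 'root')
        """)
        if result.bindings:
            findings.append(f"{len(result.bindings)} users with ALL privileges")

        # Check TLS enforcement. Fail closed: if the variable is absent from the
        # result (older server, renamed setting), report TLS as NOT enforced
        # instead of crashing on bindings[0] and never reaching the check.
        result, _ = await conn.query("SHOW VARIABLES LIKE 'require_secure_transport'")
        value = result.bindings[0]['value'] if result.bindings else None
        if value != 'ON':
            findings.append(f"TLS not enforced (require_secure_transport={value!r})")

    for finding in findings:
        print(f"WARNING: {finding}")
    return findings


if __name__ == "__main__":
    # `await` is only valid inside a coroutine; drive the audit with
    # asyncio.run() and exit non-zero when anything was found so that a
    # cron/CI job actually notices.
    import asyncio
    import sys

    sys.exit(1 if asyncio.run(security_audit()) else 0)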
</span></span></code></pre></div>
<h4 id="defense-in-depth" class="position-relative d-flex align-items-center group">
<span>Defense in Depth</span>
</h4><p>Layer multiple security controls:</p>
<ol>
<li><strong>Network</strong>: Firewall rules, VPN, TLS</li>
<li><strong>Authentication</strong>: Strong passwords, MFA, certificate-based</li>
<li><strong>Authorization</strong>: RBAC, RLS policies</li>
<li><strong>Encryption</strong>: TDE for data at rest, TLS for data in transit</li>
<li><strong>Auditing</strong>: Comprehensive logging, monitoring, alerts</li>
<li><strong>Application</strong>: Input validation, parameterized queries, rate limiting</li>
</ol>
<h3 id="compliance-and-standards" class="position-relative d-flex align-items-center group">
<span>Compliance and Standards</span>
</h3><p>Geode’s security features support — but do not by themselves establish — compliance with the frameworks below. Each also requires controls outside the database (policies, access reviews, evidence retention, incident handling), and the features only help if they are actually enabled and configured as described in this guide:</p>
<p><strong>GDPR</strong> (General Data Protection Regulation):</p>
<ul>
<li>RLS for data access control</li>
<li>Audit logging for data access tracking</li>
<li>Encryption at rest and in transit</li>
<li>Right to be forgotten (data deletion; note that deleted records can persist in backups and that audit log entries naming the user remain until the log is rotated, so plan retention accordingly)</li>
</ul>
<p><strong>HIPAA</strong> (Health Insurance Portability and Accountability Act):</p>
<ul>
<li>Encryption of PHI (Protected Health Information)</li>
<li>Access controls and authentication</li>
<li>Audit trails for PHI access</li>
<li>Data integrity verification</li>
</ul>
<p><strong>PCI DSS</strong> (Payment Card Industry Data Security Standard):</p>
<ul>
<li>Strong access control measures</li>
<li>Network security (TLS 1.3)</li>
<li>Encryption of cardholder data</li>
<li>Logging and monitoring</li>
</ul>
<p><strong>SOC 2</strong> (Service Organization Control 2):</p>
<ul>
<li>Access controls and authentication</li>
<li>Encryption and secure data handling</li>
<li>Audit logging and monitoring</li>
<li>Incident response procedures</li>
</ul>
<h3 id="troubleshooting-security-issues" class="position-relative d-flex align-items-center group">
<span>Troubleshooting Security Issues</span>
</h3>
<h4 id="issue-tls-handshake-failures" class="position-relative d-flex align-items-center group">
<span>Issue: TLS Handshake Failures</span>
</h4><p><strong>Symptoms</strong>: “Connection refused” (nothing is listening on the port, or a firewall is in the way — not a TLS problem yet) or TLS handshake errors (certificate not trusted, hostname mismatch, expired certificate, no TLS version or cipher suite in common)</p>
<p><strong>Diagnosis</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Test TLS connection</span>
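# Without -CAfile, s_client still completes the handshake against an untrusted
# certificate and only prints a "Verify return code" line, so the test would
# "pass" on exactly the misconfiguration you are hunting. -verify_return_error
# makes it exit non-zero instead; -servername matters when the server picks its
# certificate by SNI; </dev/null closes the session right after the handshake.
# ca-cert.pem is the CA that issued server-cert.pem.
openssl s_client -connect localhost:3141 -servername localhost -tls1_3 \
    -CAfile ca-cert.pem -verify_return_error </dev/null

# Check certificate validity (issuer, subject alternative names, validity period)
openssl x509 -in server-cert.pem -text -noout

# Exit non-zero if the certificate expires within the next 30 days (2592000 s)
openssl x509 -in server-cert.pem -noout -checkend 2592000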
</span></span></code></pre></div><p><strong>Solutions</strong>:</p>
<ul>
<li>Verify certificate hasn’t expired</li>
<li>Ensure the client trusts the server certificate: the issuing CA is in the client’s trust store and the certificate’s subject alternative name matches the hostname the client connects to. Fix the trust chain rather than disabling certificate verification in the client, which leaves the connection open to interception.</li>
<li>Check TLS cipher suite compatibility</li>
</ul>
<h4 id="issue-authentication-failures" class="position-relative d-flex align-items-center group">
<span>Issue: Authentication Failures</span>
</h4><p><strong>Symptoms</strong>: “Access denied” errors</p>
<p><strong>Diagnosis</strong>: Check audit logs:</p>
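# Match on the JSON fields rather than bare words, so a query string that happens
# to contain "authentication ... failure" is not reported as a login failure.
# (Assumes event_type precedes status on the line, as event_type comes first in
# the sample events above; adjust the pattern if your serializer orders fields
# differently.)
grep -E '"event_type": *"authentication".*"status": *"failure"' /var/log/geode/audit.jsonl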
</span></span></code></pre></div><p><strong>Solutions</strong>:</p>
<ul>
<li>Verify username/password are correct</li>
<li>Check the account isn’t locked — and if it was locked after repeated failures, find out who caused them (see the brute-force check in the audit log analysis above) before unlocking it</li>
<li>Ensure user has database access</li>
</ul>
<h4 id="issue-permission-denied-errors" class="position-relative d-flex align-items-center group">
<span>Issue: Permission Denied Errors</span>
</h4><p><strong>Symptoms</strong>: “Insufficient privileges” errors</p>
<p><strong>Diagnosis</strong>:</p>
-- Lists every privilege currently granted to alice. Compare the output with the
-- attempted_action and resource fields of the authorization_failure event in the
-- audit log to see exactly which grant is missing.
SHOW GRANTS FOR alice;
</span></span></span></code></pre></div><p><strong>Solutions</strong>:</p>
<ul>
<li>Grant only the specific privileges the failing action needs (see Principle of Least Privilege above) — not ALL PRIVILEGES to make the error go away</li>
<li>Check RLS policies aren’t overly restrictive</li>
<li>Verify user is accessing correct database</li>
</ul>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><strong><a
href="/tags/authentication/"
>Authentication</a>
</strong>: Authentication mechanisms in depth</li>
<li><strong><a
href="/tags/encryption/"
>Encryption</a>
</strong>: Encryption implementation details</li>
<li><strong><a
href="/tags/row-level-security/"
>Row-Level Security</a>
</strong>: RLS policies and patterns</li>
<li><strong><a
href="/tags/tde/"
>TDE</a>
</strong>: Transparent Data Encryption</li>
<li><strong><a
href="/tags/fle/"
>FLE</a>
</strong>: Field-Level Encryption</li>
<li><strong><a
href="/tags/compliance/"
>Compliance</a>
</strong>: Regulatory compliance</li>
<li><strong><a
href="/tags/audit-logging/"
>Audit Logging</a>
</strong>: Audit logging configuration</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><strong>Security Overview</strong>: <code>/docs/security/overview/</code></li>
<li><strong>Authentication Guide</strong>: <code>/docs/security/authentication/</code></li>
<li><strong>Authorization and RBAC</strong>: <code>/docs/security/authorization/</code></li>
<li><strong>Encryption Best Practices</strong>: <code>/docs/security/encryption/</code></li>
<li><strong>Compliance Guide</strong>: <code>/docs/security/compliance/</code></li>
<li><strong>Security Hardening Checklist</strong>: <code>/docs/security/hardening/</code></li>
</ul>