Module bonsaidb_local::source ·
Encryption and secret management.
BonsaiDb’s vault is the core of encryption and secret management. To offer
this security, BonsaiDb relies on external
VaultKeyStorage to provide
the key needed to decrypt the master keys. After the master keys have been
decrypted, the vault is able to function without
design ensures that if a copy of a database was stolen, the data that is
stored at-rest cannot be decrypted without gaining access to
At-rest encryption only ensures that if the database files are stolen that an attacker cannot access the data without the encryption key. BonsaiDb will regularly decrypt data to process it, and while the data is in-memory, it is subject to the security of the machine running it. If using BonsaiDb over a network, the network transport layer’s encryption is what ensures your data’s safety.
Security Best Practices
Vault Key Storage
In most situations, do not use
LocalVaultKeyStorage in a production
environment. If you store the vault keys on the same disk as the database,
it’s similar to hiding a key to your house under your doormat. It might stop
the casual person from entering your house, but give any attacker a few
minutes, and they’ll find the key.
Instead, you should use a storage location that provides authentication and
encryption. Our recommendation for production enviroments is to find an
Amazon S3-compatible storage service and use
Eventually, other BonsaiDb servers will be able to operate as key storage
for each other.
Encryption Algorithms Used
BonsaiDb uses the
hpke crate to
provide Hybrid Public Key Encryption (HPKE) when public key encryption is
being used. This is currently only utilized for encrypting the master keys
with the vault key. Our HPKE uses
Long term, we plan to offer public key encryption APIs on top of these same
For at-rest data encryption, the
XChaCha20Poly1305 implementation is
used directly. This variant of
ChaCha20Poly1305 extends the nonce from 12
bytes to 24 bytes, which allows for random nonces to be used.
VaultKeyStoragetrait that wraps the Error type before returning. This type is used to allow the Vault to operate without any generic parameters. This trait is auto-implemented for all