
Password Security

DaRT Reader handles database passwords securely. This guide explains how passwords are managed and best practices.

How DaRT Reader Handles Passwords

No Storage

DaRT Reader never saves passwords to disk. Passwords are:

  • Kept in memory only during the session
  • Never written to configuration files
  • Never written to log files (explicit protection in place)
  • Cleared from memory when the connection closes

CLI Password Entry

When using the CLI with the -p flag, passwords are entered securely:

beye save --config config.json -u myuser -p

You'll be prompted:

Enter password for JDBC connection:

  • The password is not echoed to the terminal
  • The password is immediately used and not persisted

GUI Password Entry

When exporting to a database via the GUI:

  1. Enter your password in the password field (characters are masked)
  2. Click Start to begin the export
  3. The password is used only for that connection
  4. It's not saved when you close the window

Security Measures

Configuration File Security

Never put passwords in config files.

Bad (DON'T DO THIS):

{
  "databaseConnection": {
    "userName": "myuser",
    "password": "mypassword123"
  }
}

Good (DO THIS):

{
  "databaseConnection": {
    "userName": "myuser"
  }
}

Then provide the password interactively:

beye save --config config.json -p

Alternatively, you can save the password in an environment variable and reference it in the config file, so the file itself never contains the secret:

{
  "databaseConnection": {
    "userName": "myuser",
    "password": "${DB_PASS}"
  }
}
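A check for the rule above that can run before a config file is committed or shared, as an added example that is not part of DaRT Reader. It assumes password fields are keys named `password` and that environment references use the exact `${NAME}` form shown above; `audit_config` and the sample constants are hypothetical names.

```python
import json
import os
import re

# Placeholder syntax as shown in the config above: "${DB_PASS}" (assumed exact form).
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def audit_config(text, environ=None):
    """Return a list of (json_path, problem) findings for password fields."""
    environ = os.environ if environ is None else environ
    findings = []

    def check(value, path):
        match = ENV_REF.match(value)
        if match is None:
            # Report the location only; never echo the secret into the output.
            findings.append((path, "literal password in config file"))
        elif not environ.get(match.group(1)):
            findings.append((path, f"env var {match.group(1)} is unset or empty"))

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key.lower() == "password" and isinstance(value, str):
                    check(value, child)
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(text), "")
    return findings


# Constructed sample inputs mirroring the three configs on this page.
BAD = '{"databaseConnection": {"userName": "myuser", "password": "mypassword123"}}'
GOOD = '{"databaseConnection": {"userName": "myuser"}}'
ENV = '{"databaseConnection": {"userName": "myuser", "password": "${DB_PASS}"}}'

if __name__ == "__main__":
    for name, cfg in (("bad", BAD), ("good", GOOD), ("env", ENV)):
        print(name, audit_config(cfg, environ={"DB_PASS": "x"}))
```

An empty findings list means the file holds no literal password and every referenced variable is set in the environment that was checked.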

Database Security

Database security is your responsibility. DaRT Reader securely handles password transmission, but securing the database itself is outside the application's scope. You must ensure proper security measures for your database infrastructure, including:

  • Access controls: Configure user permissions, roles, and privileges according to the principle of least privilege
  • Encryption in transit: Use TLS/SSL connections (e.g., PostgreSQL with SSL mode, MySQL with encrypted connections) to protect data transmitted between DaRT Reader and the database
  • Encryption at rest: Enable database encryption features to protect stored data on disk
  • Network security: Use firewalls, VPNs, or private networks to restrict database access to authorized systems only
  • Authentication: Implement strong authentication mechanisms and credential rotation policies
  • Auditing and monitoring: Enable database audit logs to track access and identify suspicious activity

Consult your database vendor's security documentation for specific configuration guidance.

Best Practices

  1. Use Interactive Password Entry
       • Always use the -p flag (CLI) or password field (GUI)
       • Never put passwords in config files or scripts

  2. Use Database Authentication
       • Prefer connection pooling with limited credentials
       • Use database roles with minimal required permissions
       • Consider using certificate-based auth where supported

  3. Protect Log Files
       • Log files are in $APPDIR/../logging/
       • Ensure this directory has appropriate file permissions
       • Review logs before sharing them for support

  4. Environment Variables
       • Store credentials in environment variables
       • Reference them in scripts without hardcoding

export DB_USER="appuser"
export DB_PASS="secret"
beye save --config config.json -u "$DB_USER" -p