Skip to main content
EventDBX favors passwordless, token-based access and built-in encryption so you can secure the write path without bolt-ons. Use this page as the security playbook across domains.

Identity and authorization

  • Mint Ed25519-signed tokens per role and rotate them regularly. Tokens carry group/user claims and can cap time-to-live and write counts.
  • Keep domains isolated: switch with dbx checkout <domain> and mint domain-scoped tokens so experiments never touch production.
  • Revoke quickly when secrets leak.

Encryption at rest

  • Set a data-encryption key once per host: payloads, snapshots, and tokens.json encrypt transparently; metadata (aggregate ids, Merkle roots) stays readable for plugins and integrity checks.
  • Store DEKs in your secret manager; never bake them into images.

Encryption in transit

  • All control-socket traffic uses Noise handshakes by default. Keep the daemon on a private network; layer TLS/SSH/WireGuard only when policy demands it.
  • Plugins inherit the same transport protections when configured with remotes (--remote <host[:port]> --token <token> on dbx checkout).

Immutability and tamper evidence

  • Writes are append-only; there is no in-place update path.
  • Per-aggregate Merkle roots make tampering obvious. Verify regularly and export proofs when sharing data.
If you need per-event proof paths, fetch them from the server API or a downstream verifier service that exposes Merkle branch exports.

Secure plugin posture

  • Scope payloads down: choose the smallest --payload <mode> that fits (event-only for webhooks, state-only for caches, schema-only for registries, event-and-schema for validators, extensions-only when you only need metadata extensions).
  • Treat plugin credentials like any other secret—rotate them, prefer short-lived tokens for outbound calls, and sign outbound requests when supported.
  • Log plugins are for audit trails; avoid shipping sensitive payload fields there unless they are encrypted or redacted downstream.
Example selector and payload scoping:

Hardening checklist

  • Run with --restrict strict in production; use permissive/default only while schemas evolve.
  • Set a DEK via dbx config --dek ...; keep backups of the key in a vault.
  • Issue short-lived, least-privilege tokens per service and domain.
  • Keep control sockets off the public internet; require Noise/TLS tunnels across zones.
  • Verify Merkle roots (dbx aggregate verify ...) on a schedule and keep proofs with regulated exports.