Managing Master Password
Note: This feature is available in Community, Lite, Enterprise and Ultimate editions only.
Overview
The Master password feature strengthens the security of DBeaver by encrypting credentials and sensitive data using a secure storage system.
When you use the Master password feature:
- Isolated Security: Connection details cannot be shared with other users because credentials are securely stored in an encrypted, user-specific location.
- Individual Protection: Each set of credentials is safeguarded by the local user's own Master password, ensuring personalized security.
- Project Specificity: Connections with passwords can't be shared across users in projects because of the secure, user-specific storage. For more details, see the Project Security article.
Secure storage is designed to prioritize security, which comes with certain trade-offs:
- Non-Portability: The approach does not support the portability or sharing of configurations among a team of developers, which is mainly due to the OS-specific nature of password storage.
- User-Specific Encryption: The Master Password secures data by locking it to your specific device.
Tip: When you first attempt to save secure data (for example, accessing Cloud Explorer, performing Git operations, or configuring email profile settings), DBeaver will prompt you to set up a Master password if you haven't already established one.
Security provider options
DBeaver has three security provider options:
Provider | Description |
---|---|
Master Password (recommended) | Choose this option to set up a new Master password. This is the preferred option for securing sensitive data. |
Integrated security | Utilizes your operating system’s security system, with a password automatically stored in your local user’s secure storage. |
Automation (console) | Enables password automation for tasks in the task scheduler, allowing uninterrupted task execution, such as sending emails, without continuous password prompts. Warning: This option is less secure, as local credentials can be decrypted by anyone with access to the machine. Only enable it on controlled machines where task execution is critical. Use DBEAVER_MASTER_PASSWORD in environment variables for an unencrypted password or DBEAVER_MASTER_PASSWORD_PATH for a password stored in a file. |
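For the Automation (console) provider in the table above, a scheduled job can verify the password file before handing it to DBeaver. The script below is an added example, not DBeaver's own code: it assumes `DBEAVER_MASTER_PASSWORD_PATH` takes the path to the file, and the function name `use_master_password_file` and the owner-only file policy are choices made for this example.

```shell
#!/bin/sh
# Added example (not DBeaver code): pre-flight check before a scheduled task
# uses the Automation (console) provider. The owner-only policy and the
# function name are assumptions of this example.

fail() { echo "master-password check: $*" >&2; }

use_master_password_file() {
    mp_file=$1
    # The plaintext variable is inherited by every child process; refuse it.
    if [ -n "${DBEAVER_MASTER_PASSWORD:-}" ]; then
        fail "DBEAVER_MASTER_PASSWORD is set; use the file variant"; return 1
    fi
    # A symlink could be repointed at a file someone else controls.
    if [ -L "$mp_file" ] || [ ! -f "$mp_file" ]; then
        fail "$mp_file is not a regular file"; return 1
    fi
    if [ ! -s "$mp_file" ]; then
        fail "$mp_file is empty"; return 1
    fi
    if [ ! -O "$mp_file" ]; then
        fail "$mp_file is not owned by the current user"; return 1
    fi
    # First 10 characters of `ls -l`: file type + rwx bits for user/group/other.
    mp_perms=$(ls -ld -- "$mp_file" | cut -c1-10)
    case "$mp_perms" in
        -???------) ;;   # regular file, no group or other access
        *) fail "$mp_file has mode $mp_perms; run: chmod 600 $mp_file"; return 1 ;;
    esac
    # Assumption: DBEAVER_MASTER_PASSWORD_PATH takes the path to the file.
    DBEAVER_MASTER_PASSWORD_PATH=$mp_file
    export DBEAVER_MASTER_PASSWORD_PATH
}

# Usage: sh check.sh /path/to/password-file, then start the scheduled task.
if [ "$#" -gt 0 ]; then
    use_master_password_file "$1" || exit 1
fi
```

The check narrows who can read the file, but the warning in the table still applies: anyone who can run code as the task's user can read it.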
Note: Once you set up the Master Password, DBeaver will ask for the Master Password in the following situations:
- Connecting to databases: When you connect to a database with saved credentials.
- Editing connections: If you open a connection's settings and it includes credentials.
- Using Cloud Explorer or Cloud Storage: The Master Password is necessary for any cloud setup.
- Using Git: To secure your Git credentials with encryption.
- Setting up email profiles or editing email tasks: When setting up or changing email settings for tasks (like notifications), if those credentials are encrypted.
Important: The Master Password is required to use cloud setup and secure Git integrations.
Enabling secure password storage
To enable secure password storage:
- Navigate to Window -> Preferences -> General -> Security.
- In the Secure Storage section, check the Use secure passwords storage box and click Apply.
Changing the secure password provider
Once secure password storage is enabled, you can change the secure password provider based on your security needs.
- In the Secure Storage section, select your preferred provider from the dropdown menu.
- Click Apply and follow the prompts to confirm and update your settings.
Note: Only one provider can be active at a time.
Tip: Selecting OS Integration options, like OS X Keystore Integration or Windows Integration, allows DBeaver to use your operating system's native security features. This method simplifies management as there's no need to remember a Master Password, but be aware it may offer less security if others have access to your OS user account.
Configuring Master Password
When the Master Password provider is selected, you have access to additional options for managing secure storage.
Button | Description |
---|---|
Change password | If a Master password has not been set, this option initiates the process of creating one. If a Master password is already in place, it allows for changing to a new master password. |
Recover password | Available after setting a Master password, this feature uses password hints and recovery questions to help recover a forgotten master password. |
Delete password | Deletes the Master Password, clearing all stored credentials. DBeaver will need to be restarted for changes to take effect. |
Important: DBeaver does not store the Master Password. If both the password and password hints are forgotten, the Master Password cannot be recovered or reset.
Warning: Be aware that deleting the Master password will result in the loss of all saved credentials.
Setting a password hint
When creating a Master password, it is recommended to set up a password hint. This hint will assist you if you need to recover your password.
When prompted, select Yes to provide a password hint after creating a Master password.
Enter a hint that will help you remember the password without revealing it directly.
Changing the Master password
To change the Master password, follow these steps:
- Go to Window -> Preferences -> General -> Security.
- Click the Change Password button and follow the prompts to change the Master Password.
Important: When you change your Master password, the old one cannot be viewed or retrieved after recovery. Ensure you remember your new password or write it down in a secure place.
Recovering the Master Password
If you've forgotten your Master Password, you can attempt to recover it by following these steps:
- In the Secure settings, click Recover password.
- Answer the security questions that were set up during the hint setup (if available).
Note:
- The questions and answers are case-sensitive.
- Treat the answers as secondary passwords; they should be kept confidential and secure.
- After successfully answering the questions, you’ll see a confirmation message: "The 'master' password has been successfully recovered and is cached in memory."
Once recovered, you can:
- Change the Master Password by selecting Change password.
- Delete the Master Password by selecting Delete password.
Tip: Use this recovery process as a secure backup if you forget your Master Password. However, if you didn’t set up security questions initially, password recovery won’t be available.
Administrator configuration of Master password policy
Administrators can customize various aspects of the Master password policy. This includes setting the minimum length of the password, the minimum count of letters, digits, and symbols required, and the enforcement of mixed case (uppercase and lowercase letters) in the Master password. For detailed instructions on configuring these settings, please refer to the Admin Preference Restrictions article.
Note: Currently, this functionality is limited to Windows users and is only accessible through the Windows Registry.
Advanced mode
Use Advanced mode to gain full control over secure storage settings, including encryption preferences and management of individual secured resources.
- Navigate to Window -> Preferences -> General -> Security.
- In the Secure Storage section, click the Advanced mode button.
In the opened window:
The Contents tab allows you to:
- Review the resources that are secured. This includes resources protected by the Master Password and those secured through integrated operating system (OS) security mechanisms.
- Delete entries if necessary to remove security constraints from the resources.
The Advanced tab allows you to set the encryption algorithm for new storages.