DBeaver Documentation

Managing Master Password

Note: This feature is available in Community, Lite, Enterprise and Ultimate editions only.

Overview

The Master password feature strengthens the security of DBeaver by encrypting credentials and sensitive data using a secure storage system.

When you use the Master password feature:

  • Isolated Security: Connection details cannot be shared with other users because credentials are securely stored in an encrypted, user-specific location.
  • Individual Protection: Each set of credentials is safeguarded by the local user's own Master password, ensuring personalized security.
  • Project Specificity: Connections with passwords can't be shared across users in projects because of the secure, user-specific storage. For more details, see Project Security article.

Secure storage is designed with security prioritization, which has certain trade-offs:

  • Non-Portability: The approach does not support the portability or sharing of configurations among a team of developers, which is mainly due to the OS-specific nature of password storage.
  • User-Specific Encryption: The integration of the Master password further emphasizes individual security by tying the encrypted data to the user's local environment.

Tip: When you first attempt to save secure data (for example, accessing Cloud Explorer, performing Git operations, or configuring email profile settings), DBeaver will prompt you to set up a Master password if you haven't already established one.

Security provider options

DBeaver has three security provider options:

  • DBeaver Master Password (recommended): Choose this to create a new Master password. This is the preferred option for securing sensitive data.
  • Integrated security: Utilize your OS' security system, involving a password automatically stored in your local user's secure storage. For more information, refer to the Managing Master password section.
  • Automation (console): Enable this option for the task scheduler. This setting allows for uninterrupted task performance, such as sending emails, without continuous password prompts. However, it is less secure as local credentials can be decrypted by anyone with access to the machine. Only enable this on machines where task execution is critical and security can be controlled. To use a custom password, set DBEAVER_MASTER_PASSWORD in your environment variables for an unencrypted password or DBEAVER_MASTER_PASSWORD_PATH for a password stored in a file.
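
With the Automation (console) provider, a password file referenced by DBEAVER_MASTER_PASSWORD_PATH becomes the secret to protect on the scheduler host. The following pre-flight check is an added example, not part of the DBeaver documentation or product; the function names are hypothetical, and it assumes the file holds only the password and that the wrapper script runs as the same OS user as the scheduled task.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a task-scheduler wrapper that relies on
# DBEAVER_MASTER_PASSWORD_PATH. Function names are hypothetical; the file is
# assumed to contain only the Master password.

# Returns 0 only if the path is a regular, non-empty file (not a symlink),
# owned by the current user, with no group/other permission bits set.
check_master_password_file() {
    local f="$1" perms
    if [ -z "$f" ]; then echo "no path given" >&2; return 1; fi
    if [ -L "$f" ]; then echo "$f is a symlink" >&2; return 1; fi
    if [ ! -f "$f" ]; then echo "$f is not a regular file" >&2; return 1; fi
    if [ ! -s "$f" ]; then echo "$f is empty" >&2; return 1; fi
    if [ ! -O "$f" ]; then echo "$f is not owned by $(id -un)" >&2; return 1; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f is accessible to group/other ($perms)" >&2
        return 1
    fi
    return 0
}

# Exports the file-based variable only after the check passes, and removes
# the plaintext variable so the password is not also present in the
# environment inherited by the task.
use_master_password_file() {
    check_master_password_file "$1" || return 1
    unset DBEAVER_MASTER_PASSWORD
    export DBEAVER_MASTER_PASSWORD_PATH="$1"
}
```

Call use_master_password_file with the path to the password file at the top of the wrapper and abort the task if it returns non-zero.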

Enabling secure password storage

To enable the Master password functionality, follow these steps:

  1. Navigate to Window -> Preferences -> General -> Security.
  2. Select the Use secure password storage option.

For further configuration, go to Window -> Preferences -> General -> Security -> Secure Storage.

Changing the secure password provider

You can switch between different secure password providers by selecting the checkbox next to the provider's name.

If you have configured one of the secure password providers and want to switch to another, select the new provider's option, click Apply, and follow the prompts to update your settings.

Tip: Multiple providers can be enabled simultaneously, except for Automation (console). Any other enabled security setting will override it.

Important: If Automation (console) is chosen, this mode should be the only active option, as any other enabled security setting will override it.

Administrator configuration of Master password policy

Administrators can customize various aspects of the Master password policy. This includes setting the minimum length of the password, the minimum count of letters, digits, and symbols required, and the enforcement of mixed case (uppercase and lowercase letters) in the Master password. For detailed instructions on configuring these settings, please refer to the Admin Preference Restrictions article.

Note: Currently, this functionality is limited to Windows users and is only accessible through the Windows Registry.

Configuring Master password

Under the Secure Storage section, accessible via the path Window -> Preferences -> General -> Security -> Secure Storage, in the Passwords tab, you have the following options:

  • Clear passwords: Clears the password cache, requiring re-entry of passwords upon next access to confidential information. This action prevents unauthorized use of stored credentials.
  • Choose a Master password provider: Select from various providers. For more information on providers, see Security provider options. Options include:
      • DBeaver Master Password provider (default). When using the DBeaver Master Password provider, you will be prompted to specify a master password.
      • OS X Keystore Integration for macOS users.
      • Windows Integration for Windows users.
      • Automation (console). Used primarily with the task scheduler.
  • Change Passwords: If a Master password has not been set, this option initiates the process of creating one. If a Master password is already in place, it allows for changing to a new master password.
  • Recover password: Available after setting a Master password, this feature uses password hints and recovery questions to help recover a forgotten master password.

Important: DBeaver does not store the Master Password. If both the password and password hints are forgotten, the Master Password cannot be recovered or reset.

Tip: Choosing OS Integration options, like OS X Keystore Integration or Windows Integration, allows DBeaver to utilize your operating system's native security features. This process involves using a password that is automatically generated and stored in your local user's secure storage, as seen in Windows environments. This method simplifies the process as there's no need to remember a Master password, but be aware it may offer less security if others have access to your OS user account.

Changing the Master password

Important: When you change your Master password, the old one cannot be viewed or retrieved after recovery. Ensure you remember your new password or write it down in a secure place.

To change the Master password, follow these steps:

  1. Go to Window -> Preferences -> General -> Security -> Secure Storage.
  2. Click on the Change Password button.

    1. The Step 1: Old Password window will appear. Enter your current Master password and click Next.
    2. The Step 2: New Password window will prompt you to enter a new Master password and confirm it. Fill in the fields and click Next.
  3. After setting your new password, you will be asked to provide a password hint. You may skip this step and press Finish to conclude the process.

Password recovery setup

To set up password recovery:

  1. Go to Window -> Preferences -> General -> Security -> Secure Storage -> Password Recovery.
  2. Specify security questions and provide answers for them. This step is essential for recovering a lost Master password.

Note:

  • The questions and answers are case-sensitive.
  • Treat the answers as secondary passwords; they should be kept confidential and secure.

Setting a password hint

When you create a Master password in DBeaver's Secure Storage, it is recommended to set up a password hint. This hint will assist you if you need to recover your password.

  1. When prompted, select Yes to provide a password hint after creating a Master password.

  2. Enter a hint that will help you remember the password without revealing it directly.

Deleting the Master password

To remove the Master password, follow these steps:

  1. Navigate to Window -> Preferences -> General -> Security -> Secure Storage.
  2. Click on the Contents tab.
  3. Locate and select [Default Secure Storage] -> org.eclipse.equinox.secure.storage.
  4. Click on the Delete button.

Warning: Be aware that deleting the Master password will result in the loss of all saved credentials.

Viewing secured resources

Under the Secure Storage section, accessible via the path Window -> Preferences -> General -> Security -> Secure Storage, in the Contents tab, you may:

  • Review the resources that are secured. This includes resources protected by the Master Password and those secured through integrated operating system (OS) security mechanisms.
  • Delete entries if necessary to remove security constraints from the resources.

Advanced encryption settings

In the Advanced tab of the Secure Storage section (Window -> Preferences -> General -> Security -> Secure Storage), you can set the encryption algorithm used for new storages to maintain data integrity and confidentiality.