Managing Master Password

Note: This feature is available in Lite, Enterprise, Ultimate and Team editions only.

The Master password feature strengthens the security of DBeaver by encrypting credentials and sensitive data using a secure storage system.

When you use the Master password feature:

• Isolated Security: Connection details cannot be shared with other users because credentials are securely stored in an encrypted, user-specific location.
• Individual Protection: Each set of credentials is safeguarded by the local user's own the Master password, ensuring personalized security.
• Project Specificity: Connections with passwords can't be shared across users in projects because of the secure, user-specific storage. For more details, see Project Security article.

Secure storage is designed with security prioritization, which has certain trade-offs:

• Non-Portability: The approach does not support the portability or sharing of configurations among a team of developers, which is mainly due to the OS-specific nature of password storage.
• User-Specific Encryption: The integration of the Master password further emphasizes individual security by tying the encrypted data to the user's local environment.

Tip: When you first attempt to save secure data (for example, accessing Cloud Explorer, performing Git operations, or configuring email profile settings), DBeaver will prompt you to set up a Master password if you haven't already established one. You will have two options:

• Set up a Master password (recommended): Choose this to create a new Master password. This is the preferred option for securing sensitive data.
• Use integrated security: Utilize your OS' security system, involving a password automatically stored in your local user's secure storage. For more information, refer to the section.

To enable the Master password functionality, follow these steps:

1. Navigate to Window -> Preferences -> General -> Security.
2. Select the Use secure password storage option.

For further configuration, proceed to the Window -> Preferences -> General -> Security -> Secure Storage.

Administrators can customize various aspects of the Master password policy. This includes setting the minimum length of the password, the minimum count of letters, digits, and symbols required, and the enforcement of mixed case (uppercase and lowercase letters) in the Master password. For detailed instructions on configuring these settings, please refer to the Admin Preference Restrictions article.

Note: Currently, this functionality is limited to Windows users and is only accessible through the Windows Registry.

Under the Secure Storage section, accessible via the path Window -> Preferences -> General -> Security -> Secure Storage, in the Passwords tab, you have the following options:

Important: DBeaver does not store the Master Password. If both the password and are forgotten, the Master Password cannot be recovered or reset.

Tip: Choosing OS Integration options, like OS X Keystore Integration or Windows Integration, allows DBeaver to utilize your operating system's native security features. This process involves using a password that is automatically generated and stored in your local user's secure storage, as seen in Windows environments. This method simplifies the process as there's no need to remember a Master password, but be aware it may offer less security if others have access to your OS user account.

Important: When you change your Master password, the old one cannot be viewed or retrieved after recovery. Ensure you remember your new password or write it down in a secure place.

To change the Master password, follow these steps:

1. Go to Window -> Preferences -> General -> Security -> Secure Storage

2. Click on the Change Password button.

   1. The Step 1: Old Password window will appear. Enter your current Master password and click Next.
   2. The Step 2: New Password window will prompt you to enter a new Master password and confirm it. Fill in the fields and click Next.

3. After setting your new password, you will be asked to provide a . You may skip this step and press Finish to conclude the process.

To set up password recovery:

1. Go to Window -> Preferences -> General -> Security -> Secure Storage -> Password Recovery.
2. Specify security questions and provide answers for them. This step is essential for recovering a lost Master password.

Note:

• The questions and answers are case-sensitive.
• Treat the answers as secondary passwords; they should be kept confidential and secure.

When you create a Master password in DBeaver's , it is recommended to set up a password hint. This hint will assist you if you need to recover your password.

1. When prompted, select Yes to provide a password hint after creating a Master password.

   

2. Enter a hint that will help you remember the password without revealing it directly.

   

To remove the Master password, follow these steps:

1. Navigate to Window -> Preferences -> General -> Security -> Secure Storage.
2. Click on the Contents tab.
3. Locate and select [Default Secure Storage] -> org.eclipse.equinox.secure.storage.
4. Click on the Delete button.

Warning: Be aware that deleting the Master password will result in the loss of all saved credentials.

Under the Secure Storage section, accessible via the path Window -> Preferences -> General -> Security -> Secure Storage, in the Contents tab, you may:

• Review the resources that are secured. This includes resources protected by the Master Password and those secured through integrated operating system (OS) security mechanisms.

• Delete entries if necessary to remove security constraints from the resources.

In the Advanced tab, located within the Secure Storage section, which can be found by navigating through Window -> Preferences -> General -> Security -> Secure Storage, you have the option to set the encryption algorithm to use for new storages to maintain data integrity and confidentiality.