Credential Management
How dbtrail secures MySQL passwords, SSH keys, and API keys
dbtrail follows a strict policy: credentials are never stored as plaintext. All sensitive values (MySQL passwords, SSH keys) are stored as vault references.
How vault references work
When you register a server and provide a MySQL password:
- The password is sent over TLS in the API request body
- dbtrail generates a vault reference (e.g.,
vault:secret/mysql/production-main) - Only the vault reference is stored in the
mysql_pass_vault_refcolumn - The plaintext password is never persisted in the database
When the agent needs to connect to MySQL, it retrieves the password from the vault using the stored reference.
Credential columns
Any database column that holds a credential reference uses the _vault_ref suffix convention:
| Column | Description |
|---|---|
mysql_pass_vault_ref | MySQL password for server connections |
private_key_vault_ref | SSH private key for tunnel connections |
This naming convention makes it easy to identify which columns hold sensitive data and ensures they are never accidentally exposed in API responses.
API key security
API keys follow similar security principles:
- Keys are never stored in plaintext — only the SHA-256 hash is persisted
- The full key is shown to the user exactly once at creation time
- Only the key prefix (e.g.,
bt_live_a1b) is stored for display purposes - If the database is compromised, attackers get hashes — not usable tokens
See API Keys for details on key management.
Best practices
Dedicated MySQL user
Create a dedicated MySQL user for dbtrail with only the required privileges (REPLICATION SLAVE, REPLICATION CLIENT, SELECT). Never use the root account.
Rotate credentials
Periodically rotate MySQL passwords and API keys. When you update server credentials, the old vault reference is replaced — no plaintext is ever retained.
SSH keys
When using SSH tunnels, the private key is stored as a vault reference. Never commit SSH private keys to version control or include them in API requests as plaintext beyond the initial setup.