Core Concepts

Security

Litebase combines the simplicity of SQLite with enterprise-grade security, offering flexible authentication, fine-grained permissions, and built-in protections to keep your data safe.

At Litebase, security is built into every layer of the system. From authentication and authorization to encryption and real-time SQL-level checks, Litebase is designed to safeguard data with rigor to build confidence and trust.

Authentication

Litebase supports multiple authentication methods to ensure that only authorized users can access your databases.

Access Keys

A generated access key and secret are used to sign requests from a client. The credentials are securely stored and managed by Litebase, and the client never transmits the secret. This is the recommended method.

  • Access keys are generated by the server and securely stored in the system database using AES-GCM encryption with key derivation via HKDF.
  • Access keys are used to sign requests using HMAC-SHA256. The secret is never transmitted over the network, ensuring that only the client and server can verify requests.
  • Access keys are assigned statements to define their permissions. This allows fine-grained control over what actions each key can perform.

This approach ensures that access key secrets remain confidential and protected against unauthorized access or tampering.

Tokens

Tokens are generated by the server and securely stored in the system database as bcrypt hashes. The raw token secret is never stored; only its bcrypt hash is saved, ensuring that even if the database is compromised, the original secret cannot be easily recovered.

  • Tokens are assigned statements to define their permissions. This allows fine-grained control over what actions each token can perform.
  • Tokens are sent in the Authorization header as a bearer token. The server authenticates requests by comparing the provided token secret against the stored bcrypt hash.

This approach ensures that token secrets remain confidential and protected against unauthorized access or tampering.

Basic Authentication

User-defined username and password combinations are used for HTTP basic authentication.

  • A root user is created when the cluster is initialized.
  • Passwords are securely stored in the system database as bcrypt hashes.
  • Additional users can be created using the CLI.

This approach ensures that user passwords remain confidential and protected against unauthorized access.

Authorization and Access Control

Litebase uses a robust authorization system to control access to databases and their objects.

Resource-Based Permissions

Permissions are defined using statements that specify the actions allowed or denied on specific resources. Resources can be defined at various levels of granularity:

plaintext
*
database:*
database:DATABASE_NAME:*
database:DATABASE_NAME:branch:*
database:DATABASE_NAME:branch:BRANCH_NAME:*

Statements

Each statement allows or denies a set of actions on a resource.

json
{
  "Effect": "Allow",
  "Resource": "*",
  "Action": [
    "database:query",
    "database:create",
    "database:list",
    "database:show"
  ]
}

json
{
  "Effect": "Deny",
  "Resource": "database:*",
  "Action": ["database:delete"]
}
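
How the two statements above could combine when attached to one credential, as an added example that is not Litebase's own code. It assumes that an explicit Deny overrides any Allow, that a request matching no Allow is denied, and that a trailing `*` covers everything below that prefix; the page specifies none of these. The concrete resource strings, the database name `app` and the branch `main` are hypothetical.

```python
import json

# The two statements shown above, attached to one hypothetical credential.
STATEMENTS = json.loads("""[
  {"Effect": "Allow", "Resource": "*",
   "Action": ["database:query", "database:create", "database:list", "database:show"]},
  {"Effect": "Deny", "Resource": "database:*", "Action": ["database:delete"]}
]""")


def resource_matches(pattern, resource):
    """Assumed matching: '*' is everything, a trailing ':*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        # Keep the ':' so 'database:app:*' does not cover 'database:application'.
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_authorized(statements, action, resource):
    """Assumed semantics: explicit Deny wins, and no matching Allow means deny."""
    allowed = False
    for stmt in statements:
        if action not in stmt["Action"]:
            continue
        if not resource_matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # order of statements does not matter
        allowed = allowed or stmt["Effect"] == "Allow"
    return allowed


def audit(statements, requests):
    """Map each (action, resource) request to its decision."""
    return {req: is_authorized(statements, *req) for req in requests}


if __name__ == "__main__":
    # Constructed requests; 'app' and 'main' are hypothetical names.
    requests = [
        ("database:query", "database:app:branch:main"),
        ("database:delete", "database:app"),
    ]
    for (action, resource), ok in audit(STATEMENTS, requests).items():
        print("ALLOW" if ok else "DENY ", action, resource)
```

Running an evaluator like this over the requests a credential is expected to make is a quick way to confirm that a statement set grants no more than intended before the credential is issued.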

Security Best Practices

While Litebase provides a secure environment for your databases, it’s important to follow best practices.

  • Treat the URL of your Litebase cluster as a secret.
  • Regularly rotate your access keys and tokens.
  • Use the principle of least privilege when assigning permissions to users and roles.

Private Networks

  • Use a Virtual Private Cloud (VPC) to isolate your Litebase instances from the public internet.

Encryption of data at rest

  • Use a network file system that supports encryption at rest.
  • Use object storage that supports encryption at rest.

Encryption of data in transit

  • Secure your cluster with TLS/SSL.
  • Connect to storage services using TLS/SSL.