Security Best Practices

API Key and Credentials Management

Critical: Never store API keys in application code or version control. LLM API keys (OpenAI, Cohere, etc.) grant access to paid services and should be treated as sensitive credentials.

Recommended: Use Database-Level Settings

Configure API keys at the database or role level, not in individual sessions or application code.

-- Database-level configuration (persists across sessions)
ALTER DATABASE mydb SET neurondb.llm_api_key = 'sk-...';
ALTER DATABASE mydb SET neurondb.llm_provider = 'openai';

-- Role-level configuration (applies to specific users)
ALTER ROLE app_user SET neurondb.llm_api_key = 'sk-...';

-- Verify settings without exposing the key
SELECT name, setting 
FROM pg_settings 
WHERE name = 'neurondb.llm_provider';

Best Practice: Environment Variables and Secrets Managers

For production deployments, use environment variables or secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.).

-- In postgresql.conf or postgresql.auto.conf
neurondb.llm_api_key = '$OPENAI_API_KEY'
neurondb.llm_provider = 'openai'

-- Or use ALTER SYSTEM (requires superuser)
ALTER SYSTEM SET neurondb.llm_api_key = 'sk-...';
SELECT pg_reload_conf();

Security Tip: Rotate API Keys Regularly

• Rotate LLM API keys every 90 days or per organizational policy
• Use separate API keys for development, staging, and production
• Monitor API usage for anomalies (unexpected spikes, geographic locations)
• Revoke compromised keys immediately and update configuration

Access Control and Permissions

Principle of Least Privilege

Grant users only the permissions they need. Separate read-only and write roles for embedding functions and ML operations.

-- Read-only role for querying embeddings
CREATE ROLE reader_role;
GRANT SELECT ON documents TO reader_role;
GRANT EXECUTE ON FUNCTION neurondb_embed(text, text) TO reader_role;

-- Write role for inserting/updating embeddings
CREATE ROLE writer_role;
GRANT SELECT, INSERT, UPDATE ON documents TO writer_role;
GRANT EXECUTE ON FUNCTION neurondb_embed(text, text) TO writer_role;
GRANT EXECUTE ON FUNCTION neurondb_embed_batch(text[], text) TO writer_role;

-- Admin role for ML operations
CREATE ROLE admin_role;
GRANT ALL ON documents TO admin_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA neurondb TO admin_role;

Network Security

• Use SSL/TLS for all PostgreSQL connections
• Restrict network access using firewall rules
• Use VPN or private networks for production deployments
• Enable pg_hba.conf restrictions for remote access

Data Protection

NeuronDB provides comprehensive data protection features:

• Vector Encryption: AES-GCM encryption for vector data via OpenSSL
• Differential Privacy: Privacy-preserving embedding operations
• Row-Level Security (RLS): Integrated RLS policies via neurondb.rls_policies table for multi-tenant deployments
• Multi-Tenant Isolation: Tenant-aware indexes and quota management via neurondb.tenant_quotas
• HMAC-SHA256: Signed results for tamper detection
• Audit Logging: Comprehensive audit logging with tamper detection for sensitive operations
• Usage Metering: Track resource usage per tenant for governance
• GDPR Compliance: GDPR-compliant data handling and encryption
• Post-Quantum Encryption: Support for post-quantum cryptography via encrypt_postquantum()
• Confidential Compute: Enable confidential computing features via enable_confidential_compute()
• Regular Backups: Encrypted backups with point-in-time recovery

Multi-Tenancy Security

-- Create tenant quota limits
INSERT INTO neurondb.tenant_quotas (tenant_id, max_vectors, max_memory_mb, max_qps)
VALUES ('tenant_1', 1000000, 8192, 1000);

-- Create RLS policy
SELECT neurondb.create_policy(
  'documents',
  'tenant_isolation',
  'tenant_id = current_setting('app.current_tenant')'
);

-- Monitor tenant usage
SELECT * FROM neurondb.tenant_quota_usage WHERE warnings IS NOT NULL;

Next Steps

• Configuration Reference - Security-related GUC parameters
• Troubleshooting - Security-related issues