Skip to content
Vaylix logo Vaylix logo Vaylix Docs

Security Model

Authentication

Section titled “Authentication”

Authentication is enabled by default.

Development defaults:

  • username: vaylix
  • password: vaylix

Those defaults are for local development only. Production deployments should override them.

--disable-auth exists for trusted local tests. When auth is disabled on the server, commands execute without an AUTH handshake and RBAC checks are bypassed.

Password Policy and Auth Lockouts

Section titled “Password Policy and Auth Lockouts”

Current password policy for create user and alter user ... password ...:

  • minimum length 12
  • at least one ASCII letter
  • at least one ASCII digit

Current auth throttling controls:

  • --auth-failure-window-seconds
  • --auth-failure-limit
  • --auth-lockout-seconds

Lockouts are tracked per (username, peer) tuple. Successful authentication clears the failure window for that tuple.

RBAC

Section titled “RBAC”

RBAC is implemented in the server layer, not the engine.

Current permissions:

  • read
  • write
  • admin
  • backup
  • restore
  • metrics
  • snapshot
  • clear
  • user_admin
  • role_admin

Permission grants are pattern-scoped over keys. For example:

grant permission read on app:* to readonly

The admin permission bypasses pattern checks.

TLS and mTLS

Section titled “TLS and mTLS”

TLS is supported and disabled by default.

Server-side inputs:

  • --ssl
  • --tls-cert
  • --tls-key
  • --tls-client-ca

Client-side inputs:

  • --ssl
  • --tls-ca-cert
  • --tls-client-cert
  • --tls-client-key
  • ?ssl=true in URL form

mTLS is additive to application authentication. When the server is started with --tls-client-ca, the TLS handshake requires a client certificate chaining to that CA. Username/password auth still runs after the TLS handshake unless auth was explicitly disabled for trusted testing.

Operational behavior:

  • TLS startup fails if the certificate is already expired or the certificate/key pair cannot be loaded together
  • certificate expiry metadata is exposed through INFO
  • on Unix, SIGHUP reloads the configured TLS certificate, key, and client CA

At-Rest Encryption

Section titled “At-Rest Encryption”

Snapshots, WAL segments, manifests, and keyring files are encrypted or integrity-protected at rest using a server-managed keyring.

Important property:

  • storage encryption is separate from auth credentials

That keeps persistence-key management separate from authentication configuration.

Current persisted storage format:

  • storage format version 3
  • MessagePack-based engine serialization inside encrypted persistence files

Audit Logging

Section titled “Audit Logging”

Audit logging records command-level accountability without storing secrets.

Stored fields include:

  • audit sequence
  • previous hash
  • current hash
  • timestamp
  • connection ID
  • peer
  • authenticated username
  • request ID
  • opcode
  • response status
  • error code when present
  • latency
  • semantic event type
  • sanitized details map

Passwords and raw value payloads are not recorded.

The audit log is hash-chained with SHA-256 and verified on startup. This makes local tampering detectable, but it is not non-repudiation without an external anchor.

Compression

Section titled “Compression”

Default-on zstd frame compression improves transport efficiency. It does not provide confidentiality and should not be treated as a substitute for TLS.

Current Security Boundary

Section titled “Current Security Boundary”

What Vaylix currently does not provide:

  • mandatory TLS
  • TLS certificate automation or rotation workflow
  • external auth integration
  • distributed trust boundaries for replicas or shards
  • externally anchored or signed audit pipelines