NeurondB Documentation

Security Best Practices

API Key and Credentials Management

Critical: Never store API keys in application code or version control. LLM API keys (OpenAI, Cohere, etc.) grant access to paid services and should be treated as sensitive credentials.

Recommended: Use Database-Level Settings

Configure API keys at the database or role level, not in individual sessions or application code.

Database-level configuration

-- Database-level configuration (persists across sessions)
ALTER DATABASE mydb SET neurondb.llm_api_key = 'sk-...';
ALTER DATABASE mydb SET neurondb.llm_provider = 'openai';

-- Role-level configuration (applies to specific users)
ALTER ROLE app_user SET neurondb.llm_api_key = 'sk-...';

-- Verify settings without exposing the key
SELECT name, setting
FROM pg_settings
WHERE name = 'neurondb.llm_provider';

Best Practice: Environment Variables and Secrets Managers

For production deployments, use environment variables or secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.).

Environment variables

# In postgresql.conf or postgresql.auto.conf (config-file comments use '#').
# PostgreSQL does not expand environment variables in this file, so the value
# '$OPENAI_API_KEY' would be taken literally: have your deployment tooling
# (secrets manager, config management) render the real key into the file at
# deploy time instead of committing it.
neurondb.llm_api_key = '$OPENAI_API_KEY'
neurondb.llm_provider = 'openai'

-- Or use ALTER SYSTEM (requires superuser); this writes postgresql.auto.conf
ALTER SYSTEM SET neurondb.llm_api_key = 'sk-...';
SELECT pg_reload_conf();

Security Tip: Rotate API Keys Regularly

  • Rotate LLM API keys every 90 days or per organizational policy
  • Use separate API keys for development, staging, and production
  • Monitor API usage for anomalies (unexpected spikes, geographic locations)
  • Revoke compromised keys immediately and update configuration

Access Control and Permissions

Principle of Least Privilege

Grant users only the permissions they need. Separate read-only and write roles for embedding functions and ML operations.

Role-based access

-- Read-only role for querying embeddings
CREATE ROLE reader_role;
GRANT SELECT ON documents TO reader_role;
GRANT EXECUTE ON FUNCTION neurondb_embed(text, text) TO reader_role;

-- Write role for inserting/updating embeddings
CREATE ROLE writer_role;
GRANT SELECT, INSERT, UPDATE ON documents TO writer_role;
GRANT EXECUTE ON FUNCTION neurondb_embed(text, text) TO writer_role;
GRANT EXECUTE ON FUNCTION neurondb_embed_batch(text[], text) TO writer_role;

-- Admin role for ML operations
CREATE ROLE admin_role;
GRANT ALL ON documents TO admin_role;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA neurondb TO admin_role;
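
The grants above only restrict access once PostgreSQL's default EXECUTE grant to PUBLIC is removed, and a key set with ALTER DATABASE is readable by every session in that database unless the extension marks the parameter superuser-only. The following added hardening-and-audit script (not part of the NeurondB project) closes the first gap and checks the second; it assumes the three roles above exist and that the functions live in schema neurondb.

```sql
-- Added example; assumes roles reader_role/writer_role/admin_role from the
-- page and that the NeurondB functions live in schema neurondb (assumption).

-- 1. New functions are executable by PUBLIC by default, so the role grants
--    only restrict anything once that default is revoked. The second
--    statement also covers functions created later by the current role
--    (e.g. an extension upgrade run as this role).
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA neurondb FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA neurondb REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 2. Confirm the intended matrix: only writer/admin may call the batch function.
SELECT r.rolname,
       has_function_privilege(r.oid, 'neurondb.neurondb_embed(text, text)', 'EXECUTE')        AS can_embed,
       has_function_privilege(r.oid, 'neurondb.neurondb_embed_batch(text[], text)', 'EXECUTE') AS can_embed_batch
FROM pg_roles AS r
WHERE r.rolname IN ('reader_role', 'writer_role', 'admin_role')
ORDER BY r.rolname;

-- 3. Report where neurondb.llm_api_key is configured (database- or role-level)
--    without ever selecting the value itself.
SELECT coalesce(d.datname, '<all databases>') AS database_name,
       coalesce(r.rolname, '<all roles>')     AS role_name
FROM pg_db_role_setting AS s
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
WHERE EXISTS (SELECT 1 FROM unnest(s.setconfig) AS c(kv)
              WHERE c.kv LIKE 'neurondb.llm_api_key=%');

-- 4. Check whether a low-privilege session can read the key back. Run this in
--    the database where the key was set; SET LOCAL ROLE is undone when the
--    DO block's transaction ends. A superuser-only parameter raises
--    insufficient_privilege instead of returning the value.
DO $$
DECLARE
    v text;
BEGIN
    SET LOCAL ROLE reader_role;
    BEGIN
        v := current_setting('neurondb.llm_api_key', true);
        RAISE NOTICE 'reader_role can read neurondb.llm_api_key: %',
                     (v IS NOT NULL AND v <> '');
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'neurondb.llm_api_key is superuser-only; reader_role cannot read it';
    END;
END
$$;
```

If step 4 reports the key as readable, treat it as a secret every database user can see and scope it with ALTER ROLE to the roles that actually call the embedding functions.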

Network Security

  • Use SSL/TLS for all PostgreSQL connections
  • Restrict network access using firewall rules
  • Use VPN or private networks for production deployments
  • Enable pg_hba.conf restrictions for remote access

Data Protection

  • Encrypt sensitive data at rest using PostgreSQL encryption
  • Use row-level security (RLS) for multi-tenant deployments
  • Implement audit logging for sensitive operations
  • Take regular backups and encrypt them

Next Steps