TLS / Security

ParticleDB supports direct TLS on the PostgreSQL wire, gRPC, and Redis listeners. The built-in HTTP server is plain HTTP today, so if you expose /v1/*, /health*, or /metrics externally, terminate TLS in your reverse proxy or ingress.

  1. Generate or obtain certificates

    For local testing a self-signed certificate is enough. Put every name clients will connect with into the subjectAltName: clients that verify the server (psql sslmode=verify-full, grpcurl -cacert, redis-cli --cacert) match the host name against the SAN, not the CN.

    openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \
      -nodes -keyout server.key -out server.crt \
      -subj "/CN=particledb" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

    Outside local development, obtain the certificate from your organization's CA (or a public one) so clients can validate it against a root they already trust instead of pinning a one-off file.

  2. Set file permissions

    The private key must be readable only by the user ParticleDB runs as; the certificate is public.

    chmod 600 server.key
    chmod 644 server.crt

  3. Start ParticleDB with TLS

    particledb start \
      --tls-cert /path/to/server.crt \
      --tls-key /path/to/server.key

    In config files, the server reads TLS paths from the network section:

    [network]
    tls_cert_path = "/path/to/server.crt"
    tls_key_path = "/path/to/server.key"
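The three steps above as one script, added here as an example rather than anything shipped with ParticleDB. Instead of a single self-signed file it creates a small private CA and issues the server certificate from it, which is what lets every client (psql sslrootcert, grpcurl -cacert, redis-cli --cacert) verify against one ca.crt while the server key stays separate from the CA key. The host name db.example.com, the directory layout and the file names are assumptions; it needs only openssl.

```shell
#!/bin/sh
# Added example (not ParticleDB tooling): build a private CA, issue a server
# certificate whose SAN matches the name clients verify, and check the result
# before handing server.crt/server.key to `particledb start --tls-cert/--tls-key`.
set -eu

make_pki() {
  dir="$1"; host="$2"            # host: the name clients will put in the URL (assumed)
  mkdir -p "$dir"

  # 1. Private CA. ca.key never leaves this machine; only ca.crt is distributed.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = ParticleDB private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"

  # 2. Server key + CSR, with the SAN and server-only key usage in one config.
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:127.0.0.1
EOF
  openssl req -newkey rsa:4096 -sha256 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr"

  # 3. Sign the CSR with the CA; the extensions come from the CSR's config, not the CSR.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/server.cnf" -extensions v3_server -out "$dir/server.crt"

  # Same permissions as the procedure above: keys private, certificates public.
  chmod 600 "$dir/ca.key" "$dir/server.key"
  chmod 644 "$dir/ca.crt" "$dir/server.crt"
}

# Fails (non-zero) if the chain does not verify, the SAN misses the host name,
# or server.key does not belong to server.crt.
check_pki() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
  [ "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" ]
}
```

Run it as `make_pki ./pki db.example.com && check_pki ./pki db.example.com`; `./pki/ca.crt` is the file clients pin, and `./pki/server.crt` and `./pki/server.key` are what you pass to ParticleDB. Re-run only `make_pki` steps 2 and 3 when the server certificate expires, so clients keep the same ca.crt.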
Connecting clients

psql:

    psql "postgresql://localhost:5432/particledb?sslmode=require"
    psql "postgresql://localhost:5432/particledb?sslmode=verify-full&sslrootcert=ca.crt"

sslmode=require only encrypts the connection; it does not check who issued the server certificate or whether it matches the host name, so anyone who can redirect your traffic can present their own certificate. Use verify-full with the CA certificate (for the self-signed certificate above, ca.crt is server.crt itself) whenever the connection crosses a network you do not control.

psycopg2 takes the same libpq parameters:

    import psycopg2

    conn = psycopg2.connect(
        host="localhost",
        port=5432,
        dbname="particledb",
        # verify-full: validate the chain against sslrootcert and match the host name
        sslmode="verify-full",
        sslrootcert="/path/to/ca.crt",
    )

Authentication

ParticleDB supports three auth modes for PG wire and Redis:

    Method     Description
    trust      No password required
    password   Cleartext password exchange
    md5        MD5 challenge-response

trust accepts anyone who can reach the listener. password sends the secret in the clear on the wire, so use it only over TLS. md5 keeps the password itself off the wire, but a captured exchange allows offline guessing of the password, so it should be paired with TLS as well.

Configure it with:

    particledb start --auth-method password --pg-password mysecretpassword
    particledb start --auth-method md5 --pg-password mysecretpassword

A password given on the command line is visible to other local users in process listings (ps) and is usually recorded in shell history, so keep it out of shared hosts, images, and version control.
PostgreSQL wire

  • Direct TLS supported
  • Auth: trust, password, md5

gRPC

  • Direct TLS supported
  • Auth header format when enabled:

    Authorization: Bearer <username>:<password>

    The value is the username and password themselves, not an opaque token, so only send this header over TLS.

Example (grpcurl uses TLS by default; -cacert makes it verify the server certificate against ca.crt):

    grpcurl \
      -cacert ca.crt \
      -H "authorization: Bearer admin:secret" \
      -import-path proto \
      -proto proto/particledb.proto \
      -d '{}' \
      localhost:26257 \
      particledb.v1.ParticleDB/Health
HTTP

  • No built-in HTTPS listener today
  • No PG/gRPC-style request authentication on /v1/*
  • Recommended production pattern: terminate TLS and enforce auth in your reverse proxy / ingress, and keep the plain-HTTP port reachable only from the proxy host

Example:

    client -> https://db.example.com -> reverse proxy -> http://127.0.0.1:8080
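One concrete form of that pattern, added here as an example and not part of ParticleDB or its documentation: an nginx server block that terminates TLS for db.example.com, requires credentials on /v1/, restricts /metrics and /health* to a monitoring network, rate-limits the API, and forwards only those paths to the plain-HTTP listener on 127.0.0.1:8080. The host name, certificate paths, htpasswd file, 10.0.0.0/8 range and rate values are placeholders to replace with your own.

```nginx
# Added example (not ParticleDB's own configuration).
# limit_req_zone belongs in the http {} context; the server blocks below it.
limit_req_zone $binary_remote_addr zone=particledb_api:10m rate=20r/s;

server {
    listen 443 ssl;
    server_name db.example.com;                      # placeholder host name

    ssl_certificate     /etc/nginx/tls/db.example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/db.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Data API: ParticleDB does not authenticate /v1/*, so the proxy must.
    location /v1/ {
        auth_basic           "ParticleDB";
        auth_basic_user_file /etc/nginx/particledb.htpasswd;  # placeholder
        limit_req            zone=particledb_api burst=40 nodelay;
        proxy_pass           http://127.0.0.1:8080;
        proxy_set_header     Host $host;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto https;
    }

    # Scrape and probe endpoints: reachable only from the monitoring network.
    location ~ ^/(metrics|health) {
        allow 10.0.0.0/8;                            # placeholder range
        deny  all;
        proxy_pass http://127.0.0.1:8080;
    }

    # Anything else is not forwarded to the backend.
    location / {
        return 404;
    }
}

# Redirect plain HTTP to HTTPS so clients never send credentials in the clear.
server {
    listen 80;
    server_name db.example.com;
    return 301 https://$host$request_uri;
}
```

Because the proxy is the only thing that should reach port 8080, start ParticleDB with its HTTP listener bound to 127.0.0.1 (see "Bind listeners to specific interfaces" below) or firewall the port; otherwise the auth and allow-lists here can be bypassed by connecting to the backend directly.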
Redis

  • Direct TLS supported
  • Auth via AUTH

    redis-cli -p 6379 --tls --cacert ca.crt
    AUTH mysecretpassword

AUTH sends the password as-is, so always combine it with --tls on anything but a local socket.
Best practices

  1. Enable TLS in production for PG wire, gRPC, and Redis.

  2. Do not use trust outside local development.

  3. Front the built-in HTTP server with your normal reverse proxy if you need HTTPS, auth, rate limiting, or WAF behavior.

  4. Bind listeners to specific interfaces when possible, so a listener meant for the local host or a private network is not reachable from every address on the machine.

  5. Use Unix sockets for local PG connections when you want the lowest-overhead trusted path; access is then controlled by filesystem permissions on the socket rather than by the network.

  6. Enable audit logging if you need an in-database activity trail:

    particledb start --audit-log