Skip to content

Secret Manager

The secret manager protects sensitive provider credentials inside DBModeler with a master-password-based encrypted vault.

The vault is meant for secrets such as:

  • GitHub and GitLab Personal Access Tokens
  • GitLab OAuth profiles
  • cloud-provider refresh tokens

This keeps long-lived credentials out of plain browser state.

DBModeler derives an encryption key from your master password using Argon2id, then stores the encrypted vault with AES-GCM.

Important practical behavior:

  • secrets are only readable while the vault is unlocked
  • vault metadata and encrypted payload are stored separately
  • PATs can still remain memory-only when you choose not to persist them

When a secure action needs access to the vault, the UI requests the master password through the app’s prompt bus.

This avoids coupling provider flows directly to password-entry UI logic.

The secret manager is what makes browser-only integrations practical without treating browser persistence as fully trusted.

It is especially important when you use:

  • cloud providers with refresh tokens
  • multiple GitLab OAuth profiles
  • longer-lived repository credentials
  • If the vault is locked, persisted secrets are unavailable until unlocked.
  • If the master password is lost, the vault cannot be recovered through the app.
  • The vault is local to your browser environment unless you deliberately move or recreate that state elsewhere.

Next: Supported Databases