Documentation

Getting Started Connecting to a Database Projects Query Editor Results & Data Grid Inline Editing Charts & Visualization Schema Diagrams EXPLAIN Plans Export & Share SSH Tunneling Query History Security & Credentials Keisen AI Keyboard Shortcuts Troubleshooting Database Guides

Security & Credentials

Keisen encrypts all sensitive credentials at rest using AES-256-GCM. Nothing is stored in plain text.

Encrypted storage

All secrets — database passwords, SSL certificates, SSH keys, and authentication tokens — are encrypted with AES-256-GCM before being saved locally.

What gets encrypted

Database passwords
SSL certificates (CA, client cert, client key)
SSH passwords, private keys, and passphrases
Authentication tokens

Connection metadata

Non-sensitive connection details (host, port, database name, username, engine type) are stored separately. This data is needed to display projects in the sidebar.

Encrypted connection sharing

When you share a connection via link, the data is encrypted with AES-256-GCM using a password you choose. The encrypted payload is encoded in the URL — no data passes through any server.

Read-only mode

Enable read-only mode on a project to prevent accidental data modification. In read-only mode, inline editing is disabled and write queries are blocked.