Credential storage

How warehouse credentials are encrypted at rest.

Warehouse credentials (Postgres password, Snowflake account info, etc.) are encrypted at rest with AES-256-GCM before they ever touch the database.

How it works

  • 256-bit encryption key held only in our deployment environment. It never leaves.
  • Fresh random initialization vector generated per encryption using cryptographically secure primitives.
  • Authentication tag verified on every decrypt. Any tampering — even a single byte — causes decryption to fail closed.

When credentials are decrypted

Credentials are decrypted only on the request stack that needs them (running a query against your warehouse). They’re held in memory for the duration of the warehouse round-trip, then garbage-collected. They’re never logged — not in the audit log, not in metrics, not in error messages.