Credential storage
How warehouse credentials are encrypted at rest.
Warehouse credentials (Postgres password, Snowflake account info, etc.) are encrypted at rest with AES-256-GCM before they ever touch the database.
How it works
- 256-bit encryption key held only in our deployment environment. It never leaves.
- Fresh random initialization vector generated per encryption using cryptographically secure primitives.
- Authentication tag verified on every decrypt. Any tampering — even a single byte — causes decryption to fail closed.
When credentials are decrypted
Credentials are decrypted only on the request stack that needs them (running a query against your warehouse). They’re held in memory for the duration of the warehouse round-trip, then garbage-collected. They’re never logged — not in the audit log, not in metrics, not in error messages.