Security built into the engine.
GalaxDB encrypts every byte before it hits storage, verifies every block on read, and supports any key management system via a pluggable trait. No vendor lock-in.
Encryption at rest
AES-256-GCM on every PAX block and WAL record before it hits storage. AEGIS-256 also supported for 6.6 GB/s throughput. Keys managed via pluggable KeyProvider trait.
Pluggable key management
Local file, environment variable, AWS KMS, Google Cloud KMS, Azure Key Vault, HashiCorp Vault Transit, or any shell command. No vendor lock-in.
Crash safety
WAL with XXH3-64 checksums on every record. Replay stops at first corruption. 7 chaos scenarios pass in under 11 seconds. Zero data loss on kill mid-flush.
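The replay rule described above ("stops at first corruption"), as an added example that is not GalaxDB's own code. The record framing (length, checksum, payload) and all function names are assumptions, and FNV-1a 64 stands in for XXH3-64 so the block needs only the Rust standard library.

```rust
use std::convert::TryInto;

// Hypothetical framing, not GalaxDB's on-disk format:
// [len: u32 LE][checksum: u64 LE][payload: len bytes]
// FNV-1a 64 is a stand-in for XXH3-64 (std-only example).
fn checksum64(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for &b in data { h = (h ^ b as u64).wrapping_mul(0x100000001b3); }
    h
}

fn append_record(wal: &mut Vec<u8>, payload: &[u8]) {
    wal.extend_from_slice(&(payload.len() as u32).to_le_bytes());
    wal.extend_from_slice(&checksum64(payload).to_le_bytes());
    wal.extend_from_slice(payload);
}

/// Replays records in order and stops at the first truncated or corrupt one.
/// Returns the valid payloads and the byte offset where the valid prefix ends.
fn replay(wal: &[u8]) -> (Vec<Vec<u8>>, usize) {
    const HEADER: usize = 12;
    let (mut out, mut pos) = (Vec::new(), 0usize);
    while wal.len() - pos >= HEADER {
        let len = u32::from_le_bytes(wal[pos..pos + 4].try_into().unwrap()) as usize;
        let sum = u64::from_le_bytes(wal[pos + 4..pos + 12].try_into().unwrap());
        let start = pos + HEADER;
        // A torn tail write leaves fewer payload bytes than the header claims.
        if len > wal.len() - start { break; }
        let payload = &wal[start..start + len];
        // Nothing after a bad record is trusted, even if later bytes look valid.
        if checksum64(payload) != sum { break; }
        out.push(payload.to_vec());
        pos = start + len;
    }
    (out, pos)
}

// Constructed sample log: three records, 60 bytes in total.
fn sample_wal() -> Vec<u8> {
    let payloads: [&[u8]; 3] = [b"put k1=v1", b"put k2=v2", b"del k1"];
    let mut wal = Vec::new();
    for p in payloads.iter() { append_record(&mut wal, p); }
    wal
}

fn main() {
    let mut wal = sample_wal();
    wal.truncate(wal.len() - 3); // simulate a kill partway through the last record
    let (records, end) = replay(&wal);
    println!("recovered {} records, valid prefix ends at byte {}", records.len(), end);
}
```

The returned offset marks where a recovering process could truncate the log so that new records are never appended after unverified bytes.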
Checksum verification
XXH3-64 checksum verified on every block read. Corrupt blocks are rejected immediately, never returned to callers.
Responsible disclosure
Found a vulnerability? Email security@galaxdb.com with reproduction steps. We acknowledge within 48 hours.
Key management providers
Set GALAXDB_KEY_PROVIDER at startup. The external-process provider means any KMS with a CLI works without code changes.
GALAXDB_KEY_PROVIDER=local:/path/to/key.bin
GALAXDB_KEY_PROVIDER=env:GALAXDB_MASTER_KEY
GALAXDB_KEY_PROVIDER=command:aws kms decrypt ...
GALAXDB_KEY_PROVIDER=vault:transit/galaxdb-prod
GALAXDB_KEY_PROVIDER=command:your-custom-kms-cli
Found a vulnerability?
Email security@galaxdb.com with reproduction steps. We acknowledge within 48 hours and ship fixes fast.
View security policy on GitHub