Documentation

Security Overview

Absolute DB is secured at every layer: network, authentication, authorisation, storage, and audit. No external security libraries required.

Defence in Depth

Security is not a bolt-on module — it is woven into every subsystem. Absolute DB implements a multi-layer security model:

LayerProtection
NetworkNative TLS 1.3, post-quantum hybrid (X25519 + ML-KEM-768), SNI, ALPN
AuthenticationPassword (Argon2id), LDAP/Active Directory, OAuth2/OIDC JWT (Auth0, Okta, Keycloak, Azure AD)
AuthorisationRBAC, ABAC, Row-Level Security (RLS), dynamic data masking
Encryption at restAES-256-GCM column encryption, KMS-managed DEKs, per-tenant keys
Zero-trustmTLS + SPIFFE/SVID, per-peer ACLs, hot certificate rotation
AuditSHA-256 hash-chained audit log, WORM mode, Merkle tree validation
Memory safetyCompile-time bounds checking, secure memory zeroing, arena-based allocation
Post-quantumFIPS 203 (ML-KEM-768), FIPS 204 (ML-DSA-65), FIPS 205 (SLH-DSA)

Native TLS 1.3

Absolute DB implements TLS 1.3 (RFC 8446) from scratch in pure C11 — no OpenSSL, no libssl, no GnuTLS. This eliminates the most common database attack vector: outdated or misconfigured TLS libraries.

  • Key exchange: X25519 ECDHE
  • Ciphers: AES-256-GCM + ChaCha20-Poly1305
  • Key derivation: HKDF-SHA-256
  • SNI for virtual hosting, ALPN for protocol negotiation (h2, http/1.1, absdb/1)
  • Session tickets with 0-RTT and replay protection
  • PQC hybrid: X25519 || ML-KEM-768 combined secret for quantum-resistant handshake
  • Handshake latency: < 2 ms

Post-Quantum Cryptography

Absolute DB is quantum-ready with FIPS 203/204/205 implementations:

StandardAlgorithmUse Case
FIPS 203ML-KEM-768 (Kyber)Key encapsulation for TLS handshake
FIPS 204ML-DSA-65 (Dilithium)Node identity certs, audit log signing, WAL signing
FIPS 205SLH-DSA (SPHINCS+)CA root certificates, software release signing

All PQC implementations pass FIPS 140-3 Known Answer Tests (KAT). Run make pqc-kat to verify.

Zero-Trust Architecture

  • mTLS: every client connection requires a valid X.509 certificate verified against the CA
  • SPIFFE/SVID: each database node receives an X.509 SVID for identity verification
  • Per-peer ACLs: GRANT CONNECT FROM 'spiffe://cluster.local/...' TO ROLE readonly
  • Hot cert rotation: zero-downtime certificate rotation signed with ML-DSA-65

Audit Logging

Every security-relevant action is recorded in a tamper-evident audit log:

  • SHA-256 hash-chained entries — each record references the hash of the previous record
  • WORM mode — write-once, read-many; entries cannot be modified or deleted
  • Merkle tree validation — verify integrity of the entire audit trail in O(log n)
  • DM Data Vault — 4-state lock machine with secure_zero for sensitive data lifecycle

Related Documentation

Encryption Access Control Compliance

Ready to run Absolute DB?

~154 KB binary · zero external dependencies · 2,737 tests passing

Download Free → View Pricing