Security¶

Keeping your vector data safe is a top priority. Quiver provides several security features to protect your data from prying eyes and unauthorized access. Let's lock things down! 🔒

Encryption at Rest¶

How Encryption Works¶

Quiver can encrypt all data stored on disk, ensuring that even if someone gets access to your storage, they can't read your vectors or metadata.

Encryption uses AES-GCM, a strong authenticated encryption algorithm:

Each file is encrypted with a unique nonce
The encryption key is derived from your provided key
Both the data and its integrity are protected

Enabling Encryption¶

To enable encryption, set the appropriate configuration options:

config := quiver.Config{
    // ... other settings ...
    EncryptionEnabled: true,
    EncryptionKey:     "your-secret-key-at-least-32-bytes-long",
}

Key Management

Keep your encryption key safe! If you lose it, you won't be able to recover your data.

What Gets Encrypted¶

When encryption is enabled, Quiver encrypts:

Vector data files
HNSW graph structure
Metadata exports
Backup files

The DuckDB database is also encrypted as part of the process.

Key Requirements¶

The encryption key must be:

At least 32 bytes long (for AES-256)
Kept secure and backed up
Rotated periodically for best security

If the key is longer than 32 bytes, it will be truncated.

API Security¶

TLS/SSL¶

When using Quiver's HTTP API, you can enable TLS to encrypt data in transit:

// Create the server
server := api.NewServer(api.ServerOptions{
    Port:    "8080",
    Prefork: false,
}, idx, logger)

// Start with TLS
server.StartTLS("server.crt", "server.key")

This ensures that all communication between clients and the server is encrypted.

Authentication¶

Quiver's API server supports basic authentication:

// Create the server with authentication
server := api.NewServer(api.ServerOptions{
    Port:    "8080",
    Prefork: false,
    Auth: api.AuthOptions{
        Enabled:  true,
        Username: "admin",
        Password: "secure-password",
    },
}, idx, logger)

For more advanced authentication, you can implement custom middleware:

// Add JWT authentication middleware
app := server.GetApp()
app.Use(jwtMiddleware())

Authorization¶

You can implement role-based access control using middleware:

// Add RBAC middleware
app := server.GetApp()
app.Use(rbacMiddleware())

// Define routes with specific permissions
app.Post("/admin/backup", adminOnly(), backupHandler())

Network Security¶

Binding Address¶

Control which network interfaces Quiver listens on:

// Only listen on localhost
server := api.NewServer(api.ServerOptions{
    Host: "127.0.0.1",
    Port: "8080",
}, idx, logger)

Firewall Configuration¶

It's recommended to use a firewall to restrict access to Quiver:

# Allow only specific IPs to access Quiver
sudo ufw allow from 192.168.1.0/24 to any port 8080

Operational Security¶

Logging¶

Quiver uses structured logging that can be integrated with security monitoring systems:

// Create a production logger with specific log level
logger, _ := zap.NewProduction(zap.IncreaseLevel(zap.InfoLevel))

Sensitive information is never logged.

Metrics and Monitoring¶

Monitor security-related metrics:

// Get metrics
metrics := idx.CollectMetrics()

// Check security metrics
fmt.Printf("Encryption enabled: %v\n", metrics["encryption_enabled"])
fmt.Printf("Authentication failures: %v\n", metrics["auth_failures"])

Secure Configuration¶

Keep your configuration secure:

Don't hardcode encryption keys or credentials
Use environment variables or a secure vault
Restrict access to configuration files

// Load encryption key from environment
config := quiver.Config{
    // ... other settings ...
    EncryptionEnabled: true,
    EncryptionKey:     os.Getenv("QUIVER_ENCRYPTION_KEY"),
}

Security Best Practices¶

Defense in Depth¶

Implement multiple layers of security:

Network security (firewalls, VPNs)
Transport security (TLS)
Authentication and authorization
Encryption at rest
Secure operations and monitoring

Regular Updates¶

Keep Quiver and its dependencies up to date:

go get -u github.com/TFMV/quiver

Security Audits¶

Regularly audit your Quiver deployment:

Check access logs for suspicious activity
Verify encryption is working correctly
Test authentication and authorization
Review network security

Example Secure Configuration¶

// Secure production configuration
config := quiver.Config{
    // ... core settings ...

    // Security
    EncryptionEnabled: true,
    EncryptionKey:     os.Getenv("QUIVER_ENCRYPTION_KEY"),
}

// Secure API server
server := api.NewServer(api.ServerOptions{
    Host:    "0.0.0.0",  // Listen on all interfaces
    Port:    "8443",     // HTTPS port
    Prefork: false,

    // Authentication
    Auth: api.AuthOptions{
        Enabled:  true,
        Username: os.Getenv("QUIVER_API_USER"),
        Password: os.Getenv("QUIVER_API_PASSWORD"),
    },

    // Rate limiting
    RateLimit: api.RateLimitOptions{
        Enabled:    true,
        MaxRequests: 100,
        TimeWindow:  time.Minute,
    },
}, idx, logger)

// Start with TLS
server.StartTLS("/etc/certs/server.crt", "/etc/certs/server.key")

Next Steps¶

Now that you've secured your Quiver deployment, check out:

HTTP API - Use Quiver as a service
Performance Tuning - Optimize Quiver for your needs
Benchmarking - Measure Quiver's performance