Security & encryption

A database manager you can trust with production credentials.

Three rules: credentials never leave your machine, nothing phones home, and every claim on this page can be verified from the source. What follows is how that's actually built.

01 · Principles

What we won't do.

01

Credentials never leave your machine

No cloud sync. No "log in to QueryDen". The vault file is encrypted on disk, the encryption key never leaves your computer, and the file is useless if copied to another laptop.

02

No telemetry, no analytics, no auto-update pings

The app does not phone home. Not on launch, not when you connect, not when you crash. Your OS network monitor will confirm it: zero outbound connections except to the database server (or SSH bastion) you chose to connect to.

03

You can audit every line

The source is on GitHub under MIT. The encryption code is ~300 lines of Rust in `src-tauri/src/storage.rs`. The CI pipeline that builds the binaries is in the same repo. There is no closed-source layer.

02 · The vault

Six layers, all visible in the source.

The encrypted file at ~/.local/share/com.queryden.app/vault.json is protected by the layers below. Remove any one and it stops working — that's the test.

▲  Input · plaintext credentials
host=db.acme.dev
port=5432
user=alice
password=correct-horse-battery-staple
database=analytics
ssh=bastion.acme.dev:22
6 fields · UTF-8 · human-readable
▲  Disk · vault.json bytes
magic · salt 16 B · nonce 12 B · ciphertext · tag 16 B

Illustrative layout of a vault file. The field order reflects the real format in storage.rs: magic header, Argon2id salt, GCM nonce, encrypted payload, authentication tag. Every byte after the header is indistinguishable from random: the salt and nonce are drawn fresh from the OS random source, and AES-GCM output carries no structure without the key.
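As an added example (not QueryDen's own code), here is a parser and builder for the container layout above. The field order and the 16-byte salt, 12-byte nonce and 16-byte tag come from the diagram; the 4-byte magic value `QDV1` is an assumption standing in for whatever storage.rs actually writes. The point a practitioner should take from it: a parser only checks structure, and a structurally valid file is still untrusted until the GCM tag check passes during decryption.

```python
"""Parse and build the QueryDen vault container: magic | salt | nonce | ciphertext | tag.

Added example, not QueryDen's own code. Field order and the 16/12/16-byte sizes
come from the page; the magic value and exact header encoding are assumptions.
"""
import os
import struct
from dataclasses import dataclass

MAGIC = b"QDV1"        # assumed 4-byte magic; the real value lives in storage.rs
SALT_LEN = 16          # Argon2id salt
NONCE_LEN = 12         # AES-GCM nonce
TAG_LEN = 16           # AES-GCM authentication tag
HEADER = struct.Struct(f">4s{SALT_LEN}s{NONCE_LEN}s")


class VaultFormatError(ValueError):
    """Wrong magic, truncated file, or mis-sized fields: the bytes cannot be a vault."""


@dataclass(frozen=True)
class VaultFile:
    salt: bytes
    nonce: bytes
    ciphertext: bytes  # AES-GCM output with the tag split off
    tag: bytes

    def to_bytes(self) -> bytes:
        """Serialise in the on-disk order. Sizes are checked so a bug cannot shift the layout."""
        if len(self.salt) != SALT_LEN or len(self.nonce) != NONCE_LEN or len(self.tag) != TAG_LEN:
            raise VaultFormatError("field sizes do not match the container layout")
        return HEADER.pack(MAGIC, self.salt, self.nonce) + self.ciphertext + self.tag


def parse_vault(blob: bytes) -> VaultFile:
    """Split raw vault bytes into fields, rejecting anything malformed.

    This only validates structure. Whether the payload is genuine is decided by
    the GCM tag check at decryption time; a parser must never repair a damaged file.
    An empty ciphertext is legal (GCM of an empty plaintext still has a tag).
    """
    if len(blob) < HEADER.size + TAG_LEN:
        raise VaultFormatError("file too short to hold header and tag")
    magic, salt, nonce = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise VaultFormatError(f"bad magic {magic!r}")
    body = blob[HEADER.size:]
    return VaultFile(salt=salt, nonce=nonce, ciphertext=body[:-TAG_LEN], tag=body[-TAG_LEN:])


def fresh_header_fields() -> tuple:
    """Salt and nonce for a new vault write, straight from the OS random source.

    A GCM nonce must never repeat under the same key; a fresh random nonce per
    write, paired with a fresh salt (and so a fresh key), keeps that invariant.
    """
    return os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
```

Round-tripping a `VaultFile` through `to_bytes` and `parse_vault` returns an equal object; flipping a header byte or truncating the file raises `VaultFormatError` before any key material is touched.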

The six layers, one by one
01
AES-256-GCM
Authenticated encryption for every connection, every saved query, every vault entry. Tampering invalidates the MAC; the file refuses to decrypt.
02
Argon2id (memory-hard KDF)
Master password → encryption key. Argon2id is memory-hard: every guess costs a fixed amount of RAM as well as CPU time, so the GPU and ASIC rigs that make plain hash cracking cheap gain little here. Each unlock attempt is slow on purpose.
03
Machine fingerprint
Linux: /etc/machine-id. macOS: IOPlatformUUID. Windows: Win32_ComputerSystemProduct.UUID. Mixed into the KDF, so the same password on a different machine derives a different key and the vault refuses to load. The fingerprint is readable by any process on the box; it is a binding, not a second secret, and it buys nothing against malware already running as you.
04
OS keychain master key
macOS Keychain · Windows Credential Manager (DPAPI) · libsecret on Linux. Each is unlocked by your OS login, not by anything QueryDen stores. Falls back to a file-based key only if no OS keyring is available; in that mode the key sits beside the vault, and protection rests on the master password and the fingerprint alone.
05
Brute-force lockout
5 failed unlocks → exponential backoff. The counter lives in-process (atomics) and the lock state is written to the encrypted state file, so it survives an app restart. This throttles the unlock path inside QueryDen; an attacker who copies the file and runs their own Argon2id loop is slowed by the KDF cost and the fingerprint binding, not by this counter.
06
CSP locked to self
Tauri's CSP restricts script sources to the bundled app (default-src 'self'). An XSS in the renderer is confined to code already shipped in the bundle; it cannot pull a second stage from the internet.

Source: src-tauri/src/storage.rs
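The page says the vault key depends on the master password (layer 02), the machine fingerprint (layer 03) and the OS-keychain master key (layer 04), and that removing any one breaks decryption. As an added example (not QueryDen's own code; how storage.rs actually combines the three is not stated on this page), here is one sound way to build that property. Python's standard library has no Argon2id, so `hashlib.scrypt` stands in as the memory-hard KDF; the domain strings, cost parameters and the HMAC step for the keychain key are assumptions made here.

```python
"""Derive a vault key that needs password, machine fingerprint and keychain key.

Added example, not QueryDen's own code. scrypt stands in for Argon2id (not in the
Python stdlib); domain strings and cost parameters are assumptions.
"""
import hashlib
import hmac

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per guess; raise for production
KEY_LEN = 32                                  # AES-256 key


def fingerprint_salt(salt: bytes, fingerprint: bytes) -> bytes:
    """Bind the KDF salt to this machine.

    The fingerprint is public (anyone on the box can read /etc/machine-id), so it
    is folded into the salt rather than treated as a secret. The domain string
    keeps this digest distinct from any other use of the same inputs.
    """
    return hashlib.sha256(b"queryden.vault.salt.v1" + salt + fingerprint).digest()


def derive_vault_key(master_password: str, salt: bytes, fingerprint: bytes,
                     keychain_key: bytes) -> bytes:
    """Password + fingerprint go through the memory-hard KDF; the keychain key is
    then mixed in with HMAC. Lacking any one of the three yields an unrelated
    key, so AES-GCM decryption fails its tag check instead of leaking anything."""
    if len(salt) != 16 or len(keychain_key) < 32:
        raise ValueError("salt must be 16 bytes and keychain key at least 32 bytes")
    stretched = hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=fingerprint_salt(salt, fingerprint),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    # The keychain key never touches the slow KDF; it is a high-entropy secret
    # already, so a keyed hash over the stretched password is enough to bind it.
    return hmac.new(keychain_key, b"queryden.vault.key.v1" + stretched, hashlib.sha256).digest()


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison for tests and for any place keys are compared."""
    return hmac.compare_digest(a, b)
```

Changing the fingerprint (a copied file on another laptop), the keychain key (a different OS account) or the password each produce a different 32-byte key; only the full triple reproduces it.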

03 · Threat model

What we defend against — and what we don't.

Someone copies your QueryDen vault file off your laptop
The vault is encrypted with a key derived from your master password + a machine fingerprint. Without the original machine, the file does not decrypt — even with the correct password.
Malware on your laptop tries to brute-force the vault
After 5 failed unlock attempts through the app, the vault locks for an exponentially increasing duration. That counter governs only QueryDen's own unlock path: malware that copies the file and guesses offline is not slowed by it, and it can read the fingerprint and call the keychain as you. What bounds that attacker is Argon2id, which makes every guess pay the full memory-hard derivation, together with the strength of your master password.
You lose the laptop
The vault file is encrypted at rest. The master key sits in your OS keychain (macOS Keychain, DPAPI on Windows, libsecret on Linux), which is unlocked by your OS login credentials, not by anything stored in the clear on disk. If the account is wiped or the keychain is gone, the vault becomes permanently unreadable. This layers on top of full-disk encryption, not instead of it.
A QueryDen update ships a backdoor
Every release is built by GitHub Actions from a public tag, and the SHA-256 of each installer is published. A hash published by the same pipeline only proves your download is what CI produced; the check that catches a backdoored build is reproducing it. Build the same commit yourself and compare: the hashes must match.
You connect to a malicious database server
QueryDen is the client. The server can return malicious result rows, but the result grid renders them as text. We do not eval, we do not exec, we do not auto-run a follow-up query based on a result.
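The lockout described under layer 05 and in the brute-force entry above, as an added example (not QueryDen's own code). The threshold of 5 comes from the page; the 30-second base delay, the doubling schedule and the 24-hour cap are assumptions. Persistence is a pair of load/save callables so the backing store can be the page's encrypted state file; a dict stands in here so the block runs offline. Note what it does and does not do: it refuses an attempt before the KDF even runs while locked, and it survives a restart, but it only guards this code path.

```python
"""Brute-force lockout with exponential backoff that survives app restarts.

Added example, not QueryDen's own code. Threshold 5 is from the page; the base
delay, doubling schedule and cap are assumptions.
"""
import time
from dataclasses import asdict, dataclass
from typing import Callable, Mapping

THRESHOLD = 5            # failed attempts before the first lock (from the page)
BASE_DELAY = 30.0        # seconds; assumption
MAX_DELAY = 24 * 3600.0  # cap keeps the schedule finite; assumption


@dataclass
class LockState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class UnlockGuard:
    """Gates unlock attempts. `load`/`save` persist state (the encrypted state
    file in QueryDen; any mapping store here). `clock` is injectable for tests."""

    def __init__(self, load: Callable[[], Mapping], save: Callable[[Mapping], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._save, self._clock = save, clock
        self.state = LockState(**load())  # restore counters written before the last exit

    def seconds_until_allowed(self) -> float:
        return max(0.0, self.state.locked_until - self._clock())

    def attempt(self, password: str, check: Callable[[str], bool]) -> bool:
        """Run one unlock attempt through the guard.

        `check` is the real unlock (derive key, try AES-GCM decrypt). While locked we
        refuse before calling it, so a locked attacker cannot even burn KDF time.
        """
        remaining = self.seconds_until_allowed()
        if remaining > 0:
            raise PermissionError(f"vault locked for {remaining:.0f}s more")
        if check(password):
            self.state = LockState()  # success clears the counter
            self._persist()
            return True
        self.state.failures += 1
        if self.state.failures >= THRESHOLD:
            # 5th failure -> 30 s, 6th -> 60 s, 7th -> 120 s ... capped at MAX_DELAY
            delay = min(BASE_DELAY * 2 ** (self.state.failures - THRESHOLD), MAX_DELAY)
            self.state.locked_until = self._clock() + delay
        self._persist()  # write before returning so killing the app cannot reset the count
        return False

    def _persist(self) -> None:
        self._save(asdict(self.state))
```

The persistence write happens before `attempt` returns, which is what makes a kill-and-relaunch useless as a reset; a guard constructed from the saved state after a restart reports the same remaining lock time.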
What we do not defend against
  • A rooted/compromised OS. If an attacker controls your kernel they control your memory; no userland app can recover from this.
  • A keylogger that captures your master password at the keyboard.
  • A network attacker between you and a database that lacks TLS. Use TLS with certificate verification (for PostgreSQL, sslmode=verify-full rather than require, which still accepts any certificate) or our SSH tunnel; that's what they're for.
  • You sharing a connection string in Slack. We can't fix that.