Managing Stored Credentials
QueryBox prioritizes security by storing your database credentials in your operating system’s native keyring, not in plain text files.How Credentials Are Stored
Three-Tier Storage System
QueryBox uses a three-tier fallback chain to ensure credentials are always available, even in environments where the OS keyring is unavailable:Tier 1: OS Keyring (Preferred)
Primary storage for all credentials
- macOS - Keychain Access (same as Safari, Mail, and system passwords)
- Windows - Credential Manager (Windows Vault)
- Linux - Secret Service API (GNOME Keyring, KWallet, or compatible)
Tier 2: SQLite Fallback
Used when keyring is unavailableIf the OS keyring is not accessible (e.g., on headless servers or CI environments), QueryBox falls back to a local SQLite database:
- Location:
~/Library/Application Support/querybox/credentials.db(macOS),%APPDATA%\querybox\credentials.db(Windows),~/.config/querybox/credentials.db(Linux) - Security: File is protected by filesystem permissions (readable only by your user account)
- Encryption: Credentials are not encrypted in the SQLite file
Tier 3: In-Memory (Ephemeral)
Last resort for temporary environmentsIf both keyring and SQLite fail (e.g., no write permissions), credentials are stored in memory:
- Lifespan: Cleared when QueryBox quits
- Use Case: Testing, sandboxed environments, or CI pipelines
- Security: Not persistent; safe for ephemeral workloads
Credential Keys
Each connection’s credential is stored under a unique key:connections.db database stores only this key reference, never the actual password or token.
Viewing Stored Credentials
QueryBox does not provide a UI to view raw credentials. To inspect what’s stored:macOS Keychain
Search for QueryBox Entries
In the search bar, type
querybox.All QueryBox credentials appear with the service name “querybox” and account names like connection:<uuid>.Windows Credential Manager
Linux Secret Service
Security Best Practices
What QueryBox Does Automatically
- Keyring Encryption - OS keyrings encrypt credentials at rest using your login password
- No Plain Text - Connection passwords never appear in
connections.db - Least Privilege - Only the QueryBox process can access its keyring entries
- Automatic Cleanup - Deleting a connection removes its credential from the keyring
What You Should Do
Avoid Shared Accounts - Each user should have their own database credentials; don’t share a single QueryBox installation with stored credentials.
Troubleshooting
Keyring Access Denied
Symptom: “Failed to store credential: keyring unavailable” Causes:- macOS: Keychain Access is locked or permission denied
- Windows: Credential Manager service is disabled
- Linux: No Secret Service daemon running (e.g., headless server)
- Verify your OS keyring is accessible:
- macOS: Open Keychain Access and unlock the “login” keychain
- Windows: Check that Credential Manager opens without errors
- Linux: Ensure
gnome-keyring-daemonorkwalletdis running
- If the keyring is unavailable, QueryBox automatically falls back to SQLite storage
- Check the Logs panel for detailed error messages
Credentials Not Found
Symptom: “No credential stored” when connecting Causes:- Connection was created before credential storage was implemented
- Credential was manually deleted from the keyring
- Keyring was reset or cleared
- Delete the connection from QueryBox
- Recreate it with the correct credentials
- Verify the new credential is stored by connecting successfully
Migration from Legacy Storage
Older versions of QueryBox (before v1.0) stored credentials in acredential_blob column. The current version automatically migrates these to the keyring:
Automatic Migration on Startup
When you launch QueryBox, it scans for connections with legacy
credential_blob data.Keyring Storage
For each legacy credential:
- A keyring entry is created with key
connection:<uuid> - The
credential_keycolumn is updated - The
credential_blobcolumn is cleared
Migration happens silently; you don’t need to take any action. Check the Logs panel for migration status messages.
Backup and Export
Backing Up Credentials
QueryBox does not provide a built-in credential export feature for security reasons. To back up credentials:- Document passwords separately - Use a password manager (1Password, LastPass, Bitwarden)
- OS Keyring Backup - Use your operating system’s built-in backup tools:
- macOS: Time Machine backs up Keychain automatically
- Windows: Windows Backup includes Credential Manager
- Linux: Back up
~/.local/share/keyrings/(or equivalent)
Moving to a New Machine
Copy Connection Metadata
Transfer the
connections.db file from the old machine to the new one.Old Machine Path:- macOS:
~/Library/Application Support/querybox/connections.db - Windows:
%APPDATA%\querybox\connections.db - Linux:
~/.config/querybox/connections.db
Recreate Credentials
On the new machine, open QueryBox and test each connection.If credentials are missing (likely, since the keyring is machine-specific), delete and recreate each connection.
Credential Lifecycle
Creation
When you save a new connection:- QueryBox generates a UUID (e.g.,
a1b2c3d4-...) - The credential JSON (passwords, tokens) is sent to
CredManager.Store("connection:<uuid>", json) CredManagerattempts to store in the OS keyring, then SQLite, then memory- The connection record is saved with
credential_key: "connection:<uuid>"
Retrieval
When you connect to a database:- QueryBox reads the
credential_keyfromconnections.db CredManager.Get("connection:<uuid>")fetches the credential from keyring → SQLite → memory- The credential JSON is passed to the database plugin
- The plugin uses it to establish a connection
Deletion
When you delete a connection:- QueryBox looks up the
credential_key CredManager.Delete("connection:<uuid>")removes the credential from all tiers (best-effort)- The connection record is removed from
connections.db
Credential deletion is best-effort: if the keyring is temporarily unavailable, the credential may persist. Manually remove it from the OS keyring if needed.
Advanced: Direct Database Access
Inspecting connections.db
Advanced users can query the SQLite database directly:| id | name | driver_type | credential_key |
|---|---|---|---|
| a1b2… | Production DB | pgsql | connection:a1b2… |
| c3d4… | Local MySQL | mysql | connection:c3d4… |
Inspecting credentials.db (Fallback)
If using SQLite fallback storage:value column - it contains sensitive passwords in plain text.
Security Audit
To verify credential security on your system:Check Storage Tier
Open QueryBox logs and search for “CredManager” messages. Look for:
- “stored in keyring” (Tier 1 - secure)
- “keyring unavailable, using sqlite” (Tier 2 - fallback)
- “using memory store” (Tier 3 - ephemeral)
Verify Keyring Access
- macOS: Open Keychain Access, search for “querybox”, confirm entries exist
- Windows: Open Credential Manager, verify “querybox” entries
- Linux: Check Secret Service with
secret-tool search service querybox
Review File Permissions
If using SQLite fallback:Ensure permissions are
-rw------- (600) or stricter.Tips
- Use OS Keyring When Possible - It’s the most secure tier; ensure your keyring daemon is running
- Rotate Passwords Regularly - Update database passwords and recreate connections in QueryBox
- Limit Connection Scope - Create read-only connections for browsing; use separate write-enabled connections for modifications
- Monitor Logs - The Logs panel shows credential storage events; watch for fallback warnings
- Backup Separately - Don’t rely on QueryBox alone; store credentials in a password manager as backup