Documentation Index
Fetch the complete documentation index at: https://mintlify.com/felixdotgo/querybox/llms.txt
Use this file to discover all available pages before exploring further.
Managing Stored Credentials
QueryBox prioritizes security by storing your database credentials in your operating system’s native keyring, not in plain text files.How Credentials Are Stored
Three-Tier Storage System
QueryBox uses a three-tier fallback chain to ensure credentials are always available, even in environments where the OS keyring is unavailable:Tier 1: OS Keyring (Preferred)
Primary storage for all credentials
- macOS - Keychain Access (same as Safari, Mail, and system passwords)
- Windows - Credential Manager (Windows Vault)
- Linux - Secret Service API (GNOME Keyring, KWallet, or compatible)
Tier 2: SQLite Fallback
Used when keyring is unavailableIf the OS keyring is not accessible (e.g., on headless servers or CI environments), QueryBox falls back to a local SQLite database:
- Location:
~/Library/Application Support/querybox/credentials.db(macOS),%APPDATA%\querybox\credentials.db(Windows),~/.config/querybox/credentials.db(Linux) - Security: File is protected by filesystem permissions (readable only by your user account)
- Encryption: Credentials are not encrypted in the SQLite file
Tier 3: In-Memory (Ephemeral)
Last resort for temporary environmentsIf both keyring and SQLite fail (e.g., no write permissions), credentials are stored in memory:
- Lifespan: Cleared when QueryBox quits
- Use Case: Testing, sandboxed environments, or CI pipelines
- Security: Not persistent; safe for ephemeral workloads
Credential Keys
Each connection’s credential is stored under a unique key:connections.db database stores only this key reference, never the actual password or token.
Viewing Stored Credentials
QueryBox does not provide a UI to view raw credentials. To inspect what’s stored:macOS Keychain
Search for QueryBox Entries
In the search bar, type
querybox.All QueryBox credentials appear with the service name “querybox” and account names like connection:<uuid>.Windows Credential Manager
Linux Secret Service
Security Best Practices
What QueryBox Does Automatically
- Keyring Encryption - OS keyrings encrypt credentials at rest using your login password
- No Plain Text - Connection passwords never appear in
connections.db - Least Privilege - Only the QueryBox process can access its keyring entries
- Automatic Cleanup - Deleting a connection removes its credential from the keyring
What You Should Do
Avoid Shared Accounts - Each user should have their own database credentials; don’t share a single QueryBox installation with stored credentials.
Troubleshooting
Keyring Access Denied
Symptom: “Failed to store credential: keyring unavailable” Causes:- macOS: Keychain Access is locked or permission denied
- Windows: Credential Manager service is disabled
- Linux: No Secret Service daemon running (e.g., headless server)
- Verify your OS keyring is accessible:
- macOS: Open Keychain Access and unlock the “login” keychain
- Windows: Check that Credential Manager opens without errors
- Linux: Ensure
gnome-keyring-daemonorkwalletdis running
- If the keyring is unavailable, QueryBox automatically falls back to SQLite storage
- Check the Logs panel for detailed error messages
Credentials Not Found
Symptom: “No credential stored” when connecting Causes:- Connection was created before credential storage was implemented
- Credential was manually deleted from the keyring
- Keyring was reset or cleared
- Delete the connection from QueryBox
- Recreate it with the correct credentials
- Verify the new credential is stored by connecting successfully
Migration from Legacy Storage
Older versions of QueryBox (before v1.0) stored credentials in acredential_blob column. The current version automatically migrates these to the keyring:
Automatic Migration on Startup
When you launch QueryBox, it scans for connections with legacy
credential_blob data.Keyring Storage
For each legacy credential:
- A keyring entry is created with key
connection:<uuid> - The
credential_keycolumn is updated - The
credential_blobcolumn is cleared
Migration happens silently; you don’t need to take any action. Check the Logs panel for migration status messages.
Backup and Export
Backing Up Credentials
QueryBox does not provide a built-in credential export feature for security reasons. To back up credentials:- Document passwords separately - Use a password manager (1Password, LastPass, Bitwarden)
- OS Keyring Backup - Use your operating system’s built-in backup tools:
- macOS: Time Machine backs up Keychain automatically
- Windows: Windows Backup includes Credential Manager
- Linux: Back up
~/.local/share/keyrings/(or equivalent)
Moving to a New Machine
Copy Connection Metadata
Transfer the
connections.db file from the old machine to the new one.Old Machine Path:- macOS:
~/Library/Application Support/querybox/connections.db - Windows:
%APPDATA%\querybox\connections.db - Linux:
~/.config/querybox/connections.db
Recreate Credentials
On the new machine, open QueryBox and test each connection.If credentials are missing (likely, since the keyring is machine-specific), delete and recreate each connection.
Credential Lifecycle
Creation
When you save a new connection:- QueryBox generates a UUID (e.g.,
a1b2c3d4-...) - The credential JSON (passwords, tokens) is sent to
CredManager.Store("connection:<uuid>", json) CredManagerattempts to store in the OS keyring, then SQLite, then memory- The connection record is saved with
credential_key: "connection:<uuid>"
Retrieval
When you connect to a database:- QueryBox reads the
credential_keyfromconnections.db CredManager.Get("connection:<uuid>")fetches the credential from keyring → SQLite → memory- The credential JSON is passed to the database plugin
- The plugin uses it to establish a connection
Deletion
When you delete a connection:- QueryBox looks up the
credential_key CredManager.Delete("connection:<uuid>")removes the credential from all tiers (best-effort)- The connection record is removed from
connections.db
Credential deletion is best-effort: if the keyring is temporarily unavailable, the credential may persist. Manually remove it from the OS keyring if needed.
Advanced: Direct Database Access
Inspecting connections.db
Advanced users can query the SQLite database directly:| id | name | driver_type | credential_key |
|---|---|---|---|
| a1b2… | Production DB | pgsql | connection:a1b2… |
| c3d4… | Local MySQL | mysql | connection:c3d4… |
Inspecting credentials.db (Fallback)
If using SQLite fallback storage:value column - it contains sensitive passwords in plain text.
Security Audit
To verify credential security on your system:Check Storage Tier
Open QueryBox logs and search for “CredManager” messages. Look for:
- “stored in keyring” (Tier 1 - secure)
- “keyring unavailable, using sqlite” (Tier 2 - fallback)
- “using memory store” (Tier 3 - ephemeral)
Verify Keyring Access
- macOS: Open Keychain Access, search for “querybox”, confirm entries exist
- Windows: Open Credential Manager, verify “querybox” entries
- Linux: Check Secret Service with
secret-tool search service querybox
Review File Permissions
If using SQLite fallback:Ensure permissions are
-rw------- (600) or stricter.Tips
- Use OS Keyring When Possible - It’s the most secure tier; ensure your keyring daemon is running
- Rotate Passwords Regularly - Update database passwords and recreate connections in QueryBox
- Limit Connection Scope - Create read-only connections for browsing; use separate write-enabled connections for modifications
- Monitor Logs - The Logs panel shows credential storage events; watch for fallback warnings
- Backup Separately - Don’t rely on QueryBox alone; store credentials in a password manager as backup