
Storing Database Credentials Safely in a Desktop SQL Client

How desktop database tools should protect saved passwords, TLS, and local disk encryption for developer machines.

7 min read · Security · Credentials · Desktop

Saved connections are convenient and risky. A SQL client that remembers production passwords on a laptop must assume the disk can be lost, imaged, or accessed by malware. Security is not only TLS to the server; it is how secrets rest on your machine.

Threat model for developer laptops

  • Device theft or unattended unlocked screen
  • Malware with user-level file read access
  • Shared screen recordings showing passwords
  • Backups (Time Machine, corporate endpoint backup) copying local stores

What good clients do

Passwords should never sit in plain JSON. At minimum, use OS keychains (macOS Keychain, Windows Credential Manager). Stronger designs encrypt a local vault with AES-256-GCM using keys derived per device. PgNative encrypts saved connection passwords with AES-256-GCM so a copied config file is not instantly readable.

Transport security still matters

Encrypting local files does not help if you send credentials over the internet in cleartext. Cloud Postgres requires TLS. Verify certificates in production; never leave certificate verification disabled permanently as a workaround. Use read-only users for exploratory connections when the provider supports role separation.

Practices for teams

  1. Separate connections per environment; never reuse prod passwords in staging.
  2. Prefer SSO or short-lived tokens where your provider supports them.
  3. Rotate credentials after contractors leave or laptops are reimaged.
  4. Document which machines have prod access; use VPN plus IP allowlists.
  5. Enable full-disk encryption (FileVault on macOS, BitLocker on Windows).

What PgNative does not solve

A desktop app cannot enforce your organization's MFA policy on the database itself. It will not stop you from screenshotting results with customer emails. Combine the client with database roles, audit logging, and data masking for sensitive columns.

Checklist before saving prod

  • Is this connection read-only?
  • Is SSL required and verified?
  • Will backups include the encrypted store?
  • Can I use a bastion instead of public 5432?

Convenience and security can coexist when encryption and TLS are defaults, not premium add-ons. Choose tools that treat both as foundational. Pair this with connecting to cloud Postgres over SSL so credentials never travel in plaintext.
