Data Protection
Encryption and security practices for your data. KubeMate is completely self-hosted on your infrastructure, meaning all data remains on your servers and under your complete control.
What It Does
Data protection is to absolute minimum you need to keep your data secure:
Encrypt all sensitive data at rest
Never expose credentials in logs or responses
Self-hosted infrastructure, data on your servers
Complete control over your data and infrastructure
that's it!
Kubeconfig Encryption
AES-128 + HMAC Encryption
Kubeconfigs are encrypted using Fernet encryption with AES-128 cipher and HMAC for authentication. This industry-standard approach ensures your cluster credentials cannot be read even with database access.
Encrypted at Rest
Kubeconfigs are encrypted before being stored in PostgreSQL database. Only decrypted in memory when needed to connect to clusters. Credentials never touch disk in unencrypted form.
Decryption on Use
Kubeconfigs are only decrypted in temporary memory when establishing cluster connections. After the connection is made, decrypted data is immediately cleared from memory. Credentials are never logged or persisted unencrypted.
API Key Protection
Same Encryption as Kubeconfigs
OpenRouter API keys are encrypted at rest using the same Fernet (AES-128 + HMAC) encryption as kubeconfigs. Both types of credentials are protected with the same high-security standard.
Never Logged or Exposed
API keys are never logged in plain text, never shown in debug output, and never included in API responses. All encryption/decryption happens entirely in memory.
Admin-Only Access
Only users with admin role can manage API keys. Regular users can use AI features but cannot view or modify sensitive credentials.
Database Security
Production-Grade PostgreSQL
PostgreSQL database stores all application data including users, clusters, API keys, and activity logs. Known for reliability and security in production environments.
SQL Injection Protection
All database queries use parameterized statements, completely eliminating SQL injection risks. User input is never directly concatenated into SQL queries.
Regular Backups
Configure regular PostgreSQL backups for your production deployment. This protects against data loss and ensures business continuity.
Encrypted Data Storage
All sensitive data in database is encrypted at rest using PostgreSQL's built-in encryption. Even with database backups, your data remains protected.
Network Security
CORS Configuration
Properly configured CORS headers restrict API access to authorized origins only. This prevents cross-origin attacks where malicious websites could exploit your KubeMate instance.
HTTPS Required
Always use HTTPS in production to encrypt data in transit between your browser and server. HTTP connections expose your data to network eavesdropping.
Secure Environment Variables
Never commit sensitive credentials to version control or expose them in logs. Use environment variables or secret management tools for production deployments.
Why Users Love It
Data on your servers - All data stored on your own infrastructure under your control
No third-party data centers - Your credentials never leave your servers
Complete data sovereignty - Own your data completely
Enterprise-grade encryption - AES-128 + HMAC protects your credentials
Configuration Details
To make things even easier, all security features are enabled by default and require no configuration. KubeMate is completely self-hosted on your infrastructure, meaning all data remains on your servers and under your complete control.
So you don't need to do anything more to keep your data secure right now, however take your time reading the information below to get a deeper understanding about how these concepts work.