Mounts boilstream server as a secure Remote Secrets Storage
Installing and Loading
INSTALL boilstream FROM community;
LOAD boilstream;
Example
INSTALL httpfs; LOAD httpfs; INSTALL boilstream FROM community; LOAD boilstream;
PRAGMA duckdb_secrets_boilstream_endpoint('https://localhost:443/secrets:ffe14a..71db4ef9fad837bc8');
SELECT * FROM duckdb_secrets(); -- Fetches secrets from remote host
About boilstream
This extension implements Secure Remote Secrets Storage on compatible REST API endpoints. It uses industrial-grade security: Facebook's audited OPAQUE PAKE, OAuth2-based token management, HKDF-SHA256 key derivation, and application-level integrity protection and secrets encryption (e.g. AES-GCM) from server to client. It therefore protects secrets confidentiality and message integrity even against man-in-the-middle (MITM) attacks on TLS. Bootstrapping is also anonymous, using one-time bootstrap tokens vended by the server.
The full SECURITY_SPECIFICATION.md is provided with test vectors, and interworking is proven between two independent implementations in Rust and C++.
Required REST API on the server endpoint: https://github.com/dforsber/boilstream-extension/blob/main/src/README.md
As an example, with the REST API provided by the boilstream server:
- Download and run boilstream server, go to https://your-server/, register user with MFA
- INSTALL httpfs; LOAD httpfs; INSTALL boilstream FROM community; LOAD boilstream;
- Vend web token and pass it along with the PRAGMA duckdb_secrets_boilstream_endpoint('https://your-server/secrets:TOKEN')
- FROM duckdb_secrets();
Added Functions
| function_name | function_type | description | comment | examples |
|---|---|---|---|---|
| duckdb_secrets_boilstream_endpoint | pragma | NULL | NULL | |