Security

Firewall

EdgeSet requires only port 443 (HTTPS) for normal operation. During setup, port 80 (for web setup) or port 22 (for terminal setup) can be used. After setup, ports 22 and 80 can be blocked. Port 5432 is optional.

EdgeSet listening ports

Port   Protocol   Purpose
22     TCP        SSH: SSH interface (for setup)
80     TCP        HTTP: Setup web interface (required only during setup)
443    TCP        HTTPS: Web interface + Presto-compatible clients (required)
5432   TCP        PostgreSQL: PostgreSQL-compatible interface

EdgeSet does not listen on any other TCP ports.
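
One way to check a firewall against the port table above, as an added example (not EdgeSet's own code). The names reachable, audit and use_postgres are hypothetical, and the probe is assumed to run from the client side of the firewall.

```python
import socket
import sys

# Port policy from the table above.
REQUIRED = {443}       # HTTPS: web interface + Presto-compatible clients
OPTIONAL = {5432}      # PostgreSQL-compatible interface
SETUP_ONLY = {22, 80}  # SSH and HTTP setup interfaces

def reachable(host, ports, timeout=2.0):
    """Return the subset of ports that accept a TCP connection from here."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:
            pass  # refused, filtered or timed out: not reachable
    return found

def audit(open_ports, setup_done, use_postgres=False):
    """Compare reachable ports with the policy; return (port, finding) pairs."""
    allowed = set(REQUIRED)
    if use_postgres:
        allowed |= OPTIONAL
    if not setup_done:
        allowed |= SETUP_ONLY
    findings = [(p, "required port is not reachable") for p in sorted(REQUIRED - open_ports)]
    for p in sorted(open_ports - allowed):
        if p in SETUP_ONLY:
            findings.append((p, "setup-only port still reachable after setup"))
        elif p in OPTIONAL:
            findings.append((p, "optional PostgreSQL port reachable but not in use"))
        else:
            findings.append((p, "port is not in the EdgeSet port table"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # probe the EdgeSet address given on the command line
        observed = reachable(sys.argv[1], REQUIRED | OPTIONAL | SETUP_ONLY)
    else:
        observed = {22, 80, 443}  # constructed sample: setup ports left open
    for port, finding in audit(observed, setup_done=True):
        print(f"{port}/tcp: {finding}")
```

An empty result from audit means the reachable ports match the table for the chosen phase.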

Data source credentials

EdgeSet stores all data source credentials (passwords, keys, etc.) encrypted on disk (in EdgeSet’s internal database). It uses the ChaCha20 cipher (the same cipher selected by Google for use in HTTP/3). The credentials are also encrypted in EdgeSet backups. Once a data source is created, there is no way for a user or application to retrieve the data source credentials. When editing a data source, the credentials are not sent to the web interface.

EdgeSet decrypts the credentials when connecting to a data source. It also passes the credentials (in memory) to the query engine for executing queries.

User passwords

All user passwords are salted with a random salt and hashed with a memory-hard function (Argon2id). This protects user passwords from GPU cracking, rainbow tables, and side-channel attacks.