Security

Security is fundamental to how Supabyoi operates. Your infrastructure credentials and data are protected at every layer.

SSH Key Encryption

Private SSH keys are encrypted at rest using Supabase Vault, which uses AES-256 encryption via pgsodium. Keys are never stored in plaintext in the application database. The encryption key itself is managed by pgsodium and never exposed to the application layer.

AES-256 via pgsodium — Supabase Vault leverages libsodium under the hood, providing authenticated encryption that detects tampering alongside the confidentiality guarantee.

Automatic VM Hardening

When you add a VM, Supabyoi automatically applies security hardening. You do not need to configure these manually.

  • Dedicated user

    A supabyoi system user is created with limited privileges. Root access is not required for day-to-day operations after the initial setup.

  • Randomized SSH port

    SSH is moved from the default port 22 to a random port between 10,000 and 60,000, significantly reducing exposure to automated scanning and brute-force bots targeting the standard port.

  • Firewall (UFW)

    Only the ports necessary for operation are allowed inbound: the randomized SSH port, HTTP (80), and HTTPS (443). All other ports are blocked by default.

  • Fail2ban

    Brute-force SSH protection is enabled via Fail2ban. Repeated failed login attempts result in automatic IP banning.

  • Automatic updates

    Unattended security updates are enabled so that OS-level security patches are applied automatically without manual intervention.

Instance Credentials

PostgreSQL passwords, JWT secrets, and API keys are generated uniquely per instance and stored in Supabase Vault. After storage in the vault, credential values are nulled from the application database — they exist only in encrypted vault storage.

Credentials are retrieved from the vault only when needed (for example, during deployment) and are never written to application logs.

PostgreSQL

Unique password per instance, stored encrypted

JWT Secrets

Per-instance signing secrets, vault-only storage

API Keys

Anon and service keys generated fresh per instance

TLS Everywhere

All traffic to Supabyoi-managed instances is encrypted in transit.

  • Cloudflare Origin CA wildcard certificate (*.supabyoi.com) covers all instances with a 15-year validity period

  • HTTPS enforced on all endpoints — no unencrypted access to instance APIs

  • Cloudflare proxy provides DDoS mitigation and absorbs volumetric attacks before they reach your VM

  • HTTP requests are automatically redirected to HTTPS via nginx configuration

Row-Level Security

All database queries in the Supabyoi application are scoped to the authenticated user. Users can only access their own VMs and instances. This isolation is enforced at the database level via Supabase RLS policies — not just application-layer filtering.

Even if there were a bug in the application code, the database would reject any query attempting to access another user's data. RLS policies provide a second line of defense independent of the application logic.

Example RLS policy

CREATE POLICY "Users can only access their own VMs"
  ON vms FOR ALL
  USING (auth.uid() = user_id);

Studio Authentication

Access to Supabase Studio is protected by an nginx auth_request directive that validates user ownership before granting access. Only the instance owner can access their Studio dashboard.

When a request arrives for the Studio interface, nginx forwards authentication details to the Supabyoi application, which verifies that the requesting user owns the instance. If the check fails, nginx returns a 401 response and the Studio interface is never reached.

nginx auth_request flow

Browser request nginx auth_request Ownership check Studio (200) or 401

Config File Security

Deployment configuration files containing credentials are written with 0600 permissions (owner-read-only) and deleted from the VM immediately after use.

Config files are uploaded to /tmp/ with a unique deployment ID in the filename, making accidental access by other processes unlikely even in the brief window between write and delete.

Permissions

chmod 0600 /tmp/deploy-<id>.json

Lifecycle

Written immediately before deployment, deleted immediately after

Log Security

A secret masking utility strips credential values from all log output, preventing accidental exposure in deployment logs or error messages.

All sensitive values — database passwords, JWT secrets, API keys — are registered with the masker before any operation begins. If a credential value appears anywhere in a log line (stdout, stderr, or structured log fields), it is replaced with [REDACTED] before the line is written to storage or displayed in the UI.

Example masked output

Setting up postgres user... password=[REDACTED]
JWT_SECRET=[REDACTED]
ANON_KEY=[REDACTED]
Service role key=[REDACTED]