Compression and Security
TaiDB can compress values with zstd and encrypt records with XChaCha20-Poly1305. These features are optional and should be selected per workload.
Compression modes
Section titled “Compression modes”The CLI exposes common modes:
taidb --compression zstd-fast put ./app.taidb key valuetaidb --compression zstd put ./app.taidb key valuetaidb --compression zstd-dense put ./app.taidb key valuetaidb --compression zstd-max put ./app.taidb key valueThe Rust API exposes explicit settings:
use taidb::{Compression, EngineConfig, Options};
let options = Options { compression: Compression::Zstd { level: 3, min_bytes: 256, }, ..Options::default()};
let db = EngineConfig::new("./compressed.taidb") .options(options) .open()?;Choosing a compression mode
Section titled “Choosing a compression mode”| Mode | Best for | Tradeoff |
|---|---|---|
| none | tiny values or already-compressed data | largest files |
| zstd-fast | default practical compression | small CPU cost |
| zstd | custom level tuning | requires measurement |
| zstd-dense | archival or local caches with large values | slower writes |
| zstd-max | one-time repack or archival workflows | highest CPU cost |
Use stats to inspect savings:
taidb stats ./app.taidb --jsonEncryption
Section titled “Encryption”Generate a key:
taidb keygen ./taidb.keyWrite encrypted records:
taidb --key-file ./taidb.key put ./secure.taidb secret:1 "private value"Read encrypted records:
taidb --key-file ./taidb.key get ./secure.taidb secret:1Key handling
Section titled “Key handling”Do not commit key files. The repository ignore rules already exclude common key and environment file patterns, but application repositories should also enforce their own secret policy.
Recommended practices:
- Store local keys outside the project directory.
- Use OS keychain or secret manager integration in production apps.
- Keep database backups and key backups under separate access controls.
- Rotate keys by exporting/importing or rewriting data into a new encrypted database when application policy requires it.
Integrity checks
Section titled “Integrity checks”Run:
taidb verify ./secure.taidb --key-file ./taidb.keyFor encrypted databases, verification checks that encrypted records can be authenticated and decoded with the provided key.