How Maree-DB Protects Your Data

Written in plain English. No technical jargon. If you can understand a bank vault, you can understand Maree-DB security.

On this page

  1. Your data is scrambled
  2. Your keys — explained with a bank vault
  3. What SupportCALL can and cannot see
  4. What happens if…
  5. Sovereignty — zero phone-home
  6. Ransomware and intrusion detection
  7. Air-gapped and SCIF environments

1. Your Data Is Scrambled

Every piece of data stored in Maree-DB is encrypted — scrambled into unreadable nonsense — before it is written to disk. Military-grade encryption protects every row, every document, every key-value pair.

Even if someone physically steals your server — walks out the door with the whole machine — they see only scrambled gibberish. Without your Master Key, they cannot read a single byte.

Think of it like this: Imagine printing your entire database onto paper — then shredding every page into 10,000 random strips and mixing them all together. That is what encryption does to your data. Reassembling the strips requires the Master Key. Without it, the thief has confetti.

The Master Key is never stored on the server. It lives on a USB drive in your physical safe. The server holds a locked copy of a smaller key (the Data Key), which is locked by the Master Key. Everything chains back to something only you physically control.

2. Your Keys — Explained with a Bank Vault

Maree-DB uses several layers of keys, each protecting the one below it. Here is what each key does, in plain English:

Master Key

The single most important key. It unlocks everything else. Store it on a USB drive in a physical safe — not on any computer, not in the cloud. When you start Maree-DB, you supply the Master Key once. After that, you can remove the USB. The server never stores it permanently.

Data Key

This key actually scrambles your data rows. It lives on the server, but it is locked with the Master Key — meaning it is useless without the Master Key to unlock it first. Your data is scrambled with the Data Key; the Data Key itself is scrambled with the Master Key.

Rotation Key

Periodically you should replace the Data Key (called "key rotation"). The Rotation Key ensures your old backups remain readable after a rotation — it bridges the gap between old and new. Think of it as a "translation layer" between key generations.

Audit Stamp Key

Maree-DB keeps a tamper-evident audit trail of every significant event. The Audit Stamp Key signs each entry. If anyone modifies the audit log — even a single character — the signature breaks instantly, proving tampering occurred.

Emergency Key (Break-Glass)

If you lose the Master Key USB, you are not locked out forever. The Emergency Key is split into 5 pieces, held by 5 different trusted people in your organisation. Any 3 of the 5 pieces can reconstruct the Emergency Key and recover your vault. No single person can do it alone — security by design.

Bank vault analogy: Your Master Key is the vault combination. Your Data Key is the cash inside the vault. Your Rotation Key lets you repackage the cash when you change the combination. Your Audit Stamp is the bank's security camera record. Your Emergency Key is held in escrow by 5 trusted directors — any 3 can open it, but 2 cannot.

3. What SupportCALL Can and Cannot See

SupportCALL ICT Solutions created Maree-DB. We issue your licence key (like stamping a certificate of authenticity). Here is exactly what we can and cannot access:

What we CAN do

  • Issue and sign your licence key
  • Verify your Hardware ID during online activation (one-time, optional)
  • Answer support questions you send to us
  • Ship software updates

❌ What we CANNOT do

  • See your data — ever
  • Access your Master Key
  • Access your Data Key or vault keys
  • Connect to your running database
  • Receive any telemetry or usage metrics
  • Audit your deployment without your explicit invitation

Once activated, your Maree-DB instance runs completely independently of SupportCALL. There is no hidden agent, no telemetry process, no "call home" timer. The software verifies your licence locally — it compares a cryptographic signature against a public key baked into the binary. No network request is needed, ever.

Your data is yours. Period. We cannot see it. We do not want to see it. We designed the system so that it is impossible for us to see it.

4. What Happens If…

Someone steals my server

Your data is scrambled. The thief has a box full of unreadable noise. Without your Master Key USB (which is in your physical safe, not on the server), they cannot read a single row, document, or key-value pair. Maree-DB's autonomous lockdown will also trigger if it detects unauthorised access patterns before the physical theft — further protecting the encrypted storage.

I lose my Master Key USB

Use the Emergency Key recovery procedure. Contact the 5 designated key custodians in your organisation. Any 3 of them can provide their share of the Emergency Key. Combine 3 shares to reconstruct the Emergency Key, then use it to recover your vault. No custodian acting alone can recover the key — it requires a quorum of 3.

A hacker gets into my network

Maree-DB's Autonomous Threat Detection monitors every query, connection, and access pattern in real time. Ransomware-style behaviour (mass reads, rapid encryption attempts, unusual bulk operations) is detected in under 10 milliseconds and triggers an autonomous lockdown — blocking all writes, alerting your team, and preserving the integrity of your data. The system can also autonomously self-recover once the threat is cleared, without requiring human intervention.

SupportCALL goes out of business

Your database keeps running. The licence is verified locally by the software itself — no network connection to SupportCALL is ever required after activation. Your keys are in your physical safe. Your data is yours. Under BSL 1.1, the source code converts to Apache 2.0 four years after each release — meaning the community can maintain and build on the software independently. You are never locked in.

A Maree-DB employee goes rogue

We do not have your keys. We cannot access your data. A rogue employee at SupportCALL has no path to your database — the architecture makes it impossible. The same is true of SupportCALL's directors, shareholders, and parent companies. Your vault keys were generated on your hardware, by you, and they never left your network.

A government subpoenas SupportCALL for my data

We cannot comply — because we do not have your data. We can hand over our own business records (who holds a licence, billing information), but we have no access to your database contents, vault keys, or Master Key. A subpoena to SupportCALL does not unlock your data. Only you can do that.

5. Sovereignty — Zero Phone-Home

"Sovereign" means Maree-DB operates entirely within your control. The binary never contacts any external server during normal operation.

The only external network contact Maree-DB ever makes is:

  • Licence activation (one-time, optional): Sends only your Hardware ID — a fingerprint of your server's identity. No data, no queries, no schema, no telemetry. This step can also be done by phone or via USB if you prefer no network contact at all.
  • Software updates (opt-in only): Update checks are disabled by default. You choose when to download updates, from our distribution server.

After activation, zero external connections are made. Zero. No heartbeat. No telemetry. No usage reporting. No "improvement programme". Nothing.

SCIF-Ready · Air-Gap Deployable · Zero Telemetry · Made in Australia

6. Ransomware and Intrusion Detection

Traditional databases are passive — they process whatever queries arrive, whether from your application or from malware. Maree-DB is different.

Autonomous Threat Detection

Maree-DB's Autonomous Threat Detection watches every connection, query pattern, and data access in real time. It recognises the behavioural signatures of:

  • Ransomware — mass reads followed by external transmission attempts
  • Data exfiltration — unusual bulk SELECT patterns outside normal hours
  • Privilege escalation — connections attempting to access tables beyond their role
  • Credential stuffing — rapid authentication failures across many usernames
  • Injection attacks — SQL or NoSQL injection patterns in query streams

Detection latency: under 10 milliseconds. When a threat is detected, Maree-DB automatically locks down — blocking all writes and alerting your team — while preserving read access for forensic investigation.

Fortress Lock

Fortress Lock is Maree-DB's autonomous lockdown and self-resurrection system. When activated (automatically on threat detection, or manually by an administrator):

  • All write operations halt immediately
  • Active suspicious connections are terminated
  • An alert is sent to your designated security contact
  • A cryptographic snapshot of the current state is taken for forensic review
  • Unlock requires a secure challenge-response with your designated key custodian

Once the threat is cleared, Maree-DB can self-resurrect — resuming normal operation automatically — without requiring manual restart or manual recovery steps.

Tamper-Evident Integrity

Every write to Maree-DB is recorded in a tamper-evident chain. If any record is modified, deleted, or inserted outside of normal database operations — including by direct filesystem access — the integrity verification detects it immediately on the next read. You receive a cryptographic proof that tampering occurred, when it occurred, and which records were affected.

This is not a log file that can be cleared. It is a mathematical chain — altering any entry invalidates all subsequent entries, making silent tampering impossible.

7. Air-Gapped and SCIF Environments

Maree-DB is designed from the ground up for classified, air-gapped, and Sensitive Compartmented Information Facility (SCIF) deployments.

Licence Activation Without Internet

There are three activation paths — none of them require a persistent internet connection:

  • Online (30 seconds): One-time HTTP call to our activation server. Sends only your Hardware ID. No data, no telemetry. Connection is closed immediately.
  • Phone/Email: Call or email SupportCALL with your Hardware ID. We issue your node-locked licence key by return. No internet required on your side.
  • USB Transfer: Generate your Hardware ID on the air-gapped machine, carry it out on a USB drive, activate at activate.mareedb.com/manual on any internet-connected machine, carry the licence key back on USB. The server never touches a network.

After activation, the server requires zero network connectivity. Licence verification is entirely local — a cryptographic check performed by the running binary, with no outbound connection of any kind.

Post-Quantum Cryptography

Maree-DB includes post-quantum cryptographic primitives for key exchange and digital signatures. This means your encrypted data remains secure even against quantum computers — protecting your archives against "harvest now, decrypt later" attacks. The post-quantum layer is an additional protection on top of, not a replacement for, current industry-standard cryptography.

Summary: Your data is encrypted. Your keys are in your safe. SupportCALL cannot see your data. Ransomware is detected in <10 ms. The server never phones home. Air-gap deployable. SCIF-approved architecture.

Questions? Contact security@mareedb.com