Configuring Embedded Storage

The transactor runs an embedded JDBC storage when configured for the free: or dev: protocol.

Local Dev Convenience

By default, the embedded storage runs with default passwords is accessible only by other processes on the same machine. This configuration is intended for interactive development where application peers and the transactor are colocated.

Securing Remote Access

To allow remote peers access to embedded storage you must do three things:

  • choose two passwords for the embedded storage
  • set the secure-access property
  • add a password to the connection URI used by peers

Choose Passwords

Datomic's embedded JDBC storage has two passwords: an 'admin' password used by the transactor plus a 'datomic' password used by the peers. Once you set these passwords, you are responsible for remembering them. If you lose a password, you will not be able to access your data, and will need to recover from a Datomic backup.

Set the passwords by setting the following transactor properties:

storage-admin-password=
storage-datomic-password=

Set secure-access Property

To enable remote access to Datomic's embedded storage, set the following transactor property:

storage-access=remote

New transactor properties will take effect on the next transactor start.

Add Password To Connection URI

After you set storage-datomic-password, peers must include the 'datomic' password in the connection URI, e.g.

datomic:dev://my-host:4334/my-db?password=my-secret

Rotating Passwords

Once you have set the storage-datomic-password, you can rotate it as follows:

  • set old-storage-datomic-password to the current password
  • set storage-datomic-password to a new password
  • restart the transactor
  • change peer Connection URIs to use the new password

The storage-admin-password can be rotated in similar fashion. Be careful not to lose track of passwords while performing a password rotation.