Secure by default

A database client that keeps secrets out of plaintext

bzora treats security as the default, not a setting you have to go and find. Passwords and SSH keys live in your operating system's keychain; the connection files saved on disk are secret-free.

What "secure by default" actually means here

Keychain-only secrets. Credentials are stored in the macOS Keychain, Windows Credential Manager, or libsecret on Linux — never written to a config file in plaintext.
Verified encryption, no silent downgrade. Connections default to sslmode=verify-full on Postgres and verified tls on MySQL. bzora won't quietly fall back to an unencrypted connection.
No injection surface. Every value is parameterized; identifiers are validated and quoted; data is rendered as text, never as HTML.
No telemetry. Your queries and results go only to the databases you connect to. The only thing bzora sends out is your license key, to verify your purchase.

An honest word on "secure"

Plenty of good native clients also store credentials in the OS keychain — bzora isn't unique in that. Where the difference shows up is in defaults: some tools save passwords to a config file unless you opt in, or reserve a proper master-password store for a paid tier. bzora's secure path is the only path, with nothing to configure and no plaintext fallback.

Download bzora free Buy — €29 (≈ $32)

See how credential handling compares in bzora vs DBeaver, or browse all comparisons.