> ## Documentation Index > Fetch the complete documentation index at: https://docs.open-metadata.org/llms.txt > Use this file to discover all available pages before exploring further. # OSS Security Best Practices # OSS Security ## Encryption of Connection Credentials OpenMetadata ensures that sensitive information, such as passwords and connection secrets, is securely stored. * **Encryption Algorithm**: OpenMetadata uses **Fernet encryption** to encrypt secrets and passwords before storing them in the database. * **Fernet Encryption Details**: * Uses **AES-128 in CBC mode** with a strong key-based approach. * **Not based on hashing or salting**, but rather an encryption/decryption method with a symmetric key. * **Secrets Manager Support**: * Users can **avoid storing credentials** in OpenMetadata by configuring an external **Secrets Manager**. * More details on setting up a Secrets Manager can be found here: 🔗 [Secrets Manager Documentation](https://docs.open-metadata.org/latest/deployment/secrets-manager) ## Secure Connections to Data Sources OpenMetadata supports **encrypted connections** to various databases and services. * **SSL/TLS Support**: * OpenMetadata allows users to configure **SSL/TLS encryption** for secure data transmission. * Users can specify **SSL modes** and provide **CA certificates** for SSL validation. * **How to Enable SSL?** * Each connector supports different SSL configurations. * Follow the detailed guide for enabling SSL in OpenMetadata: 🔗 [Enable SSL in OpenMetadata](https://docs.open-metadata.org/latest/deployment/security/enable-ssl) ## **Additional Security Measures** * **Role-Based Access Control (RBAC)**: OpenMetadata allows administrators to define user roles and permissions. * **Authentication & Authorization**: OpenMetadata supports integration with OAuth, SAML, and LDAP for secure authentication. * **Data Access Control**: Users can restrict access to metadata based on policies and governance rules. - **Passwords and secrets are securely encrypted** using **Fernet encryption**. - **Connections to data sources can be encrypted** using **SSL/TLS**. - **Secrets Managers** can be used to manage credentials externally.