Security Reference
Summary
This document describes the security architecture that is visible in the Velox source code today. It covers authentication, authorization, Windows permissions, encryption, secrets, certificates, TLS behavior, and audit logging.
The source code shows strong Windows-service management controls and broad outbound authentication support. It does not show a Velox Designer login model, and it does not show centralized inbound API authentication or authorization enforcement in the reviewed API dispatch path. Where security behavior is configured but not found in active runtime code, that is stated explicitly.
Related PKB Documents
- Architecture
- Domain Model
- Service Reference
- Flow Execution
- Logging Reference
- Error Reference
- Technical Debt
- General Setup Configuration
- Connection Configuration
- Transport Configuration
- Flow Configuration
- System Runtime Configuration
Source Code Locations
| Area | Source locations |
|---|---|
| Authentication and TLS enumerations | Classes/Tools/vxTypes.pas:191, Classes/Tools/vxTypes.pas:196, Classes/Tools/vxTypes.pas:201, Classes/Tools/vxTypes.pas:207, Classes/Tools/vxTypes.pas:211, Classes/Tools/vxTypes.pas:215 |
| Reversible encryption and hashing | Classes/Tools/vxEncryption.pas:83, Classes/Tools/vxEncryption.pas:100, Classes/Tools/vxEncryption.pas:130, Classes/Tools/vxEncryption.pas:131, Classes/Tools/vxEncryption.pas:135, Classes/Tools/vxEncryption.pas:199 |
| General Setup security configuration | Classes/vxSetup.pas:237, Classes/vxSetup.pas:242, Classes/vxSetup.pas:251, Classes/vxSetup.pas:252, Classes/vxSetup.pas:259, Classes/vxSetup.pas:260, Classes/vxSetup.pas:275, Classes/vxSetup.pas:278, Classes/vxSetup.pas:282 |
| General Setup UI | Forms/frmSetupGeneral.pas:139, Forms/frmSetupGeneral.pas:141, Forms/frmSetupGeneral.pas:942, Forms/frmSetupGeneral.pas:943, Forms/frmSetupGeneral.pas:966, Forms/frmSetupGeneral.pas:969, Forms/frmSetupGeneral.pas:1035, Forms/frmSetupGeneral.pas:1036, Forms/frmSetupGeneral.pas:1062, Forms/frmSetupGeneral.pas:1065 |
| Windows service permissions | Classes/Tools/vxService.pas:71, Classes/Tools/vxService.pas:90, Classes/Tools/vxService.pas:209, Classes/Tools/vxService.pas:307, Forms/frmSetupGeneral.pas:301, Forms/frmSetupGeneral.pas:334, Forms/frmSetupGeneral.pas:497, Forms/frmSetupGeneral.pas:536, Forms/frmSetupGeneral.pas:572, Forms/frmSetupGeneral.pas:609, Forms/frmSetupGeneral.pas:626, Forms/frmMain.pas:2126, Forms/frmMain.pas:2151 |
| Windows account validation and service-logon right | Forms/frmServicePassword.pas:62, Forms/frmServicePassword.pas:84, Forms/frmServicePassword.pas:103, Forms/frmServicePassword.pas:118, Classes/Tools/vxShell.pas:201, Classes/Tools/vxShell.pas:210, Classes/Tools/vxShell.pas:220, Classes/Tools/vxShellLSA.pas:121 |
| Velox API Service startup | VeloxAPIService/classMain.pas:213, VeloxAPIService/classMain.pas:251, VeloxAPIService/classMain.pas:254 |
| API dispatch and REST flow execution | Classes/Service/vxManagerREST.pas:109, Classes/Service/vxManagerREST.pas:134, Classes/Service/vxManagerREST.pas:194, Classes/Service/vxManagerREST.pas:467, Classes/Service/vxManagerREST.pas:487, Classes/Service/vxManagerREST.pas:522, Classes/Service/vxManagerREST.pas:561, Classes/Service/vxActionThread.pas:671, Classes/vxActionMan.pas:685, Classes/vxActionMan.pas:1545, Classes/vxActionMan.pas:2711, Classes/vxActionMan.pas:2767, Classes/vxActionMan.pas:2849, Classes/vxScripter.pas:1052, Classes/vxScripter.pas:1289 |
| Outbound HTTP and OAuth | Classes/Tools/vxHTTP.pas:365, Classes/Tools/vxHTTP.pas:406, Classes/Tools/vxHTTP.pas:414, Classes/Tools/vxHTTP.pas:514, Classes/Tools/vxHTTP.pas:545, Classes/Tools/vxHTTP.pas:741, Classes/Tools/vxOAuth.pas:76, Classes/Tools/vxOAuth.pas:123, Classes/Tools/vxOAuth.pas:207, Classes/Tools/vxOAuth.pas:235, Classes/Tools/vxOAuth.pas:301, Classes/Tools/vxOAuth.pas:350, Classes/Tools/vxOAuth.pas:492 |
| Email authentication and TLS | Classes/Tools/vxEmail.pas:252, Classes/Tools/vxEmail.pas:303, Classes/Tools/vxEmail.pas:309, Classes/Tools/vxEmail.pas:317, Classes/Tools/vxEmail.pas:318, Classes/Tools/vxEmail.pas:358, Classes/Tools/vxEmail.pas:780, Classes/Tools/vxEmail.pas:785, Classes/Tools/vxEmail.pas:790 |
| Transports and transport security | Classes/Transports/vxTransport.pas:253, Classes/Transports/vxTransport.pas:265, Classes/Transports/vxTransport.pas:369, Classes/Transports/vxTransport.pas:372, Classes/Transports/vxTransport.pas:568, Classes/Transports/vxTransport.pas:882, Classes/Transports/vxTransport.pas:887, Classes/Transports/vxTransportHTTP.pas:124, Classes/Transports/vxTransportHTTP.pas:250, Classes/Transports/vxTransportHTTP.pas:279, Classes/Transports/vxTransportFTP.pas:230, Classes/Transports/vxTransportPOP.pas:330, Classes/Transports/vxTransportIMAP.pas:671, Classes/Transports/vxTransportMSMQ.pas |
| SFTP host-key validation | Classes/Transports/vxTransportSFTP.pas:372, Classes/Transports/vxTransportSFTP.pas:395, Classes/Transports/vxTransportSFTP.pas:438, Classes/Transports/vxTransportSFTP.pas:453, Classes/Transports/vxTransportSFTP.pas:459, Classes/Transports/vxTransportSFTP.pas:464, Classes/Transports/vxTransportSFTP.pas:470, Classes/Transports/vxTransportSFTP.pas:480 |
| Database credentials and certificate trust | Classes/vxDBCon.pas:126, Classes/vxDBCon.pas:138, Classes/vxDBCon.pas:160, Classes/vxDBCon.pas:425, Classes/vxDBCon.pas:433, Classes/vxDBCon.pas:467, Classes/vxDBCon.pas:475, Classes/Tools/vxDBConfig.pas:209, Classes/vxSQLConnection.pas:290, Forms/frmSetupDBCon.pas:147, Forms/frmSetupDBCon.pas:401 |
| Azure Key Vault variable provider | Classes/Tools/vxAzure.pas:10, Classes/Tools/vxAzure.pas:29, Classes/Tools/vxAzure.pas:46, Classes/Tools/vxAzure.pas:66, Classes/Tools/vxAzure.pas:67, Classes/Tools/vxAzure.pas:69, Classes/Tools/vxAzure.pas:76, Classes/Tools/vxAzure.pas:83 |
| Certificate cache paths | Classes/Tools/vxConfigPath.pas:29, Classes/Tools/vxConfigPath.pas:331, Classes/Tools/vxConfigPath.pas:336, Classes/Tools/vxConfigPath.pas:341 |
| Audit and system logging | Classes/vxModule.pas:809, Classes/vxModule.pas:855, Classes/vxModule.pas:860, Classes/vxModule.pas:877, Classes/vxModule.pas:4817, Classes/vxModule.pas:4846, Classes/vxModule.pas:4853, Classes/vxModule.pas:4860, Classes/vxModule.pas:4867, Classes/Tools/vxEventLogger.pas:129, Classes/Tools/vxEventLogger.pas:165, Classes/GUI/vxModuleManager.pas:152, Classes/GUI/vxFormManager.pas:383, Forms/frmMain.pas:815, Forms/frmMain.pas:1706, VeloxService/classMain.pas:518, VeloxService/classMain.pas:606, VeloxService/classMain.pas:623 |
Important Classes, Forms, Services, and Configuration
Important Classes
| Class | Purpose |
|---|---|
TvxSetup | Holds General Setup security-related settings, including SMTP credentials, proxy credentials, Azure credentials, Velox API SSL settings, service users, SSL certificate paths, audit settings, and debug logging flags. |
TvxEncryption | Provides reversible string encryption using LockBox AES-256/CBC with a static application password assembled in code. |
TvxHash | Provides SHA-384 hashing support. |
TvxRESTManager | Dispatches inbound Velox API Service requests to configured REST flow endpoints. |
TvxRESTItem | Represents one REST endpoint backed by a flow and executes GET or POST requests. |
TRESTActionThread | Executes a REST flow and reads X-UserNum from the request into the action. |
TvxActionMan | Represents flows. Stores REST endpoint settings, RESTAllowAnonymous, shell-action credentials, and the runtime UserNum. |
TvxHTTP | Shared outbound HTTP client wrapper with Basic, Bearer, OAuth, Windows, NTLM, proxy, and SSL handling. |
TvxOAuth2Authenticator | Implements OAuth authorization-code, client-credentials, password, refresh-token, and NetSuite JWT client assertion behavior. |
TvxEmail | Sends email through SMTP with SASL/OAuth and TLS settings loaded from General Setup. |
TvxTransport | Base transport class that stores encrypted transport passwords, SSL key passwords, certificate cache access, and generic TLS callback behavior. |
TvxTransportSFTP | Implements SFTP authentication and host-key validation/pinning. |
TvxDBCon | Stores database connection settings, encrypted passwords, and database certificate trust settings. |
TvxAzureSecretList | Variable provider that reads Azure Key Vault secrets through Microsoft OAuth client credentials. |
TvxSystemLog | Stores system, audit, debug-audit, and user activity log items. |
TvxEventLogger | Writes Windows Event Log entries and mirrors them into gSystemLog. |
Important Forms
| Form | Purpose |
|---|---|
TSetupGeneral (Forms/frmSetupGeneral.pas) | Edits General Setup, Velox API SSL settings, service users, service install/uninstall, SMTP/proxy/Azure credentials, and audit settings. |
TvxServicePassword (Forms/frmServicePassword.pas) | Collects and validates Windows service account credentials, checks Logon as a Service rights, and grants the right when needed. |
TfrmSSLSettings (Forms/frmSSLSettings.pas) | Edits SSL/TLS certificate paths, key password, verification flags, verify depth, TLS type, and SSL client type for setup or transport objects. |
TSetupDBCon (Forms/frmSetupDBCon.pas) | Edits database connections, including password and trust-certificate behavior. |
TvxUpdatePasswords (Forms/frmUpdatePasswords.pas) | Applies password update files to transports, SFTP private keys, SMTP password, and database connection passwords. |
TMain (Forms/frmMain.pas) | Enables service control actions based on elevation or configured service-user rights and logs Designer activity. |
TfrmAboutVelox (Forms/frmAboutVelox.pas) | Displays current Windows user, elevation state, and writable folder status. |
Important Services
| Service | Security-relevant behavior |
|---|---|
| Velox Service | Runs background scheduled flows, monitors, transports, IPC/service commands, and writes Windows Event Log plus system log entries. Service enable/disable and flow update events are audited. |
| Velox API Service | Hosts inbound REST endpoints through TIdHTTPWebBrokerBridge; dispatches requests to REST flows. API SSL settings exist in General Setup, but the reviewed service startup code does not show certificate/SSL handler wiring. |
| Velox Designer | Desktop application. Uses the current Windows user for display, audit, and service-control authorization checks. A Velox-specific login model was not found in the reviewed code. |
Important Configuration
| Configuration | Source |
|---|---|
SMTPPassword, SMTPOAuthClientId, SMTPOAuthTenant, SMTPAuthType | TvxSetup and General Setup UI |
SSLClientKeyPassword, root certificate, client key, client certificate, verify peer, verify depth, SSL/TLS type | TvxSetup, TvxTransport, and SSL Settings dialog |
AzureClientId, AzureSecret, AzureTenant, AzureKeyVault | TvxSetup and Azure Key Vault variable provider |
ProxyAuthType, proxy username/password/domain | TvxSetup and TvxHTTP proxy authentication |
VeloxAPIEnableSSL, VeloxAPICertificate | TvxSetup and General Setup UI |
ServiceUsers | TvxSetup, service DACL grant/revoke code, and Designer service-control enablement |
DetailedSystemAudit, EnableLogUserReporting | TvxSetup, General Setup UI, and TvxSystemLog |
Flow RESTAllowAnonymous | TvxActionMan, saved to VX_ACTION.RESTALLOWANON; enforcement was not found in the reviewed dispatch path |
DB connection password and TrustCertificate | TvxDBCon, vxDBConfig, vxSQLConnection, and DB connection setup UI |
| Transport password, private key, SSL client key password | TvxTransport and transport subclasses |
Security Architecture Overview
Velox security is split across several layers:
- Windows identity and elevation are used for Designer service administration.
- Windows service accounts are validated through Windows APIs and may be granted Logon as a Service.
- Service start/stop/query authorization is implemented through Windows service DACL updates.
- Inbound Velox API Service requests are dispatched to flows by endpoint. Centralized authentication or authorization enforcement was not found in the reviewed dispatch path.
- Outbound connections support several authentication methods, including Basic, Bearer, OAuth, Windows/SSPI, NTLM, SFTP private keys, and database-specific authentication types.
- Secrets are stored through Velox encrypted-property patterns or fetched from Azure Key Vault variables.
- Audit and diagnostic records are written through
TvxSystemLogandTvxEventLogger.
Authentication
Velox Designer Authentication
No Velox-specific Designer login system was found in the reviewed source code.
The Designer uses the current Windows user for:
- display in About/diagnostic UI;
- system-log messages such as Designer open/close;
- deciding whether service control buttons should be enabled when combined with service-user rights.
The About form displays current user and elevation state (Forms/frmAboutVelox.pas). Designer startup/shutdown logging includes GetUserNameExString and computer name (Forms/frmMain.pas:815, Forms/frmMain.pas:1706).
Windows Service Account Authentication
Service installation can be performed with a Windows account. The workflow is:
Implementation details:
TvxServicePasswordvalidates the supplied account usingLogonUser(Forms/frmServicePassword.pas:62).- It checks whether the account can log on as a service with
LogonUserAsService(Forms/frmServicePassword.pas:103). - If required, it grants the Logon as a Service right through
GrantLogonAsService(Forms/frmServicePassword.pas:118,Classes/Tools/vxShellLSA.pas:121). - Service install actions require the Designer process to be elevated (
Forms/frmSetupGeneral.pas:536,Forms/frmSetupGeneral.pas:572).
The service account password is used for Windows service installation/change operations. The reviewed setup save path does not show this password being stored as a General Setup property.
Service Control Authentication and Authorization
Designer service start/stop/restart controls are enabled only when one of these conditions is true:
- the Designer process is elevated; or
gSetup.ServiceUsersExists(GetUserNameExString)returns true.
Source locations:
- enable checks in
Forms/frmMain.pas:2126andForms/frmMain.pas:2151; TvxSetup.ServiceUsersExistsinClasses/vxSetup.pas:1097;- service-user grant/revoke in
Forms/frmSetupGeneral.pas:301,Forms/frmSetupGeneral.pas:497; - Windows service DACL changes in
Classes/Tools/vxService.pas:90andClasses/Tools/vxService.pas:209.
GrantServiceUserRights is called with SERVICE_START or SERVICE_STOP or SERVICE_QUERY_STATUS (Forms/frmSetupGeneral.pas:315 to Forms/frmSetupGeneral.pas:318). This gives configured service users limited operational control without making them administrators.
ServiceUsersExists compares the current Windows user against the configured service-user list and also tries username-only and .\username variants when a domain-qualified name is supplied. This means service-user matching is not a strict single-string comparison in all cases.
Velox API Service Inbound Authentication
The reviewed inbound API dispatch path does not show centralized authentication enforcement.
Source facts:
VeloxAPIServicecreates aTIdHTTPWebBrokerBridge, setsDefaultPort, and starts it (VeloxAPIService/classMain.pas:213,VeloxAPIService/classMain.pas:251,VeloxAPIService/classMain.pas:254).TvxRESTManager.ExecuteAPIForEndpointreadsRequest.InternalPathInfo, looks up an endpoint, and callslAPI.WebActionHandlerwhen found (Classes/Service/vxManagerREST.pas:561toClasses/Service/vxManagerREST.pas:594).TvxRESTItem.WebActionHandlerchecks whether the endpoint is enabled and dispatches GET or POST (Classes/Service/vxManagerREST.pas:109toClasses/Service/vxManagerREST.pas:130).RESTALLOWANONis stored and queried (Classes/vxActionMan.pas:2711,Classes/vxActionMan.pas:2767,Classes/Service/vxManagerREST.pas:487), but noRESTAllowAnonymouscheck was found in the reviewed active request dispatch path.TRESTActionThreadcopiesX-UserNumfrom the request intoFAction.UserNum(Classes/Service/vxActionThread.pas:671).TvxActionMan.SetUserNumwrites that value into local variableVeloxUserNum(Classes/vxActionMan.pas:2849toClasses/vxActionMan.pas:2852).- The script engine exposes a pointer variable named
UserNum(Classes/vxScripter.pas:1052,Classes/vxScripter.pas:1289).
The code comments say UserNum is "set by API to the usernum of authorised user" (Classes/vxActionMan.pas:643), but the reviewed code does not show how the header is authenticated or how the user is authorized before the flow executes.
When API debug output is enabled, the default endpoint includes the request Authorization header in generated HTML (Classes/Service/vxManagerREST.pas:522). This can expose bearer/basic credentials or tokens in debug responses.
Database Authentication
Velox database connections support these SQL authentication modes in TvxSQLAuthType (Classes/Tools/vxTypes.pas:201):
- Windows Authentication;
- SQL Server Authentication;
- Entra MFA;
- Entra Password;
- Entra Integrated;
- Entra Service Principal;
- Entra Managed Identity.
TvxDBCon.Password is encrypted using the shared Velox encrypted-property pattern (Classes/vxDBCon.pas:425, Classes/vxDBCon.pas:467). PasswordEncrypted allows encrypted password values to be set directly (Classes/vxDBCon.pas:126, Classes/vxDBCon.pas:433, Classes/vxDBCon.pas:475).
SQL Server certificate trust is represented by TvxDBCon.TrustCertificate (Classes/vxDBCon.pas:160). When enabled, SQL connection configuration adds TrustServerCertificate=True (Classes/Tools/vxDBConfig.pas:209, Classes/vxSQLConnection.pas:290).
Outbound HTTP Authentication
Velox supports these shared outbound HTTP authentication types in TvxAuthType (Classes/Tools/vxTypes.pas:207):
- None;
- Basic;
- Bearer Token;
- Microsoft OAuth;
- Google OAuth;
- Netsuite OAuth;
- Custom OAuth;
- Windows (SSPI);
- NTLM (OLD).
TvxHTTP configures authentication handlers through ConfigureAuthentication, HTTPSelectAuthorization, and HTTPAuthorization (Classes/Tools/vxHTTP.pas:365, Classes/Tools/vxHTTP.pas:514, Classes/Tools/vxHTTP.pas:545). OAuth flows are delegated to TvxOAuth2Authenticator (Classes/Tools/vxHTTP.pas:406, Classes/Tools/vxHTTP.pas:414).
Proxy authentication is handled separately from target-server authentication using General Setup proxy values (Classes/Tools/vxHTTP.pas:741).
OAuth Authentication
TvxOAuth2Authenticator implements:
- authorization-code flow;
- client-credentials flow;
- password grant;
- refresh-token grant;
- NetSuite JWT client assertion.
Source locations:
- configuration in
Classes/Tools/vxOAuth.pas:76; - authorization selection in
Classes/Tools/vxOAuth.pas:123; - NetSuite JWT creation in
Classes/Tools/vxOAuth.pas:207; - client credentials in
Classes/Tools/vxOAuth.pas:235; - password grant in
Classes/Tools/vxOAuth.pas:301; - refresh token in
Classes/Tools/vxOAuth.pas:350; - bearer header construction in
Classes/Tools/vxOAuth.pas:492.
When ClientSecret is blank during configuration, the code uses the password value as the client secret (Classes/Tools/vxOAuth.pas:79 to Classes/Tools/vxOAuth.pas:82). OAuth access and refresh tokens are held in authenticator object fields. Persistent token storage was not found in the reviewed code.
Email Authentication
SMTP authentication is configured from General Setup through TvxEmail:
- no authentication;
- SASL authentication using
SASLProviders; - OAuth access-token callbacks for OAuth SASL mechanisms.
Source locations:
- SMTP auth selection in
Classes/Tools/vxEmail.pas:303; - SASL mechanism creation in
Classes/Tools/vxEmail.pas:309; - OAuth token callback setup in
Classes/Tools/vxEmail.pas:317; - OAuth authenticator configuration in
Classes/Tools/vxEmail.pas:318; - token retrieval in
Classes/Tools/vxEmail.pas:358.
POP and IMAP transports also support SASL/OAuth behavior (Classes/Transports/vxTransportPOP.pas:330, Classes/Transports/vxTransportIMAP.pas:671).
Transport Authentication
Transport authentication varies by transport type:
- FTP uses Basic credentials when
AuthType = fatBasic; otherwise it sets anonymous credentials (Classes/Transports/vxTransportFTP.pas:230). - HTTP transport mirrors the shared HTTP auth model and performs OAuth token acquisition (
Classes/Transports/vxTransportHTTP.pas:124,Classes/Transports/vxTransportHTTP.pas:250,Classes/Transports/vxTransportHTTP.pas:279). - POP and IMAP can use Basic or SASL/OAuth (
Classes/Transports/vxTransportPOP.pas:330,Classes/Transports/vxTransportIMAP.pas:671). - SFTP supports password and private-key authentication (
Classes/Tools/vxTypes.pas:215,Classes/Transports/vxTransportSFTP.pas:372). - MSMQ exposes an
Authenticatesetting and, when true, usesMQMSG_AUTH_LEVEL_ALWAYSin the transport implementation.
Shell Action Authentication
Shell action execution can run with configured credentials in background or non-main-thread execution:
TvxActionManstoresFUserPassencrypted and decrypts it throughGetUserPass(Classes/vxActionMan.pas:3372,Classes/vxActionMan.pas:3374).- Shell execution calls
LogonUserwhen username/password are supplied (Classes/vxActionMan.pas:3296,Classes/vxActionMan.pas:3299). - The code uses Windows impersonation before launching the configured command (
Classes/vxActionMan.pas:3338,Classes/Tools/vxShell.pas:561,Classes/Tools/vxShell.pas:602).
Authorization
Implemented Authorization
The clearest authorization model in the reviewed source is Windows service administration:
- elevated Designer users can install/uninstall services and edit service users;
- non-elevated users can start/stop/restart services only when they are configured service users and the Windows service DACL has been granted the relevant rights;
- configured service users receive start, stop, and query-status rights on the Velox service and API service.
Service install/uninstall actions require elevation. Add/remove service-user operations also require elevation (Forms/frmSetupGeneral.pas:334, Forms/frmSetupGeneral.pas:497, Forms/frmSetupGeneral.pas:536, Forms/frmSetupGeneral.pas:572, Forms/frmSetupGeneral.pas:609, Forms/frmSetupGeneral.pas:626).
Authorization Not Found or Unclear
The reviewed code does not show:
- a Velox Designer role/permission system;
- a central API authorization check before an API-backed flow runs;
- validation that
X-UserNumbelongs to an authenticated API caller; - enforcement of
RESTAllowAnonymousin the active API dispatch path; - module-level authorization beyond the current Windows/elevation checks used for service administration.
Individual scripts or flows may implement their own authorization logic, but that cannot be asserted from the shared framework code reviewed here.
Permissions
Windows Privileges and Service Rights
Velox relies on Windows for service-level permissions:
IsProcessElevatedchecks whether the current process is elevated (Classes/Tools/vxService.pas:71).- service-user rights are granted and revoked by editing service DACLs (
Classes/Tools/vxService.pas:90,Classes/Tools/vxService.pas:209); - service account changes use Windows service APIs (
Classes/Tools/vxService.pas:307); - Logon as a Service is granted through LSA (
Classes/Tools/vxShellLSA.pas:121).
File System Permissions
Velox creates and uses app-data folders, user-data folders, process folders, log folders, and certificate folders. Certificate paths are exposed through:
AppDataCertificatePath(Classes/Tools/vxConfigPath.pas:331);AppDataPrivateCertPath(Classes/Tools/vxConfigPath.pas:336);AppDataPublicCertPath(Classes/Tools/vxConfigPath.pas:341).
The About dialog checks whether configured folders are writable. Runtime code logs explicit errors when process folders cannot be created and tells the user to check the permissions of the Windows account running Velox.
For stability, the Windows service account must have access to:
- Velox configuration database;
- user data/database targets;
- configured transport file paths;
- process folders;
- app-data/log folders;
- certificate cache folders;
- any network shares used by flows, transports, shell actions, or file processing.
The exact required NTFS/share permissions depend on each configured flow and transport.
Encryption
Reversible Encryption Implementation
Velox reversible string encryption is implemented in Classes/Tools/vxEncryption.pas.
Source facts:
EncryptStringreturns blank when plaintext is blank and otherwise delegates toTvxEncryption(Classes/Tools/vxEncryption.pas:83).DecryptStringreturns blank when ciphertext is blank and otherwise delegates toTvxEncryption(Classes/Tools/vxEncryption.pas:100).TvxEncryptionsets LockBox block cipher id tonative.AES-256(Classes/Tools/vxEncryption.pas:130).- It uses CBC chain mode (
Classes/Tools/vxEncryption.pas:131). - The codec password is assembled from static code/config parts:
Part3 + EncryptionPart1 + EncryptionPart2 + 'F#k8'(Classes/Tools/vxEncryption.pas:135). TvxHashuses SHA-384 (Classes/Tools/vxEncryption.pas:199).
No DPAPI, per-machine key, per-install key, or user-specific key derivation was found in this encryption implementation. Encrypted values are therefore reversible by Velox code that has access to the shared application key material.
Encrypted Property Pattern
Several classes use the same pattern:
- when a component is being written, the getter returns the encrypted stored value;
- during normal runtime access, the getter returns the decrypted value;
- during component loading/reading, setters accept the stored encrypted value;
- during normal editing, setters encrypt incoming plaintext.
This pattern appears in:
TvxSetupfor SMTP password, SSL client-key password, Azure client id, Azure secret, and proxy password (Classes/vxSetup.pas:431,Classes/vxSetup.pas:455,Classes/vxSetup.pas:667,Classes/vxSetup.pas:675,Classes/vxSetup.pas:821,Classes/vxSetup.pas:847,Classes/vxSetup.pas:937,Classes/vxSetup.pas:961,Classes/vxSetup.pas:1136,Classes/vxSetup.pas:1144);TvxDBCon.PasswordandPasswordEncrypted(Classes/vxDBCon.pas:425,Classes/vxDBCon.pas:433,Classes/vxDBCon.pas:467,Classes/vxDBCon.pas:475);TvxDBParams.Password(Classes/vxDBParams.pas:74,Classes/vxDBParams.pas:79);TvxTransport.PasswordandTvxTransport.SSLClientKeyPassword(Classes/Transports/vxTransport.pas:1134,Classes/Transports/vxTransport.pas:1157,Classes/Transports/vxTransport.pas:1292,Classes/Transports/vxTransport.pas:1308);- shell action user password (
Classes/vxActionMan.pas:3372,Classes/vxActionMan.pas:3374); - encrypted variables (
Classes/vxVariables.pas:332,Classes/vxVariables.pas:470).
Secrets
Stored Secrets
| Secret | Storage/handling |
|---|---|
| SMTP password | TvxSetup.SMTPPassword; encrypted property pattern. |
| SMTP OAuth client id/tenant | Stored in General Setup. Encryption for these fields was not identified in the reviewed code. |
| SMTP OAuth secret/password | Reuses SMTPPassword in email OAuth setup. |
| Proxy password | TvxSetup.ProxyPassword; encrypted property pattern. |
| Azure client id | TvxSetup.AzureClientId; encrypted property pattern. |
| Azure secret | TvxSetup.AzureSecret; encrypted property pattern. |
| Database password | TvxDBCon.Password; encrypted property pattern. |
| DB params JSON password | TvxDBParams.Password; decrypted in getter. |
| Transport password | TvxTransport.Password; encrypted property pattern. |
| Transport SSL client-key password | TvxTransport.SSLClientKeyPassword; encrypted property pattern. |
| SFTP private key name/file | Stored as transport configuration and resolved against the private certificate cache. |
| Shell action password | TvxActionMan.FUserPass; encrypted property pattern. |
| Encrypted variables | TvxVariable.Encrypted controls encrypt/decrypt behavior for variable values. |
| OAuth access/refresh tokens | Stored in authenticator object fields at runtime; persistent secure token storage was not found. |
| Azure Key Vault secrets | Retrieved at runtime through TvxAzureSecretList; returned value comes from Azure Key Vault JSON field value. |
Azure Key Vault
Azure Key Vault integration is implemented as a variable-list provider:
Source facts:
- default vault name is read from
gSetup.AzureKeyVault(Classes/Tools/vxAzure.pas:29,Classes/Tools/vxAzure.pas:37); - secret codes are split into vault and field names (
Classes/Tools/vxAzure.pas:46toClasses/Tools/vxAzure.pas:57); - Microsoft OAuth is configured with setup Azure credentials and scope
https://vault.azure.net/.default(Classes/Tools/vxAzure.pas:66toClasses/Tools/vxAzure.pas:69); - secret retrieval calls
https://<vault>.vault.azure.net/secrets/<field>?api-version=7.4(Classes/Tools/vxAzure.pas:76); - the returned JSON
valueis used as the variable value (Classes/Tools/vxAzure.pas:83).
The code comment says GetValue is "only called once when variable is created" (Classes/Tools/vxAzure.pas:52 to Classes/Tools/vxAzure.pas:53). Broader caching or refresh behavior was not determined from the reviewed code.
Password Update File
TvxUpdatePasswords updates stored credentials from a selected password update file:
- transport passwords and SFTP private keys;
- General Setup SMTP password;
- database connection passwords.
Source locations include Forms/frmUpdatePasswords.pas:51, Forms/frmUpdatePasswords.pas:131, Forms/frmUpdatePasswords.pas:166, Forms/frmUpdatePasswords.pas:195, and Forms/frmUpdatePasswords.pas:201. The form also links to AppDataDataPath + 'VeloxPasswords.txt' (Forms/frmUpdatePasswords.pas:220).
The file format and operational controls around that file should be documented separately if the file is used in production operations.
Secret Exposure Considerations Visible in Code
The following behaviors are visible in code and should be considered when troubleshooting or extending security-sensitive areas:
- API debug HTML can include
Request.Authorization(Classes/Service/vxManagerREST.pas:522). - OAuth secrets and access tokens are present in process memory while requests are being authorized.
- Encrypted persisted values are reversible by Velox code because the encryption key material is in application code/config.
- HTTP/email transport debug or intercept logging may include request or response details depending on configuration. See Logging Reference.
Certificates and TLS
TLS and SSL Configuration Types
Velox defines TLS and SSL client options in Classes/Tools/vxTypes.pas:
TvxTLSType: No TLS, implicit SSL/TLS, Require TLS, Explicit TLS/STARTTLS (Classes/Tools/vxTypes.pas:191).TvxSSLClientType: None, Auto, TLS v1.3, TLS v1.2, TLS v1.1, TLS v1, SSL v3, and old aliases (Classes/Tools/vxTypes.pas:196).
IndySSLTypeArray maps fstTLS13 to sslvTLSv1_2 in the reviewed code (Classes/Tools/vxTypes.pas:198). Therefore, the presence of a "TLS v1.3" UI/configuration value does not prove TLS 1.3 is used by the Indy SSL handler path.
SSL Settings Dialog
TfrmSSLSettings edits SSL settings for either General Setup or a transport:
- root certificate;
- client key;
- client key password;
- client certificate;
- verify peer;
- no peer certificate;
- verify peer once;
- verify depth;
- SSL client type;
- TLS type.
Source file: Forms/frmSSLSettings.pas.
Certificate Cache
Velox keeps certificate and key material under app-data certificate folders:
- certificate root:
AppDataCertificatePath(Classes/Tools/vxConfigPath.pas:331); - private certificate/key path:
AppDataPrivateCertPath(Classes/Tools/vxConfigPath.pas:336); - public certificate/key path:
AppDataPublicCertPath(Classes/Tools/vxConfigPath.pas:341).
TvxTransport creates SecureBridge file storage objects for public and private key folders (Classes/Transports/vxTransport.pas:369, Classes/Transports/vxTransport.pas:372).
Private Key Creation and Import
TvxTransport.CreatePrivateKey creates private/public key material and exports public key files to the public cache (Classes/Transports/vxTransport.pas:568, Classes/Transports/vxTransport.pas:594, Classes/Transports/vxTransport.pas:596, Classes/Transports/vxTransport.pas:600). SelectFolder imports private key files into the private certificate cache (Classes/Transports/vxTransport.pas:1219). DeletePrivateKey removes stored private keys and attempts to delete related public key files (Classes/Transports/vxTransport.pas:391).
Exact cryptographic algorithm selection inside key generation depends on transport settings and SecureBridge behavior. The reviewed code shows RSA and EC generation paths, but a complete operational matrix is outside this document.
API Service SSL Configuration
General Setup contains Velox API SSL settings:
VeloxAPIEnableSSL(Classes/vxSetup.pas:259);VeloxAPICertificate(Classes/vxSetup.pas:260);- UI controls in
Forms/frmSetupGeneral.pas:139andForms/frmSetupGeneral.pas:141; - load/save in
Forms/frmSetupGeneral.pas:942,Forms/frmSetupGeneral.pas:943,Forms/frmSetupGeneral.pas:1035, andForms/frmSetupGeneral.pas:1036.
TvxSetup.GetVeloxAPIURL appears to build an HTTPS URL when SSL is enabled (Classes/vxSetup.pas:542 to Classes/vxSetup.pas:545). However, GetRESTActionURL always returns http:// (Classes/Tools/vxREST.pas:12 to Classes/Tools/vxREST.pas:14), and the reviewed VeloxAPIService startup code starts TIdHTTPWebBrokerBridge without showing SSL IOHandler/certificate wiring (VeloxAPIService/classMain.pas:213, VeloxAPIService/classMain.pas:251, VeloxAPIService/classMain.pas:254).
Therefore, API SSL configuration exists, but active API-service TLS enforcement could not be confirmed from the reviewed code.
Peer Verification Behavior
The generic Indy SSL peer-verification callbacks reviewed here return True regardless of the AOk input:
TvxHTTP.SSLHandlerVerifyPeerreturnsTrue(Classes/Tools/vxHTTP.pas:640toClasses/Tools/vxHTTP.pas:642);TvxEmail.SSLHandlerVerifyPeerreturnsTrue(Classes/Tools/vxEmail.pas:785toClasses/Tools/vxEmail.pas:787);TvxTransport.SSLHandlerVerifyPeerreturnsTrue(Classes/Transports/vxTransport.pas:887toClasses/Transports/vxTransport.pas:889).
Email and transport settings still configure certificate files, verify mode, and TLS behavior, but these callbacks mean the reviewed generic peer-validation result is not rejected in those callback methods.
TvxEmail.SSLHandlerGetPassword returns an empty string (Classes/Tools/vxEmail.pas:780 to Classes/Tools/vxEmail.pas:782). TvxTransport.SSLHandlerGetPassword returns the configured SSLClientKeyPassword (Classes/Transports/vxTransport.pas:882 to Classes/Transports/vxTransport.pas:884).
SFTP Host-Key Validation
SFTP uses a separate SecureBridge host-key validation model:
- the server key fingerprint is calculated with MD5 (
Classes/Transports/vxTransportSFTP.pas:442); - if a stored public key for the host exists, the fingerprint must match or the connection is rejected (
Classes/Transports/vxTransportSFTP.pas:444toClasses/Transports/vxTransportSFTP.pas:456); - if the stored key cannot be loaded, the connection is rejected (
Classes/Transports/vxTransportSFTP.pas:459toClasses/Transports/vxTransportSFTP.pas:460); - if no key exists and the code is running in the background or outside the main thread, the connection is rejected (
Classes/Transports/vxTransportSFTP.pas:464toClasses/Transports/vxTransportSFTP.pas:467); - if no key exists in interactive Designer context, the user is prompted and the accepted key is saved to public key storage (
Classes/Transports/vxTransportSFTP.pas:470toClasses/Transports/vxTransportSFTP.pas:480).
This is the clearest certificate/key trust enforcement path found in reviewed transport code.
Database Certificate Trust
Database connections expose TrustCertificate (Classes/vxDBCon.pas:160). For SQL Server configuration paths reviewed here, this adds TrustServerCertificate=True to the custom connection string (Classes/Tools/vxDBConfig.pas:209, Classes/vxSQLConnection.pas:290).
The business reason for enabling trust-certificate mode is not encoded in the code. Treat it as a connection-specific runtime setting.
Audit Logging
Logging Architecture
Security-relevant audit logging is performed through TvxSystemLog and TvxEventLogger.
TvxSystemLog supports:
LogAudit;LogAuditDebug;LogUser;MessageLog;- save/finalise lifecycle functions.
Source locations:
- class definition in
Classes/vxModule.pas:809; - lifecycle functions in
Classes/vxModule.pas:855,Classes/vxModule.pas:860,Classes/vxModule.pas:877; - setup-controlled audit state in
Classes/vxModule.pas:4817; LogAuditinClasses/vxModule.pas:4846;LogAuditDebuginClasses/vxModule.pas:4853;LogUserinClasses/vxModule.pas:4860;MessageLogoverride inClasses/vxModule.pas:4867.
TvxEventLogger.LogMessage writes Windows Event Log entries and also writes to gSystemLog.MessageLog with mapped levels (Classes/Tools/vxEventLogger.pas:129, Classes/Tools/vxEventLogger.pas:165 to Classes/Tools/vxEventLogger.pas:168).
Detailed System Audit
DetailedSystemAudit is loaded from setup when the system log is saved (Classes/vxModule.pas:4817 to Classes/vxModule.pas:4824). LogAudit only writes when FDetailedSystemAudit is true (Classes/vxModule.pas:4846 to Classes/vxModule.pas:4850). LogAuditDebug also requires Designer mode or debug mode (Classes/vxModule.pas:4853 to Classes/vxModule.pas:4857).
TvxSetup defaults FDetailedSystemAudit to true (Classes/vxSetup.pas:395) and exposes it in General Setup (Forms/frmSetupGeneral.pas:969, Forms/frmSetupGeneral.pas:1065).
User Activity Logging
Designer/module activity is logged through gSystemLog.LogUser:
- module created/opened in
Classes/GUI/vxModuleManager.pas:152,Classes/GUI/vxModuleManager.pas:156,Classes/GUI/vxModuleManager.pas:186, andClasses/GUI/vxModuleManager.pas:190; - form opened in
Classes/GUI/vxFormManager.pas:383,Classes/GUI/vxFormManager.pas:435, andClasses/GUI/vxFormManager.pas:463; - module created/saved/deleted in
Classes/vxModule.pas:1795,Classes/vxModule.pas:1860, andClasses/vxModule.pas:2020; - Designer open/close in
Forms/frmMain.pas:815andForms/frmMain.pas:1706.
EnableLogUserReporting exists in setup and UI (Classes/vxSetup.pas:278, Forms/frmSetupGeneral.pas:966, Forms/frmSetupGeneral.pas:1062). In the reviewed TvxSystemLog.LogUser implementation, logging is gated by Designer state rather than by EnableLogUserReporting (Classes/vxModule.pas:4860 to Classes/vxModule.pas:4864). The exact intended runtime effect of EnableLogUserReporting is unclear from the reviewed code.
Service Audit Logging
The Velox Service logs operational audit events, including:
- outbound transport updated (
VeloxService/classMain.pas:518); - flow updated (
VeloxService/classMain.pas:522); - outbound transport enabled/disabled (
VeloxService/classMain.pas:553,VeloxService/classMain.pas:583); - flow enabled/disabled (
VeloxService/classMain.pas:557,VeloxService/classMain.pas:587); - service enabled/disabled (
VeloxService/classMain.pas:606,VeloxService/classMain.pas:623); - flow requested to end (
VeloxService/classMain.pas:660).
Service startup, shutdown, install, uninstall, error, and runtime status messages are also written through gEventLogger.LogMessage throughout VeloxService/classMain.pas.
High-Level Security Data Flow
Known Unclear Areas and Security Gaps
These items are based only on reviewed source code. They should be verified before changing security-sensitive behavior.
| Area | What is unclear or concerning | Evidence |
|---|---|---|
| Designer authentication | No Velox-specific Designer login or role model was found. | Designer uses current Windows user in About/logging/service-control checks. |
| Inbound API authentication | No centralized API authentication enforcement was found before flow execution. | ExecuteAPIForEndpoint looks up endpoint and calls WebActionHandler; no auth check found in that path. |
RESTAllowAnonymous | Stored and queried, but active enforcement was not found in reviewed API dispatch. | RESTALLOWANON persistence in TvxActionMan; dispatch path in vxManagerREST. |
X-UserNum trust | X-UserNum is copied from the request into the action, but validation of that header was not found. | Classes/Service/vxActionThread.pas:671; Classes/vxActionMan.pas:2849. |
| API SSL | API SSL settings exist, but reviewed API service startup does not show SSL handler/certificate setup. | TvxSetup.VeloxAPIEnableSSL, VeloxAPICertificate; VeloxAPIService/classMain.pas:213, :251, :254. |
| API default debug output | Authorization header can appear in debug HTML. | Classes/Service/vxManagerREST.pas:522. |
| TLS peer verification | Generic HTTP, email, and base transport verify callbacks return True regardless of AOk. | vxHTTP.pas:640, vxEmail.pas:785, vxTransport.pas:887. |
| TLS 1.3 configuration | fstTLS13 maps to sslvTLSv1_2 in the reviewed Indy mapping. | Classes/Tools/vxTypes.pas:196 to Classes/Tools/vxTypes.pas:198. |
| Reversible encryption keying | Secret encryption uses static application key material assembled in code/config; no DPAPI or per-install key was found. | Classes/Tools/vxEncryption.pas:130 to Classes/Tools/vxEncryption.pas:135. |
| OAuth token storage | Runtime token fields are visible, but persistent token storage was not found. | TvxOAuth2Authenticator source. |
| Azure secret refresh | Code comment says Azure variable value is called once when variable is created; broader refresh behavior is unclear. | Classes/Tools/vxAzure.pas:52 to Classes/Tools/vxAzure.pas:53. |
EnableLogUserReporting | Setting exists, but direct gating in TvxSystemLog.LogUser was not found. | TvxSetup.EnableLogUserReporting; Classes/vxModule.pas:4860. |