
Don't forget to ⭐ this repo if you like immudb!
:tada: 157M pulls from docker hub!
Detailed documentation can be found at https://docs.immudb.io/

immudb is a database with built-in cryptographic proof and verification. It tracks changes in sensitive data and the integrity of the history will be protected by the clients, without the need to trust the database. It can operate as a key-value store, as a document model database, and/or as relational database (SQL).
Traditional database transactions and logs are mutable, and therefore there is no way to know for sure if your data has been compromised. immudb is immutable. You can add new versions of existing records, but never change or delete records. This lets you store critical data without fear of it being tampered.
Data stored in immudb is cryptographically coherent and verifiable. Unlike blockchains, immudb can handle millions of transactions per second, and can be used both as a lightweight service or embedded in your application as a library. immudb runs everywhere, on an IoT device, your notebook, a server, on-premise or in the cloud.
When used as a relational data database, it supports both transactions and blobs, so there are no limits to the use cases. Developers and organizations use immudb to secure and tamper-evident log data, sensor data, sensitive data, transactions, software build recipes, rule-base data, artifacts and even video streams. Examples of organizations using immudb today.
You may download the immudb binary from the latest releases on Github. Once you have downloaded immudb, rename it to immudb, make sure to mark it as executable, then run it. The following example shows how to obtain v1.9.5 for linux amd64:
wget https://github.com/codenotary/immudb/releases/download/v1.9.5/immudb-v1.9.5-linux-amd64
mv immudb-v1.9.5-linux-amd64 immudb
chmod +x immudb
# run immudb in the foreground to see all output
./immudb
# or run immudb in the background
./immudb -d
Use Docker to run immudb in a ready-to-use container:
docker run -d --net host -it --rm --name immudb codenotary/immudb:latest
If you are running the Docker image without host networking, make sure to expose ports 3322 and 9497.
In kubernetes, use helm for an easy deployment: just add our repository and install immudb with these simple commands:
helm repo add immudb https://packages.codenotary.org/helm
helm repo update
helm install immudb/immudb --generate-name
Immudb helm chart creates a persistent volume for storing immudb database. Those database are now by default placed in a subdirectory.
That's for compatibility with ext4 volumes that have a /lost+found directory that can confuse immudb. Some volume providers,
like EBS or DigitalOcean, are using this kind of volumes. If we placed database directory on the root of the volume,
that /lost+found would be treated as a database. So we now create a subpath (usually immudb) subpath for storing that.
This is different from what we did on older (<=1.3.1) helm charts, so if you have already some volumes with data you can set
value volumeSubPath to false (i.e.: --set volumeSubPath.enabled=false) when upgrading so that the old way is used.
You can alternatively migrate the data in a /immudb directory. You can use this pod as a reference for the job:
apiVersion: v1
kind: Pod
metadata:
name: migrator
spec:
volumes:
- name: "vol0"
persistentVolumeClaim:
claimName: <your-claim-name-here>
containers:
- name: migrator
image: busybox
volumeMounts:
- mountPath: "/data"
name: "vol0"
command:
- sh
- -c
- |
mkdir -p /data/immudb
ls /data | grep -v -E 'immudb|lost\+found'|while read i; do mv /data/$i /data/immudb/$i; done
As said before, you can totally disable the use of subPath by setting volumeSubPath.enabled=false.
You can also tune the subfolder path using volumeSubPath.path value, if you prefer your data on a
different directory than the default immudb.
immudb can store its data in the Amazon S3 service (or a compatible alternative). The following example shows how to run immudb with the S3 storage enabled:
export IMMUDB_S3_STORAGE=true
export IMMUDB_S3_ACCESS_KEY_ID=<S3 ACCESS KEY ID>
export IMMUDB_S3_SECRET_KEY=<SECRET KEY>
export IMMUDB_S3_BUCKET_NAME=<BUCKET NAME>
export IMMUDB_S3_LOCATION=<AWS S3 REGION>
export IMMUDB_S3_PATH_PREFIX=testing-001
export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCATION}.amazonaws.com"
./immudb
When working with the external storage, you can enable the option for the remote storage to be the primary source of identifier. This way, if immudb is run using ephemeral disks, such as with AWS ECS Fargate, the identifier can be taken from S3. To enable that, use:
export IMMUDB_S3_EXTERNAL_IDENTIFIER=true
You can also use the role-based credentials for more flexible and secure configuration. This allows the service to be used with instance role configuration without a user entity. The following example shows how to run immudb with the S3 storage enabled using AWS Roles:
export IMMUDB_S3_STORAGE=true
export IMMUDB_S3_ROLE_ENABLED=true
export IMMUDB_S3_BUCKET_NAME=<BUCKET NAME>
export IMMUDB_S3_LOCATION=<AWS S3 REGION>
export IMMUDB_S3_PATH_PREFIX=testing-001
export IMMUDB_S3_ENDPOINT="https://${IMMUDB_S3_BUCKET_NAME}.s3.${IMMUDB_S3_LOCATION}.amazonaws.com"
./immudb
If using Fargate, the credentials URL can be sourced automatically:
export IMMUDB_S3_USE_FARGATE_CREDENTIALS=true
Optionally, you can specify the exact role immudb should be using with:
export IMMUDB_S3_ROLE=<AWS S3 ACCESS ROLE NAME>
Remember, the IMMUDB_S3_ROLE_ENABLED parameter still should be on.
You can also easily use immudb with compatible s3 alternatives such as the minio server:
export IMMUDB_S3_ACCESS_KEY_ID=minioadmin
export IMMUDB_S3_SECRET_KEY=minioadmin
export IMMUDB_S3_STORAGE=true
export IMMUDB_S3_BUCKET_NAME=immudb-bucket
export IMMUDB_S3_PATH_PREFIX=testing-001
export IMMUDB_S3_ENDPOINT="http://localhost:9000"
# Note: This spawns a temporary minio server without data persistence
docker run -d -p 9000:9000 minio/minio server /data
# Create the bucket - this can also be done through web console at http://localhost:9000
docker run --net=host -it --entrypoint /bin/sh minio/mc -c "
mc alias set local http://localhost:9000 minioadmin minioadmin &&
mc mb local/${IMMUDB_S3_BUCKET_NAME}
"
# Run immudb instance
./immudb
You may download the immuclient binary from the latest releases on Github. Once you have downloaded immuclient, rename it to immuclient, make sure to mark it as executable, then run it. The following example shows how to obtain v1.5.0 for linux amd64:
wget https://github.com/codenotary/immudb/releases/download/v1.5.0/immuclient-v1.5.0-linux-amd64
mv immuclient-v1.5.0-linux-amd64 immuclient
chmod +x immuclient
# start the interactive shell
./immuclient
# or use commands directly
./immuclient help
Or just use Docker to run immuclient in a ready-to-use container. Nice and simple.
docker run -it --rm --net host --name immuclient codenotary/immuclient:latest
Structured Audit Logging
immudb now supports immutable, structured audit logging of all server operations. When enabled, every gRPC operation is recorded as a JSON audit event stored in immudb's own tamper-proof KV store under the audit: key prefix.
Enable audit logging:
# Log all operations
./immudb --audit-log
# Log only write, admin, auth, and system operations (exclude reads)
./immudb --audit-log --audit-log-events=write
# Log only admin, auth, and system operations
./immudb --audit-log --audit-log-events=admin
Each audit event captures:
| Field | Description |
|---|---|
ts |
Nanosecond timestamp |
user |
Authenticated username |
ip |
Client IP address |
db |
Target database |
method |
gRPC method name |
type |
Event category: AUTH, ADMIN, WRITE, READ, SYSTEM |
ok |
Whether the operation succeeded |
err |
Error message (if failed) |
dur_ms |
Operation duration in milliseconds |
sid |
Session ID |
Audit events are written asynchronously to avoid impacting request latency. They can be queried using the standard Scan API with prefix audit: and verified with VerifiableGet for tamper-proof compliance evidence. Events are stored as JSON, ready for export to external SIEM systems (Splunk, ELK, etc.).
DIFF OF SQL Query
immudb now supports comparing table state between two points in time using the new DIFF OF SQL syntax:
SELECT _diff_action, id, title, active FROM (DIFF OF mytable) SINCE TX 100 UNTIL TX 200
The _diff_action column indicates whether each row was an INSERT, UPDATE, or DELETE within the specified transaction range. Both SINCE/AFTER and UNTIL/BEFORE period specifiers are supported. Standard WHERE clauses can be applied to filter results.
PostgreSQL SQL Compatibility
immudb's PostgreSQL wire protocol server now supports a comprehensive set of SQL features for ORM and tool compatibility. Connect with any PostgreSQL client (psql, pgAdmin, JDBC, SQLAlchemy, Django, GORM, ActiveRecord) and use standard SQL.
RETURNING clause for INSERT, UPDATE, and DELETE:
INSERT INTO users (name) VALUES ('Alice') RETURNING id, name;
UPDATE users SET name = 'Bob' WHERE id = 1 RETURNING *;
DELETE FROM users WHERE id = 1 RETURNING *;
Common Table Expressions (WITH / WITH RECURSIVE):
WITH RECURSIVE tree AS (
SELECT id, name FROM nodes WHERE parent_id = 0
UNION ALL
SELECT n.id, n.name FROM nodes n INNER JOIN tree t ON n.parent_id = t.id
)
SELECT * FROM tree;
Window functions:
SELECT name, dept,
ROW_NUMBER() OVER (PARTITION BY dept ORDER BY salary DESC) rank,
SUM(salary) OVER (PARTITION BY dept) dept_total,
LAG(salary) OVER (ORDER BY salary) prev_salary
FROM employees;
Supported window functions: ROW_NUMBER, RANK, DENSE_RANK, LAG, LEAD, FIRST_VALUE, LAST_VALUE, NTILE, and window aggregates (COUNT, SUM, MIN, MAX, AVG).
Views and Sequences:
CREATE VIEW active_users AS SELECT * FROM users WHERE active = true;
CREATE SEQUENCE order_seq;
SELECT NEXTVAL('order_seq');
Full SQL feature set:
| Category | Features |
|---|---|
| Joins | INNER, LEFT, RIGHT, CROSS, FULL OUTER, NATURAL, USING |
| Subqueries | EXISTS, IN, NOT EXISTS, NOT IN (correlated and non-correlated) |
| Set operations | UNION, UNION ALL, EXCEPT, INTERSECT |
| DML | INSERT...ON CONFLICT DO UPDATE, INSERT/UPDATE/DELETE...RETURNING |
| DDL | CREATE/DROP VIEW, CREATE/DROP SEQUENCE, ALTER COLUMN, FOREIGN KEY |
| Ordering | ORDER BY with NULLS FIRST/LAST, LIMIT ALL |
| Pattern matching | LIKE, ILIKE (case-insensitive) -- standard SQL wildcards (% and _) |
| Query analysis | EXPLAIN |
| Aggregates | COUNT, SUM, MIN, MAX, AVG, COUNT(D |
$ claude mcp add immudb \
-- python -m otcore.mcp_server <graph>