Security Overview

    Security is a process and Couchbase Capella strives to achieve the best ways to protect your data, from Zero Trust, through adaptive access, to centralized management and proactive monitoring. Best practices in the way you work with Capella will further protect you from malicious attacks.

    This page groups together listings of some of the many features of Capella security architecture with links to places in the docs where you have a chance to apply good practice to your Couchbase instance.

    Security Highlights

    All communication is encrypted using TLS 1.2 or higher. This cannot be turned off.

    Encryption at Rest

    Couchbase Capella automatically uses the underlying Cloud Provider’s Key Management System — KMS for AWS and Cloud Key Management Service for GCP.

    If you’re still using Couchbase Server 6.6 hosted in your own Cloud provider’s VPC, this list also includes Key Vault for Azure. It does not include GCP.

    Couchbase Capella uses customer master keys that are 256-bit Advanced Encryption Standard (AES) symmetric keys and are not exportable. AES-256, which has a key length of 256 bits, supports the largest bit size and is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard. A new key is created for each cluster/database.

    Customer master keys use hardware security modules (HSMs) that have been validated under FIPS 140-2.

    Access Management

    Capella is built upon Couchbase’s sophisticated Role-Based Access Control, with Couchbase Managed Cloud offering further refinements.

    Organization and Project Overview: Couchbase Capella is organized into organizations and projects, each of which has its own user roles.

    Allowed IPs: Limit both the IP addresses that can access your data, and the period for which they have access.

    Database Credentials: Provide programmatic and application-level access to data on a cluster.


    Please note that five failed attempts at logging in a user will result in that account being locked for five minutes.

    Applying Best Practice

    Make sure to familiarize yourself with our Access Management (RBAC), to ensure your applications take advantage of the Least Privileges and Separation of Duties that we offer.

    We strongly recommend enabling Multi-Factor Authentication (MFA) to authenticate against Capella — adding a strong layer of protection against many common attacks.


    Couchbase Capella will manage the infrastructure lifecycle for you, upgrading the Couchbase Cluster with a new version of Couchbase Server, and communicating the release cycle and policy with you. Customers should update the Couchbase SDK that they use in their applications to the latest patched version, and validate after upgrading.

    Monitoring & Alerts

    Couchbase Capella provides a performance metrics dashboard. The customer reviews the metrics and is responsible for scaling the cluster to accommodate changes in workload or dataset size Capella provides an Alerts dashboard — informing you of any problems, such as a failed backup. Reviewing these alerts and taking appropriate actions is a shared responsibility between the Couchbase Support team and the customer.

    Multi-Factor Authentication

    Multi-Factor Authentication (MFA) is available in both Couchbase’s Cloud Account and Own Cloud Account. Users can choose to add another layer of security by requiring a one-time passcode to be used in conjunction with the password to log in to the Couchbase Capella Control Plane.


    Private Networking with AWS VPC peering.

    If you’re still using Couchbase Server 6.6 hosted in your own Cloud provider’s VPC, Azure VNet peering is also an option.

    Shared Responsibilities

    Good security is a partnership of application and database. With Capella, most operations are automated, but some areas need active input from the customer to get the best possible results.

    • Couchbase’s Cloud Account

    • Own Cloud Account

    With a fully-hosted solution, Couchbase takes care of all of the infrastructure, as well as managing the database deployment. However, customers should take care to follow best practices for authentication, as well as least privilege in RBAC. This page highlights some of those best practices.

    Couchbase’s Responsibilities
    This information is for anyone still using Couchbase Server 6.6, hosted in their own Cloud provider’s VPC. It does not apply to Couchbase 7.0, hosted in Couchbase’s VPC and fully managed for you.
    • Operate the Cloud Control Plane, including the user interface of the Cloud Service

    • Implement reasonable technical and organizational measures to protect the security of the Cloud Control Plane

    • Does not host the Customer Cloud Environment into which the Data Plane is deployed

    • Does not host the systems in which Customer Content may be stored

    Customer’s Role
    • Obtain a Customer Capella Environment through cloud provider

    • Notify Couchbase immediately of any unauthorized use of the user account

    • Protect the security of all Registration Information

    • Properly maintain and secure the Customer Cloud Environment

    • Not interfere with updates to the Cloud Service

    • Implement the appropriate configurations to enable backup and recovery features of the Cloud Service

    No matter which version of Capella you are using, key areas of customer responsibility are Defining Roles and Customer Access Control policy.

    See Also

    Common Next Steps

    Now that you have seen an overview of Capella’s security features, any one of the above links will take you deeper. You may also want to continue with one of the following next steps:

    • Authenticating your client by X.509 certificate —  Java; Node.js.