Security Best Practices

      Security is a process and Couchbase Capella strives to achieve the best ways to protect your data, from Zero Trust, through adaptive access, to centralized management and proactive monitoring. Best practices in the way you work with Capella further protect you from malicious attacks.

      This page groups together listings of some of the many features of Capella security architecture with links to places in the docs where you have a chance to apply good practice to your Couchbase instance.

      Security Highlights

      All communication is encrypted using TLS 1.2 or higher. This can’t be turned off.


      Capella provides event auditing, whereby events are logged. Log files can be downloaded for inspection.

      Event auditing occurs on a per node basis: each node captures only its own events, and saves the records in its own log file. When a database’s log files are to be inspected, the user can perform a download: all log files are duly downloaded, as a single, compressed file, to the user’s current system.

      For a full overview, providing access to step-by-step instructions and reference information, see Auditing.

      Encryption at Rest

      By default, Couchbase Capella databases use the underlying cloud provider’s key management service to create a new key for each database. These key management services include AWS Key Management Service, Google Cloud Key Management Service, and Azure Key Vault.

      Capella uses customer master keys that are 256-bit Advanced Encryption Standard (AES) symmetric keys and are not exportable. AES-256, which has a key length of 256 bits, supports the largest bit size and is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard. Customer master keys use hardware security modules (HSMs) validated under FIPS 140-2.

      Customer Managed Encryption Keys

      Capella also supports customer-managed encryption keys. Customer-managed encryption allows you to move control of the keys from Couchbase to your own key management system. By managing your encryption keys, you control their configuration, rotation cycles, geographic storage location, and can directly revoke them.

      Access Management

      Capella is built upon Couchbase’s sophisticated Role-Based Access Control.

      Organization and Project Overview: Couchbase Capella is organized into organizations and projects, each of which has its own user roles.

      Allowed IPs: Limit both the IP addresses that can access your data, and the period for which they have access.

      Database Credentials: Provide programmatic and application-level access to data on a database.


      Federated & SSO Authentication: Couchbase Capella allows users to sign in to the Capella UI using federated and SSO authentication after configuring Capella to authenticate using data passed from your identity provider (IdP). Okta, Azure AD, Ping Identity, and CyberArk are supported IdPs.

      Multi-Factor Authentication (MFA): Any non-SSO user within your organization can use Capella’s MFA. MFA improves your Capella account security by requiring two credentials to sign in: your password and a time-based one-time password (TOTP).

      Five failed attempts at logging in a user results in that account being locked for five minutes.

      Secrets Management

      Application passwords management can be simplified with our Hashicorp Vault plug-in. Vault’s Database Secrets Engine generates dynamic, short-lived database credentials, which streamlines the management of database connections and roles. You can also customize permissions and TTL settings.

      Applying Best Practice

      Make sure to familiarize yourself with our Access Management (RBAC), to ensure your applications take advantage of the Least Privileges and Separation of Duties that we offer.

      We strongly recommend enabling Multi-Factor Authentication (MFA) to authenticate against Capella—​adding a strong layer of protection against many common attacks.


      Couchbase Capella manages the infrastructure lifecycle for you, upgrading the Couchbase Cluster with a new version of Couchbase Server, and communicating the release cycle and policy with you. Customers should update the Couchbase SDK that they use in their applications to the latest patched version, and validate after upgrading.

      Monitoring & Alerts

      Couchbase Capella provides a performance metrics dashboard. The customer reviews the metrics and is responsible for scaling the database to accommodate changes in workload or dataset size Capella provides an Alerts dashboard — informing you of any problems, such as a failed backup. Reviewing these alerts and taking appropriate actions is a shared responsibility between the Couchbase Support team and the customer.

      Multi-Factor Authentication

      Multi-Factor Authentication (MFA) is available for non-SSO Capella users. Users can choose to add another layer of security by requiring a one-time passcode to be used in conjunction with the password to log in to the Couchbase Capella Control Plane.

      See Manage Multi-Factor Authentication (MFA) for more information.


      Private Networking with AWS, GCP, or Azure VPC peering.

      Shared Responsibilities

      Good security is a partnership of application and database. With Capella, most operations are automated, but some areas need active input from the customer to get the best possible results.

      With a fully-hosted solution, Couchbase takes care of all of the infrastructure, as well as managing the database deployment. However, customers should take care to follow best practices for authentication, as well as least privilege in RBAC. This page highlights some of those best practices.

      Key areas of customer responsibility are Defining Roles and Customer Access Control policy.

      Common Next Steps

      Now that you have seen an overview of Capella’s security features, any one of the above links will take you deeper. You may also want to continue with one of the following next steps:

      • Authenticating your client by X.509 certificate —  Java; Node.js.