Encryption At Rest

    Understand encryption at rest in Couchbase Server and how to configure it using the Autonomous Operator.

    Overview

    Encryption at rest is a security feature introduced in Couchbase Server 8.0.0 that protects your data by encrypting it on disk. When enabled, sensitive data stored on the Couchbase nodes is encrypted, ensuring that even if the underlying storage is compromised, the data remains secure.

    What Data Can Be Encrypted?

    Encryption at rest supports encrypting multiple types of data within your Couchbase deployment:

    • Data in buckets - The actual documents and data stored in your buckets

    • Cluster configuration - Sensitive cluster settings and configurations

    • Logs - Server log files (note: encrypting logs will break fluent-bit log streaming)

    • Audit logs - Security audit trail data

    Field-Level Encryption in Applications

    Applications can use the SDK to encrypt specific fields. Depending on your application’s requirements, field-level encryption may be more appropriate than encrypting the entire bucket. See the SDK documentation for your development language for more information.

    Key Types

    Couchbase offers flexibility in how encryption keys are managed through three different key types:

    Couchbase Server Managed Keys

    Also called AutoGenerated keys, these are the simplest option. Couchbase Server automatically generates and manages these keys without requiring external services. This is ideal for:

    • Environments without external key management infrastructure

    • Use cases where key management can be handled within Couchbase

    AWS KMS Keys

    AWS Key Management Service (KMS) integration allows you to use AWS-managed encryption keys. This is recommended when:

    • Running Couchbase in AWS (EKS or EC2)

    • Your organization uses AWS KMS for centralized key management

    • You need compliance with AWS security standards

    KMIP Keys

    Key Management Interoperability Protocol (KMIP) is an industry standard that works with enterprise key management systems from vendors like Thales, IBM, or HashiCorp Vault. Choose KMIP when:

    • You have an existing enterprise key management system

    • You need vendor-neutral key management

    • Compliance requires external key management

    Key Concepts

    Key Encryption Keys (KEK) and Data Encryption Keys (DEK)

    Couchbase uses a two-tier key hierarchy:

    • Key Encryption Keys (KEK) - The master keys you define through CouchbaseEncryptionKey resources. These encrypt other keys or data.

    • Data Encryption Keys (DEK) - Temporary keys generated by Couchbase to encrypt actual data. These are encrypted by KEKs.

    Key Rotation

    Key rotation is an important security practice. With encryption at rest:

    • KEK rotation can be scheduled through the CouchbaseEncryptionKey resource

    • DEK rotation happens automatically based on the rotationInterval setting

    • When a key rotates, new data is encrypted with the new key while old data remains accessible

    Key Usage Restrictions

    You can restrict what each key encrypts by setting usage parameters:

    • configuration - Cluster configuration data

    • key - Other encryption keys

    • log - Log files

    • audit - Audit logs

    • allBuckets - All bucket data

    By default, keys can encrypt anything. Restricting usage improves security through separation of concerns.

    How to Enable Encryption At Rest

    Enabling encryption at rest with the Autonomous Operator involves three main steps:

    Step 1: Enable Encryption Management

    First, enable encryption at rest management on your CouchbaseCluster resource:

    apiVersion: couchbase.com/v2
    kind: CouchbaseCluster
    metadata:
      name: my-cluster
    spec:
      security:
        encryptionAtRest:
          managed: true

    Step 2: Create Encryption Keys

    Create one or more CouchbaseEncryptionKey resources. Here’s a simple example with an auto-generated key:

    apiVersion: couchbase.com/v2
    kind: CouchbaseEncryptionKey
    metadata:
      name: my-key
    spec:
      keyType: AutoGenerated

    For AWS KMS or KMIP keys, additional configuration is required (see Couchbase Encryption At Rest).

    Step 3: Apply Encryption to Data

    Configure which data should be encrypted on your cluster or buckets:

    apiVersion: couchbase.com/v2
    kind: CouchbaseCluster
    metadata:
      name: my-cluster
    spec:
      security:
        encryptionAtRest:
          managed: true
          configuration:
            enabled: true
            keyName: "my-key"
          audit:
            enabled: true
            keyName: "my-key"

    For bucket-level encryption:

    apiVersion: couchbase.com/v2
    kind: CouchbaseBucket
    metadata:
      name: secure-bucket
    spec:
      name: secure-bucket
      memoryQuota: 512Mi
      encryptionAtRest:
        keyName: "my-key"
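
    The three steps only work together if every keyName resolves to a CouchbaseEncryptionKey and the cluster has managed: true. The following check is an added example, not part of the Couchbase documentation or the Operator; lint_encryption, meta and SAMPLE are hypothetical names, and the "not encrypted" findings reflect an assumed policy that everything shown in Step 3 should be covered.

```python
# Added example: lint the manifests from Steps 1-3 before applying them.
# Manifests are plain dicts (constructed sample data); only fields shown on this page are read.
def lint_encryption(manifests):
    """Return sorted findings about encryption-at-rest wiring."""
    keys = {m["metadata"]["name"] for m in manifests
            if m.get("kind") == "CouchbaseEncryptionKey"}
    findings = []

    def check_ref(owner, target, key_name):
        # A keyName must match a CouchbaseEncryptionKey in the same manifest set.
        if key_name not in keys:
            findings.append(f"{owner}: {target} references undefined key {key_name!r}")

    for m in manifests:
        owner = f"{m.get('kind')}/{m['metadata']['name']}"
        spec = m.get("spec") or {}
        if m.get("kind") == "CouchbaseCluster":
            ear = (spec.get("security") or {}).get("encryptionAtRest") or {}
            if ear.get("managed") is not True:
                findings.append(f"{owner}: encryptionAtRest.managed is not true")
            for target in ("configuration", "audit"):  # targets shown in Step 3
                cfg = ear.get(target) or {}
                if cfg.get("enabled") is True:
                    check_ref(owner, target, cfg.get("keyName"))
                else:
                    findings.append(f"{owner}: {target} is not encrypted")
        elif m.get("kind") == "CouchbaseBucket":
            ear = spec.get("encryptionAtRest")
            if ear is None:
                findings.append(f"{owner}: bucket data is not encrypted")
            else:
                check_ref(owner, "bucket", ear.get("keyName"))
    return sorted(findings)

def meta(kind, name, spec):
    return {"apiVersion": "couchbase.com/v2", "kind": kind,
            "metadata": {"name": name}, "spec": spec}

# Constructed sample: the audit key name is misspelled and one bucket is unencrypted.
SAMPLE = [
    meta("CouchbaseEncryptionKey", "my-key", {"keyType": "AutoGenerated"}),
    meta("CouchbaseCluster", "my-cluster", {"security": {"encryptionAtRest": {
        "managed": True,
        "configuration": {"enabled": True, "keyName": "my-key"},
        "audit": {"enabled": True, "keyName": "my-kye"}}}}),
    meta("CouchbaseBucket", "secure-bucket", {"encryptionAtRest": {"keyName": "my-key"}}),
    meta("CouchbaseBucket", "scratch", {"memoryQuota": "256Mi"}),
]
print("\n".join(lint_encryption(SAMPLE)))
```

    In practice the dicts would come from parsing the YAML files that are about to be applied.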

    Security Considerations

    When implementing encryption at rest:

    • Key Protection - Consider encrypting your data keys with a dedicated Key Encryption Key (KEK) rather than using the cluster master password

    • Key Rotation - Implement regular key rotation schedules appropriate for your security requirements

    • External Key Management - For sensitive environments, consider using AWS KMS or KMIP instead of auto-generated keys

    • Log Encryption Trade-offs - Be aware that encrypting logs prevents log streaming to monitoring systems
