Encryption At Rest

      Understand encryption at rest in Couchbase Server and how to configure it using the Autonomous Operator.

      Overview

      Encryption at rest is a security feature introduced in Couchbase Server 8.0.0 that protects your data by encrypting it on disk. When enabled, sensitive data stored on the Couchbase nodes is encrypted, so that even if the underlying storage is compromised, the data remains unreadable without the encryption keys.

      What Data Can Be Encrypted?

      Encryption at rest supports encrypting multiple types of data within your Couchbase deployment:

      • Data in buckets - The actual documents and data stored in your buckets

      • Cluster configuration - Sensitive cluster settings and configurations

      • Logs - Server log files (note: encrypting logs will break fluent-bit log streaming)

      • Audit logs - Security audit trail data

      Field-Level Encryption in Applications

      Applications can use the SDK to encrypt specific fields. Depending on your application’s requirements, field-level encryption may be more appropriate than encrypting the entire bucket. See the SDK documentation for your development language for more information. For example:

      Key Types

      Couchbase offers flexibility in how encryption keys are managed through three different key types:

      Couchbase Server Managed Keys

      Also called AutoGenerated keys, these are the simplest option. Couchbase Server automatically generates and manages these keys without requiring external services. This is ideal for:

      • Environments without external key management infrastructure

      • Use cases where key management can be handled within Couchbase

      AWS KMS Keys

      AWS Key Management Service (KMS) integration allows you to use AWS-managed encryption keys. This is recommended when:

      • Running Couchbase in AWS (EKS or EC2)

      • Your organization uses AWS KMS for centralized key management

      • You need compliance with AWS security standards

      KMIP Keys

      Key Management Interoperability Protocol (KMIP) is an industry standard that works with enterprise key management systems from vendors like Thales, IBM, or HashiCorp Vault. Choose KMIP when:

      • You have an existing enterprise key management system

      • You need vendor-neutral key management

      • Compliance requires external key management

      Key Concepts

      Key Encryption Keys (KEK) and Data Encryption Keys (DEK)

      Couchbase uses a two-tier key hierarchy:

      • Key Encryption Keys (KEK) - The master keys you define through CouchbaseEncryptionKey resources. These encrypt other keys or data.

      • Data Encryption Keys (DEK) - Temporary keys generated by Couchbase to encrypt actual data. These are encrypted by KEKs.

      Key Rotation

      Key rotation is an important security practice. With encryption at rest:

      • KEK rotation can be scheduled through the CouchbaseEncryptionKey resource

      • DEK rotation happens automatically based on the rotationInterval setting

      • When a key rotates, new data is encrypted with the new key while old data remains accessible

      Key Usage Restrictions

      You can restrict what each key encrypts by setting usage parameters:

      • configuration - Cluster configuration data

      • key - Other encryption keys

      • log - Log files

      • audit - Audit logs

      • allBuckets - All bucket data

      By default, keys can encrypt anything. Restricting usage improves security through separation of concerns.

      How to Enable Encryption At Rest

      Enabling encryption at rest with the Autonomous Operator involves three main steps:

      Step 1: Enable Encryption Management

      First, enable encryption at rest management on your CouchbaseCluster resource:

      apiVersion: couchbase.com/v2
      kind: CouchbaseCluster
      metadata:
        name: my-cluster
      spec:
        security:
          encryptionAtRest:
            managed: true

      Step 2: Create Encryption Keys

      Create one or more CouchbaseEncryptionKey resources. Here’s a simple example with an auto-generated key:

      apiVersion: couchbase.com/v2
      kind: CouchbaseEncryptionKey
      metadata:
        name: my-key
      spec:
        keyType: AutoGenerated

      For AWS KMS or KMIP keys, additional configuration is required (see Couchbase Encryption At Rest).

      Step 3: Apply Encryption to Data

      Configure which data should be encrypted on your cluster or buckets:

      apiVersion: couchbase.com/v2
      kind: CouchbaseCluster
      metadata:
        name: my-cluster
      spec:
        security:
          encryptionAtRest:
            managed: true
            configuration:
              enabled: true
              keyName: "my-key"
            audit:
              enabled: true
              keyName: "my-key"

      For bucket-level encryption:

      apiVersion: couchbase.com/v2
      kind: CouchbaseBucket
      metadata:
        name: secure-bucket
      spec:
        name: secure-bucket
        memoryQuota: 512Mi
        encryptionAtRest:
          keyName: "my-key"

      Security Considerations

      When implementing encryption at rest:

      • Key Protection - Consider encrypting your data keys with a dedicated Key Encryption Key (KEK) rather than using the cluster master password

      • Key Rotation - Implement regular key rotation schedules appropriate for your security requirements

      • External Key Management - For sensitive environments, consider using AWS KMS or KMIP instead of auto-generated keys

      • Log Encryption Trade-offs - Be aware that encrypting logs prevents log streaming to monitoring systems
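
      The three-step procedure above and these considerations can be checked before manifests are applied. The following script is an added example, not part of the Operator or this page: it audits a set of parsed CouchbaseCluster, CouchbaseEncryptionKey and CouchbaseBucket manifests for dangling keyName references, unencrypted buckets, one key reused for several purposes, and the log-streaming trade-off. The sample manifests are constructed for illustration, and the `log` target under encryptionAtRest is assumed by analogy with the `configuration` and `audit` blocks shown above.

```python
# Static audit of Operator manifests against the encryption-at-rest rules on this page.
# SAMPLE_DOCS is constructed; the `log` target is assumed by analogy with configuration/audit.
from collections import defaultdict

SAMPLE_DOCS = [
    {"kind": "CouchbaseCluster", "metadata": {"name": "my-cluster"},
     "spec": {"security": {"encryptionAtRest": {
         "managed": True,
         "configuration": {"enabled": True, "keyName": "my-key"},
         "audit": {"enabled": True, "keyName": "missing-key"}}}}},
    {"kind": "CouchbaseEncryptionKey", "metadata": {"name": "my-key"},
     "spec": {"keyType": "AutoGenerated"}},
    {"kind": "CouchbaseBucket", "metadata": {"name": "secure-bucket"},
     "spec": {"name": "secure-bucket", "encryptionAtRest": {"keyName": "my-key"}}},
    {"kind": "CouchbaseBucket", "metadata": {"name": "plain-bucket"},
     "spec": {"name": "plain-bucket"}},
]

def audit_encryption(docs):
    """Return finding strings in manifest order; an empty list means all checks passed."""
    keys = {d["metadata"]["name"] for d in docs if d["kind"] == "CouchbaseEncryptionKey"}
    uses = defaultdict(list)  # keyName -> everything it protects (spots one key doing it all)
    findings = []
    for d in docs:
        name, spec = d["metadata"]["name"], d.get("spec", {})
        if d["kind"] == "CouchbaseCluster":
            ear = spec.get("security", {}).get("encryptionAtRest", {})
            if not ear.get("managed"):  # Step 1: nothing below takes effect without this
                findings.append(f"{name}: encryptionAtRest.managed is not true")
            for target in ("configuration", "audit", "log"):
                t = ear.get(target, {})
                if not t.get("enabled"):
                    continue
                if t.get("keyName") not in keys:
                    findings.append(f"{name}: {target} references undefined key {t.get('keyName')!r}")
                uses[t.get("keyName")].append(target)
                if target == "log":  # page caveat: encrypted logs break fluent-bit streaming
                    findings.append(f"{name}: log encryption breaks fluent-bit log streaming")
        elif d["kind"] == "CouchbaseBucket":
            key = spec.get("encryptionAtRest", {}).get("keyName")
            if key is None:
                findings.append(f"{name}: bucket data is not encrypted at rest")
            elif key not in keys:
                findings.append(f"{name}: bucket references undefined key {key!r}")
            else:
                uses[key].append(f"bucket:{name}")
    for key, targets in uses.items():  # separation of concerns: one key for several purposes
        if len(targets) > 1:
            findings.append(f"{key}: shared by {targets}; restrict usage or use separate keys")
    return findings
```

      Feed it the documents from a multi-document YAML file (for example via PyYAML's safe_load_all) to run it against real manifests.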

      Next Steps

      For detailed configuration instructions and advanced features, see: