A newer version of this documentation is available.

View Latest

Encryption on the wire

Couchbase encrypts the data moving between client and server, between servers within a cluster, and between data centers.

Data moving between client and server

With 4.0, Couchbase uses the TLS protocol by default for encrypted interactions. The server supports both TLS 1.0-1.2 for XDCR. Which version it uses depends on the source and target clusters.

Data moving between client and server needs to be protected from any attackers eavesdropping on the connection. Couchbase Server enables encrypted data access using SSL/TLS for client-server communications.

Secure administrative access

Couchbase Server also includes support for secure administrative access, which enables administrators to administer the server securely through the browser using a public network.

Secure data access

When you enable SSL/TLS, data in transit to and from the server is encrypted using the server certificate configured and stored in the client certificate store.

Data moving between servers within a cluster

Your data has to be available all the time (24x7x365) and your applications must be able to access that data even if any of the servers in the cluster dies. To ensure high availability, Couchbase Server replicates data within the cluster and across data centers.

If you encrypt all your sensitive data in the documents, the replica copies will be transmitted as is (encrypted) and stored. For added security, it is a good security practice to use IPSec on the network that connects the Couchbase server nodes.

Data moving between data centers

To protect sensitive data transmitted among data centers in different geo-locations, use the secure XDCR (Cross Datacenter Replication) feature.

Secure XDCR enables you to encrypt traffic between two data centers using an SSL/TLS connection. When you use secure XDCR, all traffic in the source and destination data centers will be encrypted. Encryption causes a slight increase in the CPU load to allow for additional CPU cycles.

It is a good security practice to rotate the XDCR certificates periodically, as per your organization’s security policy.