Encryption on the Wire
Couchbase encrypts the data moving between client and server, between servers within a cluster, and between data centers.
Note: With 4.0, Couchbase uses the TLS protocol by default for encrypted interactions. The server supports TLS 1.0 through 1.2 for XDCR; which version it uses depends on the source and target clusters.
Data moving between client and server needs to be protected from any attackers eavesdropping on the connection. Couchbase Server enables encrypted data access using SSL/TLS for client-server communications.
- Secure administrative access
Couchbase Server also includes support for secure administrative access, which enables administrators to administer the server securely through the browser using a public network.
- Secure data access
When you enable SSL/TLS, data in transit to and from the server is encrypted using the server certificate configured and stored in the client certificate store.
Your data has to be available all the time (24x7x365), and your applications must be able to access that data even if any of the servers in the cluster dies. To ensure high availability, Couchbase Server replicates data within the cluster and across data centers.
If you encrypt all your sensitive data in the documents, the replica copies will be transmitted as is (encrypted) and stored. For added security, it is good practice to use IPsec on the network that connects the Couchbase Server nodes.
To protect sensitive data transmitted among data centers in different geo-locations, use the secure XDCR (Cross Datacenter Replication) feature.
Secure XDCR enables you to encrypt traffic between two data centers using an SSL/TLS connection. When you use secure XDCR, all traffic in the source and destination data centers will be encrypted. Encryption causes a slight increase in CPU load because of the additional CPU cycles it requires.
It is a good security practice to rotate the XDCR certificates periodically, as per your organization’s security policy.
If you would like to force Administrators to log in to the UI over an encrypted channel, you can disable the UI over the 8091 HTTP port, so that administrators can only access the administrative web console over port 18091.
Note: This setting does not disable port 8091 completely, since port 8091 is an important Couchbase port that also handles REST requests in addition to the Couchbase Web Console.
To disable the Couchbase Web Console over port 8091:
curl -X POST -u Administrator:password http://127.0.0.1:8091/diag/eval \
  -d 'ns_config:set(disable_ui_over_http, true)'
To re-enable the Couchbase Web Console over port 8091:
curl -X POST -u Administrator:password http://127.0.0.1:8091/diag/eval \
  -d 'ns_config:set(disable_ui_over_http, false)'
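The following check is an added example, not part of the Couchbase documentation: it handshakes with a node on port 18091, trusting only the exported cluster certificate, and reports the negotiated TLS version and how close the certificate is to expiry. The file name cluster-ca.pem, the 30-day rotation threshold, the list of versions treated as weak and the disabled host-name check are assumptions of this example.

```python
import socket
import ssl
import sys
import time

# Assumed policy values for this example, not Couchbase defaults.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
ROTATE_WITHIN_DAYS = 30


def assess(version, peer_cert, now=None):
    """Return findings for one negotiated session (empty list = no issues)."""
    now = time.time() if now is None else now
    findings = []
    if version in WEAK_VERSIONS:
        findings.append(f"negotiated {version}, older than TLS 1.2")
    # getpeercert() reports expiry as e.g. "Jan  1 00:00:00 2030 GMT".
    expires = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= ROTATE_WITHIN_DAYS:
        findings.append(f"certificate expires in {days_left} days, rotate it")
    return findings


def probe(host, port=18091, cafile="cluster-ca.pem", timeout=5.0):
    """Handshake with a node, trusting only the exported cluster certificate."""
    # Passing cafile means the system CA bundle is not loaded.
    ctx = ssl.create_default_context(cafile=cafile)
    # Assumption: the certificate's name does not match the node address,
    # so the certificate is verified against cafile but the name is not.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_node_tls.py <node-address>")
    try:
        version, cert = probe(sys.argv[1])
    except OSError as exc:  # covers ssl.SSLError and verification failures
        sys.exit(f"handshake failed: {exc}")
    print(version, cert["notAfter"])
    for finding in assess(version, cert):
        print("FINDING:", finding)
```

A client whose own TLS library refuses versions below 1.2 will report a failed handshake rather than a weak-version finding when the node offers nothing newer.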