A newer version of this documentation is available.

View Latest


    It is more important than ever for organizations to secure their infrastructure to prevent unauthorized access and to ensure compliance to regulatory standards such as PCI-DSS and HIPAA. Couchbase Server offers security mechanisms that help protect against threats and breaches.

    Authentication and Authorization

    Couchbase verifies the identity of administrators and applications using both SASL and non-SASL authentication methods, including challenge-response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. Couchbase Server also supports LDAP authentication for administrators connecting to Couchbase through the Couchbase Web Console.

    • Applications are authorized for buckets to which they have access.

    • Administrators have different authorization and privileges based on their roles. RBAC for Administrators requires configuration with LDAP, so that the administrator’s user ID in LDAP can be mapped by the Full Administrator to one or more fixed administrative roles.


    • Data in motion: Couchbase Server supports end-to-end SSL traffic both from applications to clusters and between clusters (XDCR). This encryption covers both data packets and administration traffic.

    • Data at rest: Couchbase works with LUKS-based disk encryption on Linux, Bitlocker Drive Encryption on Windows Server 2008 and 2012, and with Vormetric Data Security platform, which does disk and file-level (encryption at rest) and application-level encryption.


    Auditing empowers authorized users to monitor the actions carried out by administrators in the Couchbase Server cluster. This capability is essential for achieving regulatory compliance and is often critical for adhering to internal security policies.

    For more information about security mechanisms in Couchbase Server, see Security in Couchbase.