

      Couchbase Server uses encryption to protect data.

      Encryption in Couchbase Server

      Encryption encodes data so that it is unreadable except by authorized parties who possess the appropriate means of decryption. Encrypted data can therefore be securely saved or transmitted prior to decryption. This ensures the privacy of user data, and the integrity of servers and their clients.

      Couchbase Server provides extensive support for data encryption and decryption. Multiple areas of the system are affected; essential information is therefore distributed throughout the documentation set.

      Areas of Encryption

      The principal areas of Couchbase Server encryption support are listed below, along with links to further information.

      Encryption on the Wire

      This allows data to pass in encrypted form between nodes, between clusters, and between a cluster and its clients.

      • Node-to-Node Encryption. Network traffic between the individual nodes of a Couchbase-Server cluster can be encrypted, in order to optimize cluster-internal security. See Node-to-Node Encryption.

      • TLS Configuration. To support secure communications between nodes, clusters, and clients, Couchbase Server provides interfaces for the configuration of TLS and supportive cipher-suites. See Manage TLS.

      • Secure Console Access. Administrators can connect securely to Couchbase Web Console. Non-secure access can be disabled, for extra security. See Manage Console Access.

      • X.509 Certificates. These support encrypted communications between nodes, between clusters, and between a cluster and its clients.

      • Secure Ports. Services are available on secure ports. See Network and Firewall Requirements.

      • General Network Security. Best practices for ensuring the security of the network are provided in Network Security Recommendations.

      Encryption at Rest

      Encryption at Rest (that is, on disk or another storage device) allows passwords and data in files and directories to be encrypted.

      • Data in Files and Directories. Programs are available for the encryption of data in files and directories. See Securing On-Disk Data.

      • System Secrets. Passwords, certificates, and other items essential to Couchbase-Server security can be written to disk in encrypted format. See Manage System Secrets.

      Encryption in Applications

      • Field Level Encryption. This allows fields within a document to be securely encrypted by the SDK, to support FIPS 140-2 compliance. See Field Level Encryption for an overview.

      • Field Level Encryption from the Java SDK. Provides directions for configuring encrypted field-level communication with Couchbase Server. See Field Level Encryption from the Java SDK.