
Encryption

    Couchbase Server uses encryption to protect data.

    Encryption in Couchbase Server

    By means of encryption, data is encoded so that it cannot be read by anyone other than authorized parties who possess the appropriate means of decryption. Encrypted data can therefore be saved or transmitted securely before it is decrypted. This protects the privacy of user data, and the integrity of servers and their clients.

    Couchbase Server provides extensive support for data encryption and decryption. Because multiple areas of the system are affected, the essential information is distributed throughout the documentation set.

    Areas of Encryption

    The principal areas of Couchbase Server encryption support are listed below, along with links to further information.

    Encryption on the Wire

    This allows data to pass in encrypted form between nodes, between clusters, and between a cluster and its clients.

    • Node-to-Node Encryption. Network traffic between the individual nodes of a Couchbase Server cluster can be encrypted, to secure cluster-internal communication. See Node-to-Node Encryption.

    • On-the-Wire Security Configuration. To support secure communications between nodes, clusters, and clients, Couchbase Server provides interfaces for configuring TLS and the supported cipher suites; cluster-internal encryption levels; and secure UI access. See On-the-Wire Security for a conceptual overview, and Manage On-the-Wire Security for step-by-step configuration instructions.

    • Secure Console Access. Administrators can connect securely to Couchbase Web Console. Non-secure access can be disabled for extra security. See Manage Console Access.

    • X.509 Certificates. These support encrypted communications between nodes, between clusters, and between a cluster and its clients.

      • Certificates provides an overview of certificates and their management.

      • Configure Server Certificates explains the practical steps towards configuring certificates for Couchbase Server. This page also provides information on working with different versions of SSL/TLS, and on supported ciphers.

      • Configure Client Certificates describes how to create a certificate to allow a client’s secure access to Couchbase Server.

      • Enable Client-Certificate Handling explains how to configure Couchbase Server to accept communications from clients that wish to authenticate and communicate securely by means of certificates.

      • Certificate Rotation provides steps whereby server certificates can be rotated periodically, to limit the exposure of any single certificate.

      • Certificate Error Handling explains how to handle errors related to certificate-based secure communication.

      • Enable Fully Secure Replications describes how certificates can be used to ensure that data is replicated securely between clusters.

      • Certificate Management API lists the REST API methods and URIs available for certificate management.

      • The ssl-manage CLI command supports management of SSL certificates.

    • Secure Ports. Services are available on secure ports. See Couchbase Server Ports.

    • General Network Security. Best practices for ensuring the security of the network are provided in Network Security Recommendations.

    Encryption at Rest

    Encryption at Rest (that is, on disk or another storage device) allows passwords and data in files and directories to be encrypted.

    • Data in Files and Directories. Programs are available for the encryption of data in files and directories. See Securing On-Disk Data.

    • System Secrets. Passwords, certificates, and other items essential to Couchbase Server security can be written to disk in encrypted form. See Manage System Secrets.

    Encryption in Applications

    • Field Level Encryption. This allows fields within a document to be encrypted by the SDK, to support FIPS 140-2 compliance. See Field Level Encryption for an overview.

    • Field Level Encryption from the Java SDK. This page provides directions for configuring field-level encryption of data exchanged with Couchbase Server. See Field Level Encryption from the Java SDK.