Encryption

      Couchbase Server lets you use encryption to protect data. You can configure network encryption for communications with clients, between nodes in the cluster, and with other clusters when using Cross-Datacenter Replication (XDCR). Couchbase Server supports encrypting data stored on disk to limit data exposure. You can also have your application store encrypted attributes in documents. This topic provides an overview of the encryption features in Couchbase Server.

      Network Encryption

      You can choose to encrypt client connections, intra-node connections, and cluster-to-cluster connections. You configure each connection type separately. For example, you can choose to encrypt client connections, but leave connections between nodes in a cluster unencrypted.

      Couchbase Server supports the following types of network encryption:

      Node to Node

      You can choose to encrypt all internal traffic between nodes in the cluster. This configuration helps limit data leakage from network intrusions. See Node-to-Node Encryption.

      Client Connections

      You can make encryption optional or required for client connections. See Securing Client Access with TLS.
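      The following Go program is an added illustration, not code from Couchbase or its SDKs, of what "required" client encryption has to mean on the client side. It stands up an in-process TLS listener with a freshly generated self-signed certificate in place of a Couchbase node, then connects three ways: trusting that certificate (what an SDK does when it is given the cluster's root certificate together with a couchbases:// connection string), trusting nothing, and with verification switched off. The names fakeCluster, verifiedHandshake and emptyRoots, the certificate, and the address are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fakeCluster stands in for one Couchbase node on a TLS port; constructed for this example only.
type fakeCluster struct {
	ln    net.Listener
	roots *x509.CertPool // the "cluster root certificate" a client must trust
}

func (c *fakeCluster) addr() string { return c.ln.Addr().String() }
func (c *fakeCluster) close()       { c.ln.Close() }

// newFakeCluster generates a self-signed certificate for 127.0.0.1, starts a TLS
// listener on an ephemeral port and drives the handshake for each connection.
func newFakeCluster() (*fakeCluster, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "node1.example.internal"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a client that rejects our certificate aborts here
			}(conn)
		}
	}()
	return &fakeCluster{ln: ln, roots: roots}, nil
}

// emptyRoots models a client whose trust store lacks the cluster root certificate.
func emptyRoots() *x509.CertPool { return x509.NewCertPool() }

// verifiedHandshake connects to addr and completes the TLS handshake, verifying the
// server's chain against roots. skipVerify=true reproduces the common mistake of
// turning verification off: traffic is encrypted, but to an unauthenticated peer.
func verifiedHandshake(addr string, roots *x509.CertPool, skipVerify bool) error {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, InsecureSkipVerify: skipVerify}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err // e.g. "x509: certificate signed by unknown authority"
	}
	conn.Close()
	return nil
}

func main() {
	cluster, err := newFakeCluster()
	if err != nil {
		panic(err)
	}
	defer cluster.close()
	fmt.Println("trusted cluster CA:   ", verifiedHandshake(cluster.addr(), cluster.roots, false))
	fmt.Println("untrusted CA:         ", verifiedHandshake(cluster.addr(), emptyRoots(), false))
	fmt.Println("verification disabled:", verifiedHandshake(cluster.addr(), emptyRoots(), true))
}
```

      The third case is the trap. The handshake succeeds and the bytes on the wire are encrypted, but any host presenting any certificate would have passed, so an attacker who can redirect traffic can terminate the TLS session and read everything. Requiring encryption on the server does not close this gap; the client must also verify the chain against the cluster's root certificate.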

      Couchbase Server Web Console Access

      You can configure the Web Console to require secure connections. See Manage Console Access.

      Secure Access to Services

      You can configure Couchbase Server services to only use secure ports. See Couchbase Server Ports.

      Secure XDCR Replication

      You can encrypt XDCR replication between Couchbase Server clusters. See Enable Fully Secure Replications.

      Couchbase Server TLS Support

      Couchbase Server uses Transport Layer Security (TLS) with a selection of cipher-suites for network encryption. See the following pages for more information about Couchbase Server’s TLS support:

      Encryption at Rest

      Encryption at rest encrypts files stored on disk. The files you can encrypt include those that store database data, configuration, logs, and audits. Encrypting data at rest can help limit the exposure of confidential information from a security breach.

      You have several options to encrypt your data at rest:

      Use the Couchbase Server native encryption at-rest feature

      Couchbase Server Enterprise Edition has a built-in encryption-at-rest feature that encrypts data as it writes it to disk. Using the built-in encryption lets you fine-tune which data is encrypted and which is not. For example, you can choose to encrypt sensitive customer data while leaving less sensitive data, such as product catalog data, unencrypted. Encrypting only the sensitive data limits the overhead of encrypting and decrypting. See Native Encryption at Rest for more information.

      Use third-party tools

      Third-party tools such as Thales CipherTrust (formerly known as Vormetric/Gemalto) and Protegrity can provide centralized encryption at rest.

      Use OS-level disk encryption

      You can use block-device encryption such as LUKS (Linux Unified Key Setup), which is available on Linux. Note that disk encryption protects data only while the device is not mounted; a running node reads its files in the clear, so it does not limit what a compromised process or privileged user on the node can read. See Securing On-Disk Data.

      System Secrets

      Couchbase Server can write passwords, certificates, and other sensitive information to disk in encrypted format. See Manage System Secrets.

      Encryption in Applications

      Applications can use the SDK to store fields in encrypted format. See the SDK documentation for your development language for more information. For example:
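      The following Go program is an added example of the pattern this section describes, not code from Couchbase or any of its SDKs: a sensitive field is encrypted by the application before the document is written and decrypted after it is read, so the server only ever holds the envelope. The envelope layout (an "encrypted$" prefix on the field name with alg, kid and ciphertext inside) is modelled on what the SDKs' field-level encryption documents look like, but the cipher used here, AES-256-GCM, the key id "customer-key-1", the fixed demo key and the sample document are all constructed for this example; a real deployment takes the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// A sensitive field "ssn" is stored as "encrypted$ssn": {"alg","kid","ciphertext"}, an envelope
// shape modelled on the SDKs' field-level encryption documents. The cipher, AES-256-GCM, is
// chosen for this example and is not the SDKs' own provider.
const fieldPrefix, algName = "encrypted$", "AES-256-GCM"

type keyring map[string][]byte // key id -> 32-byte AES key; real deployments fetch these from a KMS

// demoKey is a fixed, constructed key so the example runs offline. Never do this in production.
func demoKey() []byte { return []byte("0123456789abcdef0123456789abcdef") }

func aeadFor(kr keyring, kid string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr[kid]) // unknown kid -> empty key -> "invalid key size"
	if err != nil {
		return nil, fmt.Errorf("key %q: %w", kid, err)
	}
	return cipher.NewGCM(block)
}

// encryptDocument replaces each named field with its envelope before the write, so the
// plaintext never reaches the server; fields not listed are stored as they are.
func encryptDocument(kr keyring, kid string, doc map[string]any, fields ...string) error {
	aead, err := aeadFor(kr, kid)
	if err != nil {
		return err
	}
	for _, f := range fields {
		plain, err := json.Marshal(doc[f]) // encrypt the JSON encoding so any value type round-trips
		if err != nil {
			return err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		// Key id and field name are bound as associated data: a ciphertext moved to another
		// field, or relabelled with another kid, fails to authenticate on decrypt.
		ct := aead.Seal(nonce, nonce, plain, []byte(kid+"/"+f)) // nonce || ciphertext || tag
		doc[fieldPrefix+f] = map[string]any{"alg": algName, "kid": kid, "ciphertext": base64.StdEncoding.EncodeToString(ct)}
		delete(doc, f)
	}
	return nil
}

// decryptDocument restores every "encrypted$" field after a read, failing closed on an
// unknown algorithm, an unknown key id, or an authentication-tag mismatch.
func decryptDocument(kr keyring, doc map[string]any) error {
	for name, v := range doc {
		if !strings.HasPrefix(name, fieldPrefix) {
			continue
		}
		f := strings.TrimPrefix(name, fieldPrefix)
		env, _ := v.(map[string]any) // nil if malformed; every lookup below then comes back empty
		alg, _ := env["alg"].(string)
		kid, _ := env["kid"].(string)
		b64, _ := env["ciphertext"].(string)
		if alg != algName {
			return fmt.Errorf("field %q: unsupported algorithm %q", f, alg)
		}
		aead, err := aeadFor(kr, kid)
		if err != nil {
			return err
		}
		ct, err := base64.StdEncoding.DecodeString(b64)
		if err != nil || len(ct) < aead.NonceSize() {
			return fmt.Errorf("field %q: malformed ciphertext", f)
		}
		plain, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], []byte(kid+"/"+f))
		if err != nil {
			return fmt.Errorf("field %q: %w", f, err) // tampering surfaces here, before the value is used
		}
		var val any
		if err := json.Unmarshal(plain, &val); err != nil {
			return err
		}
		doc[f] = val
		delete(doc, name)
	}
	return nil
}

func main() {
	kr := keyring{"customer-key-1": demoKey()}
	doc := map[string]any{"name": "Alice", "ssn": "123-45-6789", "catalog": "shoes"} // constructed sample
	if err := encryptDocument(kr, "customer-key-1", doc, "ssn"); err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(doc) // what the bucket holds: no "ssn", only "encrypted$ssn"
	back := map[string]any{}
	_ = json.Unmarshal(stored, &back)
	err := decryptDocument(kr, back)
	fmt.Println(string(stored), "\nread back:", back["ssn"], err)
}
```

      Two design points carry over to any SDK's field-level encryption: the key id travels with the ciphertext so keys can be rotated without re-encrypting everything at once, and decryption fails closed (wrong key, relabelled key id, altered bytes) rather than returning garbage. Encrypted fields cannot be indexed or queried on their plaintext, which is why the text above recommends encrypting only the fields that need it.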