Force Encryption of Unencrypted Data

Use these REST APIs to force Couchbase Server to encrypt existing data.

Description

When you enable encryption at rest for a bucket or a type of data, Couchbase Server begins encrypting newly written data. However, it does not encrypt existing data. These APIs let you force Couchbase Server to encrypt existing data in a bucket or all data of a specific type. See Native Encryption at Rest for more information about encryption at rest.

This method is similar to the /controller/dropEncryptionAtRestDeks endpoint, but it does not rotate the data encryption keys (DEKs), and it does not re-encrypt data that is already encrypted.

HTTP Methods

Force Encryption of Unencrypted Bucket Data

Force the unencrypted data in a bucket to be encrypted immediately.

Encrypt Unencrypted Data in Bucket
POST /controller/forceEncryptionAtRest/bucket/{BUCKET_NAME}
Path Parameters
BUCKET_NAME

The name of the bucket whose unencrypted data you want to encrypt. This bucket must already have encryption at rest enabled.

curl Syntax

curl -sS -u $USER:$PASSWORD \
     -X POST 'http[s]://<hostname>:{PORT}/controller/forceEncryptionAtRest/bucket/{BUCKET_NAME}'
Path Parameters
USER

The name of a user who has one of the roles listed in Required Privileges.

PASSWORD

The password for the user.

host

Hostname or IP address of a Couchbase Server node.

port

Port number for the REST API. Defaults are 8091 for unencrypted and 18901 for encrypted connections.

BUCKET_NAME

The name of the bucket whose unencrypted data you want to encrypt. This bucket must already have encryption at rest enabled for this method to have an effect.

Required Privileges

You must have at least one of the following roles:

Responses

200 OK

The request was successful and Couchbase Server starts encrypting the data. Returns a JSON object with a timestamp of when Couchbase Server started encrypting the data. See the Example section below for a sample response.

This endpoint also returns 200 OK for buckets that do not have encryption at rest enabled. In this case, the request does not encrypt any data.

400 Bad Request

The request was malformed or Couchbase Server could not process it.

401 Unauthorized

The user credentials you supplied were not valid.

403 Forbidden

Your user account does not have one of the required roles to call this endpoint.

404 Not Found

The bucket named in the BUCKET_NAME path parameter does not exist.

Example

The following example demonstrates how to force Couchbase Server to encrypt the unencrypted data in a bucket named travel-sample:

curl -v -u Administrator:password \
     -X POST http://localhost:8091/controller/forceEncryptionAtRest/bucket/travel-sample \
     | jq

The result of the request is a JSON object with a forceEncryptionDate attribute that contains the date and time when Couchbase Server started encrypting the data:

{
  "forceEncryptionDate": "2025-08-04T17:58:39Z"
}

Force Encryption of a Type of Non-bucket Data

Force the encryption of unencrypted data of one of the following types:

  • Audit

  • Configuration

  • Logging

Encrypt Unencrypted Data of a Type
POST /controller/forceEncryptionAtRest/{TYPE}
Path Parameter
TYPE

The type of data to encrypt. Can be one of the following values:

  • audit: Encrypts unencrypted audit data.

  • config: Encrypts unencrypted configuration data.

  • log: Encrypts unencrypted log data.

curl Syntax

curl -sS -u $USER:$PASSWORD \
     -X POST 'http[s]://<hostname>:{PORT}/controller/forceEncryptionAtRest/{TYPE}'
Path Parameters
USER

The name of a user who has one of the roles listed in Required Privileges.

PASSWORD

The password for the user.

host

Hostname or IP address of a Couchbase Server node.

port

Port number for the REST API. Defaults are 8091 for unencrypted and 18901 for encrypted connections.

TYPE

The type of data to encrypt. Must be one of the following values:

  • audit: Encrypts unencrypted audit data.

  • config: Encrypts unencrypted configuration data.

  • log: Encrypts unencrypted log data.

Required Privileges

To call this endpoint, you must have at least one of the following roles:

Responses

200 OK

The request was successful and Couchbase Server starts encrypting the data. Returns a JSON object with a timestamp of when Couchbase Server started encrypting the data. See the Example section below for a sample response.

This endpoint also returns 200 OK if you have not enabled encryption at rest for the type of data set by the TYPE path parameter. In this case, the request does not encrypt any data.

400 Bad Request

The request was malformed or Couchbase Server could not process it.

401 Unauthorized

The user credentials you supplied were not valid.

403 Forbidden

Your user account does not have one of the required roles to call this endpoint.

404 Not Found

The TYPE path parameter did not contain one of the valid values: audit, config, or log.

Example

The following example demonstrates how to force Couchbase Server to encrypt unencrypted log data:

curl -sS -u Administrator:password -X POST \
     http://localhost:8091/controller/forceEncryptionAtRest/log \
     | jq

The result of the request is a JSON object with a forceEncryptionDate attribute that contains the date and time when Couchbase Server started encrypting the data:

{
  "forceEncryptionDate": "2025-08-05T13:18:34Z"
}
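
Because both endpoints return 200 OK even when encryption at rest is not enabled for the target, a caller should treat a 200 as "request accepted" rather than "data encrypted". The following Python client is an added example, not Couchbase's own code; the function names and the base_url value are assumptions made for illustration. It covers both endpoints, validates TYPE before sending, and maps the documented status codes:

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode
from datetime import datetime

NON_BUCKET_TYPES = {"audit", "config", "log"}  # TYPE values listed on this page
STATUS_MEANING = {  # wording condensed from the Responses sections
    400: "malformed request or server could not process it",
    401: "credentials not valid",
    403: "account lacks a required role",
    404: "bucket does not exist or TYPE is not audit/config/log",
}

def build_path(bucket=None, data_type=None):
    """Return the endpoint path for exactly one of bucket / data_type."""
    if (bucket is None) == (data_type is None):
        raise ValueError("pass exactly one of bucket or data_type")
    if bucket is not None:
        # Percent-encode so the name cannot add path segments or a query string.
        return ("/controller/forceEncryptionAtRest/bucket/"
                + urllib.parse.quote(bucket, safe=""))
    if data_type not in NON_BUCKET_TYPES:
        raise ValueError(f"TYPE must be one of {sorted(NON_BUCKET_TYPES)}")
    return "/controller/forceEncryptionAtRest/" + data_type

def interpret(status, body):
    """Map a status code and response body to (ok, message)."""
    if status != 200:
        return False, STATUS_MEANING.get(status, f"unexpected status {status}")
    started = json.loads(body)["forceEncryptionDate"]
    datetime.strptime(started, "%Y-%m-%dT%H:%M:%SZ")  # raises if malformed
    # 200 is also returned when encryption at rest is not enabled for the
    # target, so this reports an accepted request, not encrypted data.
    return True, (f"accepted at {started}; "
                  "confirm encryption at rest is enabled for the target")

def force_encryption(base_url, user, password, bucket=None, data_type=None):
    """POST to the endpoint; base_url such as 'https://<hostname>:{PORT}'."""
    url = base_url.rstrip("/") + build_path(bucket, data_type)
    req = urllib.request.Request(url, method="POST")
    token = b64encode(f"{user}:{password}".encode()).decode()  # same as curl -u
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read())
```
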