Encryption

Couchbase Server uses encryption, to protect data.

Encryption in Couchbase Server

By means of encryption, data is encoded such that it is non-readable, other than by authorized parties who possess the appropriate means of decryption. Prior to decryption, therefore, encrypted data can be securely saved or transmitted. This ensures the privacy of user-data, and the integrity of servers and their clients.

Couchbase Server provides extensive support for data encryption and decryption. Multiple areas of the system are affected: therefore, essential information is distributed throughout the documentation set.

Areas of Encryption

The principal areas of Couchbase Server encryption-support are listed below, along with links to further information.

Encryption on the Wire

This allows data to pass in encrypted form between clusters, and between a cluster and its clients.

Secure Console Access. Administrators can connect securely to Couchbase Web Console. Non-secure access can be disabled, for extra security. See Manage Console Access.
X.509 Certificates. These support encrypted communications between clusters, and between a cluster and its clients.
- Certificates provides an overview of certificates and their management.
- Configure Server Certificates explains the practical steps towards configuring certificates for Couchbase Server. This page also provides information on working with different versions of SSL/TLS, and on supported ciphers.
- Configure Client Certificates describes how to create a certificate to allow a client’s secure access to Couchbase Server.
- Enable Client-Certificate Handling explains how to configure Couchbase Server to accept communications from clients that wish to authenticate and communicate securely by means of certificates.
- Rotate Server Certificates provides steps whereby server certificates can be rotated periodically, to ensure optimal security.
- Handle Certificate Errors explains how to handle errors related to certificate-based secure communication.
- Enable Fully Secure Replications describes how certificates can be used to ensure that data is replicated securely between clusters.
- Encryption On-the-Wire API lists the REST API methods and URIs available for certificate management. Also see Using REST for Encrypted Access.
- The ssl-manage CLI command supports management of SSL certificates.
Secure Ports. Services are available on secure ports. See Network and Firewall Requirements.
General Network Security. Best practices for ensuring the security of the network are provided in Network Security Recommendations.

Encryption at Rest

Encryption at Rest (meaning, on disk or other storage-device) allows passwords and data in files and directories to be encrypted.

Data in Files and Directories. Programs are available for the encryption of data in files and directories. See Securing On-Disk Data.
System Secrets. Passwords, certificates, and other items essential to Couchbase-Server security can be written to disk in encrypted format. See Manage System Secrets.

Encryption in Applications

Field Level Encryption. This allows fields within a document to be securely encrypted by the SDK, to support FIPS-140-2 compliance. See Field Level Encryption, for an overview.
Field Level Encryption from the Java SDK. Provides directions for configuring encrypted field-level communication with Couchbase Server. See Field Level Encryption from the Java SDK.