CockroachCloud Security

A CockroachCloud cluster is single-tenant (no shared machines) running in a Virtual Private Cloud (no shared network) and has data encryption-in-flight enabled by default. Additionally, CockroachCloud provides authentication, authorization, and SQL audit logging features to secure your clusters.

The following table summarizes the CockroachCloud security features and provides links to detailed documentation for each feature where applicable.

Security feature	Description
Authentication	Inter-node and node identity authentication using TLS 1.2 Client identity authentication using TLS 1.2 or username/password
Encryption	Encryption-in-flight using TLS 1.2 Backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption Backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys All data on CockroachCloud is encrypted-at-rest using the tools provided by the cloud provider that your cluster is running in (i.e., persistent disk encryption for GCP and EBS encryption-at-rest for AWS). Because we are relying on the cloud provider's encryption implementation, we do not enable CockroachDB's internal implementation of encryption-at-rest. This means that encryption will appear to be disabled in the DB Console, since it is unaware of cloud provider encryption.
User Authorization	Users and privileges Role-based access control
Network Authorization	IP allowlisting VPC Peering for GCP clusters AWS PrivateLink for AWS clusters
Audit logging	`ALTER TABLE...EXPERIMENTAL AUDIT` to get detailed information about queries being executed against your system

Was this page helpful?

Yes

The Most Highly Evolved Database on the Planet

CockroachDB

CockroachCloud

Get to know CockroachDB

CockroachDB

CockroachCloud