Encryption

    Couchbase Server uses encryption to protect data.

    Encryption in Couchbase Server

    Encryption encodes data so that it cannot be read by anyone other than authorized parties who possess the appropriate means of decryption. Encrypted data can therefore be stored or transmitted securely until it is decrypted. This protects the privacy of user data and the integrity of servers and their clients.

    Couchbase Server provides extensive support for data encryption and decryption. Because multiple areas of the system are involved, the essential information is distributed across the documentation set.

    Areas of Encryption

    The principal areas of Couchbase Server encryption support are listed below, along with links to further information.

    Encryption on the Wire

    This allows data to pass in encrypted form between nodes, between clusters, and between a cluster and its clients.

    • Node-to-Node Encryption. Network traffic between the individual nodes of a Couchbase-Server cluster can be encrypted, in order to optimize cluster-internal security. See Node-to-Node Encryption.

    • On-the-Wire Security Configuration. To support secure communications between nodes, clusters, and clients, Couchbase Server provides interfaces for the configuration of TLS and supportive cipher-suites; of cluster-internal encryption-levels; and of secure UI-access. See On-the-Wire Security for a conceptual overview, and Manage On-the-Wire Security for step-by-step configuration-instructions.

    • Secure Console Access. Administrators can connect securely to Couchbase Web Console. Non-secure access can be disabled, for extra security. See Manage Console Access.

    • X.509 Certificates. These support encrypted communications between nodes, between clusters, and between a cluster and its clients.

      • Certificates provides an overview of certificates and their management.

      • Configure Server Certificates explains the practical steps towards configuring certificates for Couchbase Server. This page also provides information on working with different versions of SSL/TLS, and on supported ciphers.

      • Configure Client Certificates describes how to create a certificate to allow a client’s secure access to Couchbase Server.

      • Enable Client-Certificate Handling explains how to configure Couchbase Server to accept communications from clients that wish to authenticate and communicate securely by means of certificates.

      • Certificate Rotation provides steps whereby server certificates can be rotated periodically, to ensure optimal security.

      • Certificate Error Handling explains how to handle errors related to certificate-based secure communication.

      • Enable Fully Secure Replications describes how certificates can be used to ensure that data is replicated securely between clusters.

      • Certificate Management API lists the REST API methods and URIs available for certificate management.

      • The ssl-manage CLI command supports management of SSL certificates.

    • Secure Ports. Services are available on secure ports. See Couchbase Server Ports.

    • General Network Security. Best practices for ensuring the security of the network are provided in Network Security Recommendations.

    Encryption at Rest

    Encryption at Rest (that is, encryption of data on disk or another storage device) allows passwords and data in files and directories to be encrypted.

    • Data in Files and Directories. Programs are available for the encryption of data in files and directories. See Securing On-Disk Data.

    • System Secrets. Passwords, certificates, and other items essential to Couchbase-Server security can be written to disk in encrypted format. See Manage System Secrets.

    Encryption in Applications

    • Field Level Encryption. This allows fields within a document to be securely encrypted by the SDK, to support FIPS-140-2 compliance. See Field Level Encryption, for an overview.

    • Field Level Encryption from the Java SDK. This provides directions for configuring encrypted field-level communication with Couchbase Server. See Field Level Encryption from the Java SDK.