| title | CockroachDB Security Overview |
|---|---|
| summary | An comparison of CockroachDB Cloud's Security Features |
| toc | true |
| docs_area | reference.security |
| Security Domain | CockroachDB {{ site.data.products.basic }} | CockroachDB {{ site.data.products.standard }} | CockroachDB {{ site.data.products.advanced }} | CockroachDB {{ site.data.products.core }} {{ site.data.products.enterprise }} | Feature |
| Authentication | ✓ | ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 |
| ✓ | ✓ | ✓ | ✓ | Client identity authentication using username/password | |
| ✓ | ✓ | ✓ | ✓ | SASL/SCRAM-SHA-256 secure password-based authentication | |
| ✓ | SQL client identity authentication using TLS 1.2/1.3 | ||||
| ✓ | ✓ | ✓ | ✓ | Web console authentication with third-party Single Sign-on (SSO) using OpenID Connect OIDC | |
| ✓ | ✓ | SQL client identity authentication with JSON Web Tokens (JWT) | |||
| ✓ | Client identity authentication with GSSAPI and Kerberos | ||||
| ✓ | ✓ | Automatic user provisioning for JWT authentication | |||
| ✓ | ✓ | Automatic user provisioning for OIDC authentication | |||
| ✓ | HTTP API access using login tokens | ||||
| ✓ | OCSP certificate revocation protocol | ||||
| Encryption | ✓ | ✓ | ✓ | ✓ | Encryption in transit using TLS 1.3 |
| ✓ | ✓ | ✓ | ✓ | Post-quantum cryptography (PQC) key exchange for TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | Backups for AWS clusters are encrypted at rest using AWS S3’s server-side encryption | |
| ✓ | ✓ | ✓ | ✓ | Backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys | |
| ✓ | ✓ | ✓ | ✓ | Industry-standard encryption at rest is provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about GCP persistent disk encryption, AWS Elastic Block Storage, or Azure managed disk encryption. | |
| ✓ | Cockroach Labs's proprietary storage-level {{ site.data.products.enterprise }} Encryption At Rest service implementing the Advanced Encryption Standard (AES) | ||||
| Authorization | ✓ | ✓ | ✓ | ✓ | Users and privileges |
| ✓ | ✓ | ✓ | ✓ | Role-based access control (RBAC) | |
| ✓ | ✓ | Automatic role synchronization based on JWT group claims | |||
| ✓ | ✓ | Automatic role synchronization based on OIDC group claims for DB Console | |||
| Network Security | ✓ | ✓ | ✓ | ✓ | SQL-level configuration allowed authentication attempts by IP address |
| ✓ | ✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | |
| ✓ | ✓ | ✓ | GCP Private Service Connect (PSC) (Preview) or VPC Peering for GCP clusters and AWS PrivateLink for AWS clusters | ||
| Non-Repudiation | ✓ | ✓ | ✓ | ✓ | SQL Audit Logging |
| Availability/Resilience | ✓ | ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery. |