A CockroachDB Dedicated cluster is single-tenant (no shared machines) running in a Virtual Private Cloud (no shared network) and has data encryption-in-flight enabled by default. Additionally, CockroachDB Dedicated provides authentication, authorization, and SQL audit logging features to secure your clusters.
CockroachDB Serverless provides multi-tenant clusters running on GCP or AWS machines. They have similar encryption, authentication, and user authorization capabilities to CockroachDB Dedicated, but machines and networks are shared.
The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.
|Authentication||✓||✓||Inter-node and node identity authentication using TLS 1.3|
|✓||✓||Client identity authentication using username/password|
|Certificate protocol||✓||OCSP certificate revocation protocol|
|Encryption||✓||✓||Encryption-in-flight using TLS 1.3|
|✓||✓||Backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption|
|✓||✓||Backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys|
|✓||✓||All data on CockroachDB Cloud is encrypted-at-rest using the tools provided by the cloud provider that your cluster is running in (i.e., persistent disk encryption for GCP and EBS encryption-at-rest for AWS). Because we are relying on the cloud provider's encryption implementation, we do not enable CockroachDB's internal implementation of encryption-at-rest. This means that encryption will appear to be disabled in the DB Console, since the console is unaware of cloud provider encryption.|
|User Authorization||✓||✓||Users and privileges|
|✓||✓||Role-based access control|
|Network Authorization||✓||IP allowlisting|
|✓||Private Clusters (Preview) whose clusters nodes have no public IP addresses|
|✓||VPC Peering for GCP clusters and AWS PrivateLink for AWS clusters|
|Cluster API||✓||HTTP API access using login tokens|