CockroachDB Cloud Security

A CockroachDB Dedicated cluster is single-tenant (no shared machines), runs in a Virtual Private Cloud (no shared network), and has data encryption-in-flight enabled by default. Additionally, CockroachDB Dedicated provides authentication, authorization, and SQL audit logging features to secure your clusters.

CockroachDB Serverless provides multi-tenant clusters running on GCP or AWS machines. They have encryption, authentication, and user authorization capabilities similar to those of CockroachDB Dedicated, but machines and networks are shared.

The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.

Security feature | Serverless | Dedicated | Description
--- | --- | --- | ---
Authentication | | | Inter-node and node identity authentication using TLS 1.3
Authentication | | | Client identity authentication using username/password
Authentication | | | OIDC authentication
Certificate protocol | | | OCSP certificate revocation protocol
Encryption | | | Encryption-in-flight using TLS 1.3
Encryption | | | Backups for AWS clusters are encrypted-at-rest using AWS S3's server-side encryption
Encryption | | | Backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys
Encryption | | | All data on CockroachDB Cloud is encrypted-at-rest using the tools provided by the cloud provider that your cluster is running in (i.e., persistent disk encryption for GCP and EBS encryption-at-rest for AWS). Because we are relying on the cloud provider's encryption implementation, we do not enable CockroachDB's internal implementation of encryption-at-rest. This means that encryption will appear to be disabled in the DB Console, since the console is unaware of cloud provider encryption.
User Authorization | | | Users and privileges
User Authorization | | | Role-based access control
Network Authorization | | | IP allowlisting
Network Authorization | | | VPC Peering for GCP clusters and AWS PrivateLink for AWS clusters
Cluster API | | | HTTP API access using login tokens
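As an added example (not code from CockroachDB or its documentation), the following Python check audits a client connection string and an IP allowlist against three of the features above: TLS encryption-in-flight with server certificate verification, username/password client authentication, and IP allowlisting. The hostname, user, password and CIDR ranges are constructed sample values.

```python
"""Audit a CockroachDB Cloud client connection against the security features
listed in the overview. Added example; all sample values are constructed."""
import ipaddress
from urllib.parse import urlparse, parse_qs


def audit_connection(url: str, allowlist: list[str], client_ip: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme not in ("postgresql", "postgres"):
        findings.append(f"unexpected scheme {parsed.scheme!r}")
    params = {k: v[-1] for k, v in parse_qs(parsed.query).items()}

    # Encryption-in-flight: only verify-full checks both the certificate chain
    # and the hostname, so an interposed server cannot present its own cert.
    sslmode = params.get("sslmode", "prefer")  # libpq default when unset
    if sslmode != "verify-full":
        findings.append(f"sslmode={sslmode}: use verify-full so the server certificate and hostname are verified")
    if sslmode in ("verify-ca", "verify-full") and not params.get("sslrootcert"):
        findings.append("sslrootcert missing: verification has no trusted CA to check against")

    # Client identity authentication: a SQL user is required, and a password
    # embedded in the URL tends to leak into shell history and logs.
    if not parsed.username:
        findings.append("no SQL username in connection string")
    if parsed.password:
        findings.append("password embedded in URL: supply it via the client's environment or a secrets store")

    # Network authorization: the client address must fall inside an allowlisted
    # range, and an all-zero prefix defeats the purpose of the allowlist.
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    if not any(addr in n for n in nets):
        findings.append(f"client {client_ip} is not within the IP allowlist {allowlist}")
    for n in nets:
        if n.prefixlen == 0:
            findings.append(f"allowlist entry {n} admits every address; narrow it")
    return findings


# Constructed sample input (hypothetical cluster, not a real endpoint).
SAMPLE_URL = "postgresql://app_user:hunter2@free-tier.example.invalid:26257/defaultdb?sslmode=require"
SAMPLE_ALLOWLIST = ["203.0.113.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for finding in audit_connection(SAMPLE_URL, SAMPLE_ALLOWLIST, "198.51.100.7"):
        print("-", finding)
```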
