CockroachDB Security Overview

CockroachDB v22.1 is no longer supported. For more details, see the Release Support Policy.

Ways to Use CockroachDB

CockroachDB Cloud

CockroachDB Serverless provides fast and easy access (including a free tier) to CockroachDB as a web service, hosted by Cockroach Labs. Clusters run in multi-tenant Google Cloud Platform (GCP) or Amazon Web Services (AWS) environments with shared compute and networking resources.

CockroachDB Dedicated offers a single-tenant cluster running in its own Virtual Private Cloud (VPC). Compute and networking resources are isolated. Additional security-enhancing features such as single sign-on (SSO) and SQL audit logging are available.



CockroachDB Dedicated clusters comply with the Payment Card Industry Data Security Standard (PCI DSS). Compliance is certified by a PCI Qualified Security Assessor (QSA).

To achieve compliance with PCI DSS on a CockroachDB Dedicated cluster, you must ensure that any information related to payments or other personally-identifiable information (PII) is encrypted, tokenized, or masked before being written to CockroachDB. You can implement this data protection from within the customer application or through a third-party intermediary solution such as Satori.

To learn more about achieving PCI DSS compliance with CockroachDB Dedicated, contact your Cockroach Labs account team.

Learn more: Integrate CockroachDB Dedicated with Satori


Cockroach Labs maintains CockroachDB as an open-source core, which is available to operate under a number of different licensing options, including several free options.

CockroachDB Self-Hosted refers here to a user deploying and operating their own cluster.

Enterprise refers to an ongoing paid license relationship with Cockroach Labs. This license unlocks advanced features (see below). In this situation the customer maintains full control over their data, compute, and network resources while benefiting from the expertise of Cockroach Labs' Enterprise Support staff.

Comparison of security features

Security Domain | CockroachDB Serverless | CockroachDB Dedicated | CockroachDB Self-Hosted | Enterprise | Feature

Authentication
  Inter-node and node identity authentication using TLS 1.3
  Client identity authentication using username/password
  SASL/SCRAM-SHA-256 secure password-based authentication
  SQL client identity authentication using TLS 1.2/1.3
  Web console authentication with third-party Single Sign On (SSO) using OpenID Connect (OIDC)
  Client identity authentication with GSSAPI and Kerberos
  HTTP API access using login tokens
  OCSP certificate revocation protocol

Encryption
  Encryption in transit using TLS 1.3
  Backups for AWS clusters are encrypted at rest using AWS S3’s server-side encryption
  Backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys
  Industry-standard encryption at rest is provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about GCP persistent disk encryption, AWS Elastic Block Storage, or Azure managed disk encryption.
  Cockroach Labs' proprietary storage-level Enterprise Encryption At Rest service implementing the Advanced Encryption Standard (AES)

Authorization
  Users and privileges
  Role-based access control (RBAC)

Network Security
  SQL-level configuration of allowed authentication attempts by IP address
  Network-level configuration of allowed IP addresses
  VPC Peering for GCP clusters and AWS PrivateLink for AWS clusters

Non-Repudiation
  SQL Audit Logging

Availability/Resilience
  CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery.
