Encrypted data access

Couchbase Server client libraries support encryption of data in flight between the client and the server using the Secure Sockets Layer (SSL) protocol. This protects the network path only; it does not encrypt the data stored on the server's disks.

Encrypted data access covers two paths: client-server (data) communication and view access. Each is served on its own SSL port, separate from the unencrypted ports.

SSL based client-server communication

Couchbase Server client libraries encrypt data in flight between the client and the server using the SSL protocol. Secure client-server communication is available in Couchbase clients released after version 2.0 and needs no server-side configuration; the client only needs the server certificate obtained as described below.

SSL and non-SSL clients can be mixed: some clients can talk to the server over SSL while others continue to use the unencrypted ports. As long as the unencrypted ports are reachable, a client that is not configured for SSL still sends and receives data in the clear, so enforcing SSL for every client also means restricting access to the plain ports at the network level.

To enable SSL on the client side, first obtain the server's SSL certificate from Couchbase Server, then follow the steps specific to the client you are using.

To obtain the certificate, open the Couchbase Web Console, navigate to Settings > Certificate > Show certificate, and copy the certificate text.

Note: The certificate obtained this way is a self-signed certificate generated by the server. No certificate authority vouches for it, so the copied text is the only basis the client has for trusting the server: install it on the client as the trusted certificate, and copy it over a channel you already trust rather than over the unencrypted connection you are trying to protect.
Note: If the Couchbase Server SSL certificate is regenerated, clients that trust only the old certificate can no longer verify the server. You must obtain the new certificate and update each client.

The following clients support SSL:

  • Java
  • .NET
  • Node.js
  • PHP
  • C
Note: Couchbase network port 11207 carries the SSL data communication between the client and the data nodes; it is the SSL counterpart of the unencrypted data port.

SSL based view access

Views are served over SSL on a separate port, 18092: https://couchbase_server:18092

Supported ciphers

Couchbase Server accepts the ciphers that OpenSSL accepts by default, that is, the high-security ciphers built into OpenSSL. For example, on Mac OS X these are:
  • AES256-SHA
  • AES128-SHA

You can override this selection by setting the following environment variable before starting Couchbase Server:

COUCHBASE_SSL_CIPHER_LIST=<list of ciphers to accept>

The value is an OpenSSL cipher list: one or more cipher names or cipher groups separated by colons (OpenSSL also accepts commas or spaces as separators), where a name prefixed with ! excludes that suite or group. For example, COUCHBASE_SSL_CIPHER_LIST=MEDIUM:HIGH makes the installation accept medium- and high-security ciphers. On Mac OS X these are:
  • AES256-SHA
  • AES128-SHA
  • RC4-SHA
  • RC4-MD5

Note: The only suites MEDIUM adds to the default in this listing are the RC4 ones. RC4 and MD5 are broken, so MEDIUM:HIGH is a weaker setting than the default, not a stronger one. Use the variable to narrow the list rather than widen it (for example HIGH:!RC4:!MD5), and check what a string expands to on the server's own OpenSSL with openssl ciphers -v '<list>' before relying on it, since the expansion differs between OpenSSL versions and platforms.
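The following is an added example, not code from the Couchbase documentation or from any Couchbase client library. It is a Python 3 script (standard library only) that does two things discussed on this page. First, it expands a COUCHBASE_SSL_CIPHER_LIST value through the local OpenSSL, the same way openssl ciphers -v does, and flags suites such as RC4 and MD5, so you can see what MEDIUM:HIGH really enables before setting it. Second, for the certificate procedure under "SSL based client-server communication", it fingerprints the certificate text copied from the Web Console and builds a TLS client context that trusts only that certificate, so a regenerated server certificate is rejected until the new copy is loaded. The port numbers are the ones the page gives; everything else (the weak-suite name list, the hardened cipher string, the pinned-certificate workflow, the host name, and the constructed PEM stand-in used for the demo, which is not a real certificate) is an assumption made for this example.

```python
"""Added example (not Couchbase's code or SDK). Standard library only.
Ports are from the documentation; everything else is an assumption."""
import base64
import hashlib
import ssl

COUCHBASE_DATA_PORT_SSL = 11207   # SSL data port, client <-> data nodes
COUCHBASE_VIEW_PORT_SSL = 18092   # SSL view port

# Name fragments marking a suite as broken or obsolete. Assumption based on
# current practice: RC4 and MD5 are broken, 3DES is Sweet32-vulnerable, and
# NULL, export (EXP) and anonymous (ADH/AECDH) suites give no confidentiality
# or no server authentication.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")


def expand_cipher_list(spec):
    """Return the TLS <= 1.2 suite names the local OpenSSL selects for *spec*.

    COUCHBASE_SSL_CIPHER_LIST is handed to OpenSSL, so on a host linking the
    same OpenSSL this is what the server would accept. Raises ssl.SSLError if
    nothing matches (e.g. 'RC4-SHA' on a build that has dropped RC4).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # TLS 1.3 suites are always present whatever the spec says; drop them so
    # the result shows only the part the variable actually controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(spec):
    """Split the suites *spec* enables into (accepted, weak) by name."""
    names = expand_cipher_list(spec)
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return [n for n in names if n not in weak], weak


def fingerprint_of_pem(pem_cert):
    """SHA-256 fingerprint (hex) of the DER encoding of a PEM certificate.

    Apply this to the text copied from Settings > Certificate. Only the
    base64 body is decoded; the certificate itself is not parsed.
    """
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def server_fingerprint(host, port=COUCHBASE_DATA_PORT_SSL):
    """Fingerprint of the certificate a live node presents on *port*.

    Network call (not exercised by the test). Verification is off here on
    purpose: the server certificate is self-signed, and the point is to
    compare this value with fingerprint_of_pem() of the console copy.
    """
    return fingerprint_of_pem(ssl.get_server_certificate((host, port)))


def couchbase_client_context(ca_pem=None,
                             cipher_spec="HIGH:!aNULL:!RC4:!MD5:!3DES"):
    """TLS client context for ports 11207/18092.

    ca_pem is the PEM text copied from the Web Console. Loading it as the
    only trust anchor pins the client to that node's self-signed certificate:
    a regenerated server certificate fails verification until the new copy is
    loaded. With ca_pem=None the system trust store is used instead. The
    cipher_spec default is an assumption, not a Couchbase recommendation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: server supports it
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.set_ciphers(cipher_spec)
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)
    else:
        ctx.load_default_certs()
    return ctx


def constructed_console_pem(payload=b"constructed, not a real certificate"):
    """Constructed stand-in for the text copied from the Web Console.

    A PEM wrapper around arbitrary bytes: NOT a certificate, so it cannot be
    loaded as a trust anchor, but fingerprint_of_pem() accepts it.
    """
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for spec in ("HIGH", "MEDIUM:HIGH", "HIGH:!aNULL:!RC4:!MD5:!3DES"):
        try:
            accepted, weak = audit_cipher_list(spec)
            print(f"{spec}: {len(accepted)} acceptable, weak = {weak}")
        except ssl.SSLError as exc:
            print(f"{spec}: rejected by local OpenSSL ({exc})")
    print("fingerprint of console copy:",
          fingerprint_of_pem(constructed_console_pem()))
```

Run it on the server host (or any host with the same OpenSSL build) to see what MEDIUM:HIGH expands to there; on a modern OpenSSL the RC4 suites may already be unavailable, in which case a bare RC4 spec is rejected rather than silently accepted. To use the pinned context with a real node, pass the certificate text copied from the Web Console as ca_pem and compare server_fingerprint(host) against fingerprint_of_pem() of that copy first; if the self-signed certificate does not carry the node's host name, hostname verification fails and the copy should be treated as a pin rather than as a CA.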