Encryption at Rest

Encryption at rest refers to the encryption of data that is not "moving": the sensitive data stored on the server's physical media, such as drives.

On disk, Couchbase stores data in the form of files for each vBucket and for indexes. As a best practice, you can take several precautions to help secure the overall system, such as encrypting confidential assets and building a firewall around the cluster. However, if the physical media are stolen, a malicious party can simply open and browse the data stored in these files.

To secure the host machine where you installed Couchbase Server, encrypt the storage locations of important data and indexes using transparent data encryption. These encryption technologies, offered by third-party on-disk encryption software vendors, prevent anyone who does not hold the encryption keys (or is outside the configured security policy) from reading the data. Keep in mind that this kind of protection must be planned in advance.

The sample 3rd party encryption tools are:

You can use full-disk encryption or file-level encryption. When your sensitive data in Couchbase is encrypted at rest on disk, it cannot be compromised if your database is stolen, copied, lost, or improperly accessed.

The following data locations and files should be encrypted:

  • Data and index file paths
    • Linux: /opt/couchbase/var/lib/couchbase/data
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data
  • Global Secondary Index file paths
    • Linux: /opt/couchbase/var/lib/couchbase/data/@2i
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data\@2i
  • Couchbase configuration files and directory
    • Linux: /opt/couchbase/var/lib/couchbase/data
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data
  • Couchbase password files
    • Linux: /opt/couchbase/var/lib/couchbase/isasl.pw and /opt/couchbase/var/lib/couchbase/config/.
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\isasl.pw and C:\Program Files\couchbase\server\var\lib\couchbase\var\lib\config\.
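
One way to check the Linux locations above on a host, as an added example that is not part of the original page or of Couchbase: it reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports whether each path is backed by a dm-crypt (`crypt`) device. It assumes block-level encryption with dm-crypt/LUKS, so file-level encryption products are not detected, and the sample device tree is constructed for illustration.

```python
import json

# Linux locations the page lists as needing encryption.
COUCHBASE_PATHS = [
    "/opt/couchbase/var/lib/couchbase/data",
    "/opt/couchbase/var/lib/couchbase/data/@2i",
    "/opt/couchbase/var/lib/couchbase/isasl.pw",
    "/opt/couchbase/var/lib/couchbase/config",
]

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.
# Device and mapping names (sda, cbdata) are made up for this example.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cbdata", "type": "crypt",
       "mountpoint": "/opt/couchbase/var/lib/couchbase/data"}]}]}
]}
"""

def mounts(devices, encrypted=False):
    """Yield (mountpoint, encrypted) for each mounted device in the tree.

    A mount counts as encrypted when it or any ancestor device has type
    "crypt", so LVM volumes stacked on a dm-crypt mapping are covered.
    """
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], enc
        yield from mounts(dev.get("children") or [], enc)

def audit(lsblk_json, paths=COUCHBASE_PATHS):
    """Map each path to True if its backing mount sits on a crypt device."""
    table = dict(mounts(json.loads(lsblk_json)["blockdevices"]))
    report = {}
    for path in paths:
        # The longest mount point that contains the path is the one backing it.
        # Symlinks are not resolved here; resolve paths first on a live host.
        covering = [m for m in table
                    if path == m or path.startswith(m.rstrip("/") + "/")]
        report[path] = table[max(covering, key=len)] if covering else False
    return report

if __name__ == "__main__":
    for path, ok in audit(SAMPLE_LSBLK).items():
        print(("encrypted  " if ok else "PLAINTEXT  ") + path)
```

On the sample, the data and @2i paths are reported as encrypted, while isasl.pw and the config directory fall through to the unencrypted root filesystem, which is the gap to look for when only the data volume was placed on an encrypted device.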