Encryption at Rest


Encryption at rest refers to the encryption of data that resides on physical media. It should be used to protect the data that is stored on such media by Couchbase Server.

Protecting Physical Media

Couchbase Server uses physical media to store files and indexes. If media are stolen, data becomes vulnerable to illicit access.

Therefore, to secure such data, encrypt every important data and index storage location using transparent data encryption from a third-party on-disk encryption vendor. Transparent encryption denies access to anyone who does not hold the appropriate encryption key, or who otherwise fails the configured security policy, so stored data cannot be read even if the media are stolen, copied, lost, or otherwise improperly accessed. Note that on-disk encryption only protects data while the key is unavailable (for example, while the volume is unmounted or the host is powered off); it does not protect against an attacker who gains access to the running host, and it is not a substitute for encrypting data in transit.

Commonly used 3rd party encryption tools include:

Encryption Targets

The tools listed above all allow either full-disk or file-level encryption to be used. Full-disk encryption covers every path on the volume; if file-level encryption is chosen, the following Couchbase directories and files should be encrypted (default install locations are shown; if a different data path was configured at installation, substitute the configured path):

  • Data and index file paths
    • Linux: /opt/couchbase/var/lib/couchbase/data
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data

  • Global Secondary Index file paths
    • Linux: /opt/couchbase/var/lib/couchbase/data/@2i
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data\@2i

  • Couchbase configuration files and directory
    • Linux: /opt/couchbase/var/lib/couchbase/config
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\config

  • Couchbase password files
    • Linux: /opt/couchbase/var/lib/couchbase/isasl.pw and /opt/couchbase/var/lib/couchbase/config/.
    • Windows: C:\Program Files\couchbase\server\var\lib\couchbase\isasl.pw and C:\Program Files\couchbase\server\var\lib\couchbase\config\.
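A common failure mode with file-level or per-volume encryption is that the data volume is encrypted but the configuration directory and password files, which live outside it, stay on the plaintext root filesystem. The following audit script is an added example and is not part of the Couchbase documentation or product. It resolves each Linux target path listed above to the mount that backs it (longest-prefix match over /proc/mounts) and checks whether the backing device is dm-crypt (its device-mapper uuid under /sys/block/<dm>/dm/uuid begins with CRYPT-, as LUKS and plain dm-crypt devices do). The mount table and uuid map embedded in the block are constructed sample data so the script runs offline; the device names cb_data and cb_idx and the function names are assumptions of this example. Tools that encrypt at the file level rather than via device-mapper will not be detected by this check.

```python
"""Audit whether Couchbase on-disk paths sit on dm-crypt backed mounts.

Added example, not Couchbase code.  On a real Linux host it reads /proc/mounts
and /sys/block/<dm-N>/dm/uuid; the constructed sample data below lets it run
offline and shows the typical gap: data encrypted, config and isasl.pw not.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Linux targets from the list above (default install locations).
COUCHBASE_TARGETS = [
    "/opt/couchbase/var/lib/couchbase/data",
    "/opt/couchbase/var/lib/couchbase/data/@2i",
    "/opt/couchbase/var/lib/couchbase/config",
    "/opt/couchbase/var/lib/couchbase/isasl.pw",
]

# Constructed sample /proc/mounts: only the data and index volumes are
# on device-mapper nodes; everything else is on the plain root disk.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/cb_data /opt/couchbase/var/lib/couchbase/data xfs rw,noatime 0 0
/dev/mapper/cb_idx /opt/couchbase/var/lib/couchbase/data/@2i xfs rw,noatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Constructed sample dm uuids (device names and uuids are made up).
SAMPLE_DM_UUIDS = {
    "/dev/mapper/cb_data": "CRYPT-LUKS2-0123456789abcdef0123456789abcdef-cb_data",
    "/dev/mapper/cb_idx": "CRYPT-LUKS2-fedcba9876543210fedcba9876543210-cb_idx",
}


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\040 etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(mounts_text: str) -> List[Tuple[str, str]]:
    """Return (mount_point, device) pairs from /proc/mounts-formatted text."""
    entries = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((_unescape(fields[1]), fields[0]))
    return entries


def mount_for_path(path: str, mounts: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Longest-prefix match: the deepest mount point that is an ancestor of path."""
    path = os.path.normpath(path)
    best = None
    for mount_point, device in mounts:
        mp = os.path.normpath(mount_point)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, device)
    return best


def sysfs_dm_uuid(device: str) -> Optional[str]:
    """Real resolver: /dev/mapper/<name> -> /dev/dm-N -> /sys/block/dm-N/dm/uuid."""
    try:
        name = os.path.basename(os.path.realpath(device))
        with open(f"/sys/block/{name}/dm/uuid") as fh:
            return fh.read().strip()
    except OSError:
        return None  # not a device-mapper node (or not Linux)


def is_dm_crypt(device: str, dm_uuid: Callable[[str], Optional[str]]) -> bool:
    """dm-crypt targets carry uuids like CRYPT-LUKS2-...; anything else is plaintext."""
    uuid = dm_uuid(device)
    return bool(uuid) and uuid.startswith("CRYPT-")


def audit(targets: List[str], mounts_text: str,
          dm_uuid: Callable[[str], Optional[str]]) -> Dict[str, dict]:
    """Map each target path to its backing mount, device and encryption status."""
    mounts = parse_mounts(mounts_text)
    report = {}
    for target in targets:
        mount_point, device = mount_for_path(target, mounts)
        report[target] = {"mount": mount_point, "device": device,
                          "encrypted": is_dm_crypt(device, dm_uuid)}
    return report


def unencrypted_targets(report: Dict[str, dict]) -> List[str]:
    """Paths that are NOT on a dm-crypt backed mount, sorted for stable output."""
    return sorted(t for t, r in report.items() if not r["encrypted"])


if __name__ == "__main__":
    # Use the live host when possible, otherwise the constructed sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            result = audit(COUCHBASE_TARGETS, fh.read(), sysfs_dm_uuid)
    else:
        result = audit(COUCHBASE_TARGETS, SAMPLE_MOUNTS, SAMPLE_DM_UUIDS.get)
    for path, info in result.items():
        print(f"{'OK  ' if info['encrypted'] else 'WARN'} {path} on {info['device']}")
```

Run against the sample data the script reports the data and @2i paths as encrypted and flags config and isasl.pw, which sit on the root disk. Run on a live host it reads /proc/mounts directly; a non-empty list from unencrypted_targets means the file-level encryption scope misses a path from the list above.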