> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# CockroachDB Security Overview

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

## Ways to Use CockroachDB

### CockroachDB Cloud

CockroachDB Cloud provides fast and easy access (including a *free* tier) to CockroachDB as a web service, hosted by Cockroach Labs. Clusters run in multi-tenant Google Cloud Platform (GCP) or Amazon Web Services (AWS) environments with shared compute and networking resources.

CockroachDB Advanced offers a single-tenant cluster running in its own Virtual Private Cloud (VPC). Compute and networking resources are isolated. CockroachDB Advanced provides additional security-enhancing features such as single sign-on (SSO) and SQL audit logging.

[Sign up for a CockroachDB Cloud account!](https://www.cockroachlabs.com/get-started-cockroachdb)

<Note>
  CockroachDB Dedicated clusters comply with the Payment Card Industry Data Security Standard (PCI DSS). Compliance is certified by a PCI Qualified Security Assessor (QSA).

  To achieve compliance with PCI DSS on a CockroachDB Dedicated cluster, you must enable all required features in your CockroachDB Cloud organization and your cluster, and you must take additional steps to ensure that your organization's applications and procedures comply with PCI DSS. For details, refer to [PCI DSS Compliance in CockroachDB Dedicated advanced](https://cockroachlabs.com/docs/cockroachcloud/pci-dss).

  To learn more about achieving PCI DSS compliance with CockroachDB Dedicated, contact your Cockroach Labs account team.
  Learn more: <InternalLink path="satori-integration">Integrate CockroachDB Advanced with Satori</InternalLink>
</Note>

### Self-Hosted

CockroachDB self-hosted here refers to the situation of a user deploying and operating their own cluster.

Enterprise refers to an ongoing license relationship with Cockroach Labs. In this situation the customer maintains full control over their data, compute, and network resources while benefiting from the expertise of Cockroach Labs' Enterprise Support staff.

For more information, see the <InternalLink path="licensing-faqs">licensing FAQ</InternalLink>

## Comparison of security features

| Security Domain                                                                               | Basic | Standard | Advanced | self-hosted Enterprise                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Feature                                                                                                                                                                                                                                                            |
| --------------------------------------------------------------------------------------------- | ----- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| <InternalLink path="security-reference/authentication">Authentication</InternalLink>          | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Inter-node and node identity authentication using TLS 1.3                                                                                                                                                                                                          |
| ✓                                                                                             | ✓     | ✓        | ✓        | Client identity authentication using username/password                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                    |
| ✓                                                                                             | ✓     | ✓        | ✓        | <InternalLink path="security-reference/scram-authentication">SASL/SCRAM-SHA-256 secure password-based authentication</InternalLink>                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                                    |
|                                                                                               |       |          | ✓        | SQL client identity authentication using TLS 1.2/1.3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                    |
| ✓                                                                                             | ✓     | ✓        | ✓        | Web console authentication with third-party <InternalLink path="sso-db-console">Single Sign-on (SSO)</InternalLink> using [OpenID Connect OIDC](https://openid.net/connect)                                                                                                                                                                                                                                                                                                                                                                   |                                                                                                                                                                                                                                                                    |
|                                                                                               |       |          | ✓        | Client identity authentication with <InternalLink path="gssapi_authentication">GSSAPI and Kerberos</InternalLink>                                                                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                                    |
|                                                                                               |       |          | ✓        | HTTP API access using login tokens                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                                    |
|                                                                                               |       |          | ✓        | [OCSP](https://wikipedia.org/wiki/Online_Certificate_Status_Protocol) certificate revocation protocol                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                    |
| <InternalLink path="security-reference/encryption">Encryption</InternalLink>                  | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Encryption in transit using TLS 1.3                                                                                                                                                                                                                                |
| ✓                                                                                             | ✓     | ✓        | ✓        | Backups for AWS clusters are encrypted at rest using [AWS S3’s server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption)                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                                    |
| ✓                                                                                             | ✓     | ✓        | ✓        | Backups for GCP clusters are encrypted at rest using [Google-managed server-side encryption keys](https://cloud.google.com/storage/docs/encryption/default-keys)                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                    |
| ✓                                                                                             | ✓     | ✓        | ✓        | Industry-standard encryption at rest is provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about [GCP persistent disk encryption](https://cloud.google.com/compute/docs/disks#pd_encryption), [AWS Elastic Block Storage](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption), or [Azure managed disk encryption](https://docs.microsoft.com/azure/virtual-machines/disk-encryption-overview). |                                                                                                                                                                                                                                                                    |
|                                                                                               |       |          | ✓        | Cockroach Labs's proprietary storage-level <InternalLink path="security-reference/encryption">Enterprise Encryption At Rest service</InternalLink> implementing the [Advanced Encryption Standard (AES)](https://wikipedia.org/wiki/Advanced_Encryption_Standard)                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                                    |
| <InternalLink path="security-reference/authorization">Authorization</InternalLink>            | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Users and privileges                                                                                                                                                                                                                                               |
| ✓                                                                                             | ✓     | ✓        | ✓        | Role-based access control (RBAC)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                    |
| Network Security                                                                              | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | SQL-level configuration allowed authentication attempts by IP address                                                                                                                                                                                              |
| ✓                                                                                             | ✓     | ✓        | ✓        | Network-level Configuration of allowed IP addresses                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                                    |
|                                                                                               | ✓     | ✓        | ✓        | <InternalLink version="cockroachcloud" path="connect-to-your-cluster#gcp-private-service-connect">GCP Private Service Connect (PSC) (Preview)</InternalLink> or <InternalLink version="cockroachcloud" path="connect-to-your-cluster">VPC Peering</InternalLink> for GCP clusters and <InternalLink version="cockroachcloud" path="aws-privatelink">AWS PrivateLink</InternalLink> for AWS clusters                                                                                                                                           |                                                                                                                                                                                                                                                                    |
| [Non-Repudiation](https://wikipedia.org/wiki/Non-repudiation)                                 | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | <InternalLink path="sql-audit-logging">SQL Audit Logging</InternalLink>                                                                                                                                                                                            |
| <InternalLink path="demo-fault-tolerance-and-recovery">Availability/Resilience</InternalLink> | ✓     | ✓        | ✓        | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See <InternalLink path="demo-fault-tolerance-and-recovery">Disaster Recovery.</InternalLink> |
