Comparison of security features
| Security Domain | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced | CockroachDB self-hosted Enterprise | Feature |
|---|---|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | Client identity authentication using username/password | |
| ✓ | ✓ | ✓ | ✓ | ||
| ✓ | SQL client identity authentication using TLS 1.2/1.3 | ||||
| ✓ | ✓ | ✓ | ✓ | Web console authentication with third-party using OpenID Connect OIDC | |
| ✓ | ✓ | SQL client identity authentication with | |||
| ✓ | Client identity authentication with | ||||
| ✓ | ✓ | for JWT authentication | |||
| ✓ | ✓ | for OIDC authentication | |||
| ✓ | HTTP API access using login tokens | ||||
| ✓ | OCSP certificate revocation protocol | ||||
| ✓ | ✓ | ✓ | ✓ | Encryption in transit using TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | key exchange for TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | Backups for AWS clusters are encrypted at rest using AWS S3’s server-side encryption | |
| ✓ | ✓ | ✓ | ✓ | Backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys | |
| ✓ | ✓ | ✓ | ✓ | ||
| ✓ | Cockroach Labs’s proprietary storage-level implementing the Advanced Encryption Standard (AES) | ||||
| ✓ | ✓ | ✓ | ✓ | Users and privileges | |
| ✓ | ✓ | ✓ | ✓ | Role-based access control (RBAC) | |
| ✓ | ✓ | based on JWT group claims | |||
| ✓ | ✓ | based on OIDC group claims for DB Console | |||
| Network Security | ✓ | ✓ | ✓ | ✓ | SQL-level configuration allowed authentication attempts by IP address |
| ✓ | ✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | |
| ✓ | ✓ | ✓ | or for GCP clusters and for AWS clusters | ||
| Non-Repudiation | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See |

