Skip to main content

Comparison of security features

Security DomainCockroachDB BasicCockroachDB StandardCockroachDB AdvancedCockroachDB self-hosted EnterpriseFeature
Inter-node and node identity authentication using TLS 1.3
Client identity authentication using username/password
SQL client identity authentication using TLS 1.2/1.3
Web console authentication with third-party using OpenID Connect OIDC
SQL client identity authentication with
Client identity authentication with
for JWT authentication
for OIDC authentication
HTTP API access using login tokens
OCSP certificate revocation protocol
Encryption in transit using TLS 1.3
key exchange for TLS 1.3
Backups for AWS clusters are encrypted at rest using AWS S3’s server-side encryption
Backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys
Cockroach Labs’s proprietary storage-level implementing the Advanced Encryption Standard (AES)
Users and privileges
Role-based access control (RBAC)
based on JWT group claims
based on OIDC group claims for DB Console
Network SecuritySQL-level configuration allowed authentication attempts by IP address
Network-level Configuration of allowed IP addresses
or for GCP clusters and for AWS clusters
Non-Repudiation
CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See