Encryption at rest

Looking at the FAQ, it mentions that CockroachDB supports encryption in transport via TLS; however, I am unable to find any mention of encryption at rest–that is, is the data in the database itself encrypted on disk? If not, I feel that this is a very important feature to support. You can encrypt the transport all you want, but if the data isn’t encrypted at rest, then it’s mostly for naught.

Is this currently supported? If so, how does one configure it? If not, is it planned?

At rest encryption is not currently implemented and while we do want to add it, we do not have a specific version targeted yet.

As @marc said, we are actively evaluating this functionality. In the meantime you can consider encrypting your data at the file/OS level rather than the database level.

Sorry for bumping this … but has anyone used VeraCrypt to encrypt the volume on which the cockroach data folder is stored? Are there any potential performance issues? … I know the CPUs on Digital Ocean have AES built in, which theoretically means the performance hit will be minimal … but that's just in theory. Thanks

We have not evaluated volume encryption solutions. Instead, we are planning on introducing experimental encryption-at-rest in 2.0. You can find more details in the RFC.

Measuring the impact on performance (with and without AES instruction set support) is part of the process to add the feature.
