Skip to main content
This page summarizes the security features available in CockroachDB Cloud:
  • CockroachDB Standard: Deployed in shared (multi-tenant) network and compute infrastructure. Storage scales automatically according to demand, but the cluster’s compute requirements are defined explicitly as part of the cluster’s configuration.
  • CockroachDB Basic: Deployed in shared (multi-tenant) network and compute infrastructure. Storage and compute scale automatically according to demand, and you are charged only for the storage and activity of your cluster.
  • CockroachDB Advanced: Deployed in dedicated network and compute infrastructure. This deployment may be distributed over multiple regions for added disaster-resilience. In addition to infrastructure isolation, Advanced clusters can be customized with advanced network, identity-management, and encryption-related security features required for high benchmark security goals such as . Refer to
The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.
Security DomainCockroachDB BasicCockroachDB StandardCockroachDB AdvancedFeature
Inter-node and node identity authentication using TLS 1.3
Client identity authentication using a username and password
Cluster DB console authentication with third-party using OpenID Connect OIDC or SAML
SQL Client authentication with using CockroachDB Cloud as identity provider
SQL Client authentication with using customer-managed identity providers
Client identity authentication using
certificate revocation protocol
Data ProtectionEncryption-in-flight using TLS 1.3
Automatic backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption
Automatic backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys
Industry-standard encryption-at-rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure.
, with enabled.
SQL users with direct privilege management
SQL Role-based access control (RBAC)
Cloud Organization users with fine-grained access roles
Network Security
Network-level Configuration of allowed IP addresses
Egress Perimeter Controls
for GCP clusters
PrivateLink for AWS clusters.
Non-Repudiation
CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See