Comparison of security features
| Security Domain | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced | CockroachDB self-hosted Enterprise | Feature |
|---|---|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | Client identity authentication using username/password | |
| ✓ | ✓ | ✓ | ✓ | ||
| ✓ | SQL client identity authentication using TLS 1.2/1.3 | ||||
| ✓ | ✓ | ✓ | ✓ | Web console authentication with third-party using OpenID Connect OIDC | |
| ✓ | ✓ | SQL client identity authentication with | |||
| ✓ | Client identity authentication with | ||||
| ✓ | ✓ | for JWT authentication | |||
| ✓ | ✓ | for OIDC authentication | |||
| ✓ | HTTP API access using login tokens | ||||
| ✓ | OCSP certificate revocation protocol | ||||
| ✓ | ✓ | ✓ | ✓ | Encryption in transit using TLS 1.3 | |
| ✓ | ✓ | ✓ | ✓ | Backups for AWS clusters are encrypted at rest using AWS S3’s server-side encryption | |
| ✓ | ✓ | ✓ | ✓ | Backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys | |
| ✓ | ✓ | ✓ | ✓ | Industry-standard encryption at rest is provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about GCP persistent disk encryption, AWS Elastic Block Storage, or Azure managed disk encryption. | |
| ✓ | Cockroach Labs’s proprietary storage-level implementing the Advanced Encryption Standard (AES) | ||||
| ✓ | ✓ | ✓ | ✓ | Users and privileges | |
| ✓ | ✓ | ✓ | ✓ | Role-based access control (RBAC) | |
| ✓ | ✓ | based on JWT group claims | |||
| ✓ | ✓ | based on OIDC group claims for DB Console | |||
| Network Security | ✓ | ✓ | ✓ | ✓ | SQL-level configuration allowed authentication attempts by IP address |
| ✓ | ✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | |
| ✓ | ✓ | ✓ | or for GCP clusters and for AWS clusters | ||
| Non-Repudiation | ✓ | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See |

