> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# CockroachDB Security Overview

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

## Comparison of security features

| Security Domain                                                                         | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced | CockroachDB self-hosted Enterprise                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Feature                                                                                                                                                                                                                                                      |
| --------------------------------------------------------------------------------------- | ----------------- | -------------------- | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| <InternalLink path="security-reference/authentication">Authentication</InternalLink>    | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Inter-node and node identity authentication using TLS 1.3                                                                                                                                                                                                    |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Client identity authentication using username/password                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                              |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | <InternalLink path="security-reference/scram-authentication">SASL/SCRAM-SHA-256 secure password-based authentication</InternalLink>                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                              |
|                                                                                         |                   |                      | ✓                    | SQL client identity authentication using TLS 1.2/1.3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                              |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Web console authentication with third-party <InternalLink path="sso-db-console">Single Sign-on (SSO)</InternalLink> using [OpenID Connect OIDC](https://openid.net/connect)                                                                                                                                                                                                                                                                                                                                                                   |                                                                                                                                                                                                                                                              |
|                                                                                         |                   | ✓                    | ✓                    | SQL client identity authentication with <InternalLink path="sso-sql">JSON Web Tokens (JWT)</InternalLink>                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                              |
|                                                                                         |                   |                      | ✓                    | Client identity authentication with <InternalLink path="gssapi_authentication">GSSAPI and Kerberos</InternalLink>                                                                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                              |
|                                                                                         |                   | ✓                    | ✓                    | <InternalLink path="sso-sql#configure-user-provisioning">Automatic user provisioning</InternalLink> for JWT authentication                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                              |
|                                                                                         |                   | ✓                    | ✓                    | <InternalLink path="sso-db-console#step-3-configure-user-creation">Automatic user provisioning</InternalLink> for OIDC authentication                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                              |
|                                                                                         |                   |                      | ✓                    | HTTP API access using login tokens                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                              |
|                                                                                         |                   |                      | ✓                    | [OCSP](https://wikipedia.org/wiki/Online_Certificate_Status_Protocol) certificate revocation protocol                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                              |
| <InternalLink path="security-reference/encryption">Encryption</InternalLink>            | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Encryption in transit using TLS 1.3                                                                                                                                                                                                                          |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Backups for AWS clusters are encrypted at rest using [AWS S3’s server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption)                                                                                                                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                              |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Backups for GCP clusters are encrypted at rest using [Google-managed server-side encryption keys](https://cloud.google.com/storage/docs/encryption/default-keys)                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                              |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Industry-standard encryption at rest is provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about [GCP persistent disk encryption](https://cloud.google.com/compute/docs/disks#pd_encryption), [AWS Elastic Block Storage](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption), or [Azure managed disk encryption](https://docs.microsoft.com/azure/virtual-machines/disk-encryption-overview). |                                                                                                                                                                                                                                                              |
|                                                                                         |                   |                      | ✓                    | Cockroach Labs's proprietary storage-level <InternalLink path="security-reference/encryption">Enterprise Encryption At Rest service</InternalLink> implementing the [Advanced Encryption Standard (AES)](https://wikipedia.org/wiki/Advanced_Encryption_Standard)                                                                                                                                                                                                                                                                             |                                                                                                                                                                                                                                                              |
| <InternalLink path="security-reference/authorization">Authorization</InternalLink>      | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Users and privileges                                                                                                                                                                                                                                         |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Role-based access control (RBAC)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                              |
|                                                                                         |                   | ✓                    | ✓                    | <InternalLink path="jwt-authorization">Automatic role synchronization</InternalLink> based on JWT group claims                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                                                                                                                                                                                                              |
|                                                                                         |                   | ✓                    | ✓                    | <InternalLink path="oidc-authorization">Automatic role synchronization</InternalLink> based on OIDC group claims for DB Console                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                                                                                                                                                              |
| Network Security                                                                        | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | SQL-level configuration allowed authentication attempts by IP address                                                                                                                                                                                        |
| ✓                                                                                       | ✓                 | ✓                    | ✓                    | Network-level Configuration of allowed IP addresses                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                              |
|                                                                                         | ✓                 | ✓                    | ✓                    | <InternalLink version="cockroachcloud" path="connect-to-your-cluster#gcp-private-service-connect">GCP Private Service Connect (PSC) (Preview)</InternalLink> or <InternalLink version="cockroachcloud" path="connect-to-your-cluster">VPC Peering</InternalLink> for GCP clusters and <InternalLink version="cockroachcloud" path="aws-privatelink">AWS PrivateLink</InternalLink> for AWS clusters                                                                                                                                           |                                                                                                                                                                                                                                                              |
| [Non-Repudiation](https://wikipedia.org/wiki/Non-repudiation)                           | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | <InternalLink path="sql-audit-logging">SQL Audit Logging</InternalLink>                                                                                                                                                                                      |
| <InternalLink path="demo-cockroachdb-resilience">Availability/Resilience</InternalLink> | ✓                 | ✓                    | ✓                    | ✓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See <InternalLink path="demo-cockroachdb-resilience">Disaster Recovery.</InternalLink> |
