v2.1/encryption.md
+16 -3
@@ -72,18 +72,31 @@ and encrypted.
72
72
73
73
There are a number of considerations to keep in mind when running with encryption.
74
74
75
+
### Deployment configuration
76
+
77
+
To prevent key leakage, production deployments should:
78
+
79
+
* use encrypted swap, or disable swap entirely
80
+
* disable core files
81
+
82
+
CockroachDB attempts to disable core files at startup when encryption is requested, but it may fail.
83
+
84
+
### Key handling
85
+
75
86
Key management is the most dangerous aspect of encryption. The following rules should be kept in mind:
76
87
77
88
* make sure only the unix user running the `cockroach` process has access to the keys
78
89
* do not store the keys on the same partition/drive as the cockroach data. It is best to load keys at run time from a separate system (eg: keywhiz, vault)
79
90
* rotate store keys frequently (every few weeks to months)
80
91
* keep the data key rotation period low (default is one week)
81
92
93
+
### Other recommendations
94
+
82
95
A few other recommendations apply for best security practices:
83
96
84
-
* do not switch from encrypted to plaintext, this leaks data keys. Once transitioned to plaintext, all data must be considered reachable.
85
-
* do not copy the encrypted files as the data keys are not easily available.
86
-
* if encryption is desired, start a node with it enabled from first run without ever running in plaintext.
97
+
* do not switch from encrypted to plaintext, this leaks data keys. When plaintext is selected, all previously encrypted data must be considered reachable
98
+
* do not copy the encrypted files as the data keys are not easily available
99
+
* if encryption is desired, start a node with it enabled from first run without ever running in plaintext
87
100
88
101
Note that backups taken with the [`BACKUP`](backup.html) statement are not encrypted (whether you are using this feature or not). If you want encrypted backups, you will need to encrypt your backup files using your preferred encryption method.
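Review bot: the added sentence "CockroachDB attempts to disable core files at startup when encryption is requested, but it may fail" (new line 82) gives the operator no action to take and no way to check, even though the bullet directly above it tells production deployments to "disable core files". Suggest extending it so the reader knows what to do and how to verify: state that the core size limit should also be set to zero outside the process (for example `ulimit -c 0` in the launcher or `LimitCORE=0` in a systemd unit) so the node does not depend on the in-process attempt, and say how a failed attempt is surfaced (a startup log message, an exit) so it can be checked in the same place the swap recommendation is applied. The rest of the hunk is consistent: the trailing periods dropped from the three "Other recommendations" bullets (new lines 97 to 99) match the period-free style of the "Key handling" bullets, and the rewording "When plaintext is selected, all previously encrypted data must be considered reachable" keeps the original warning intact.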