
Encryption (at Rest & in Transit)

End-to-end protection to keep your data secure everywhere it lives and moves

In a distributed data architecture, security extends beyond user access; it is also about protecting the data itself.
CrateDB ensures that all data, whether stored on disk or transmitted across networks, remains confidential and tamper-proof.

Through encryption at rest and encryption in transit, CrateDB provides full-spectrum data protection, safeguarding your information from unauthorized access, breaches, or interception across any deployment model: Edge, On-Prem, Private Cloud, or CrateDB Cloud.

Encryption at rest

CrateDB uses encrypted storage volumes to ensure that your data is securely persisted on disk.

  • Encrypted volumes protect against unauthorized access to physical media or stolen drives.
  • CrateDB Cloud uses industry-standard encryption mechanisms by default, with keys managed in secure key stores.
  • For self-managed deployments, encryption can be configured at the storage layer (e.g., through LUKS or cloud provider volume encryption).
  • Metadata, indices, and logs are included in the encryption scope, ensuring complete coverage.

This means that even if hardware or storage devices are compromised, your data remains unreadable without the correct credentials and keys.

Encryption in transit

All communication between CrateDB nodes, clients, and external services can be secured using Transport Layer Security (TLS/SSL).

  • Client connections via PostgreSQL wire protocol and HTTP endpoints are protected by TLS.
  • Internal node-to-node communication within a cluster can also be encrypted, securing replication and distributed queries.
  • Certificate management supports both self-signed and trusted third-party certificates.
  • Mutual TLS (mTLS) is available to authenticate both client and server endpoints.

This guarantees that sensitive data, credentials, and query traffic are never exposed in plain text.

Why it matters

  • Confidentiality: Prevent unauthorized access and eavesdropping on your data streams.
  • Integrity: Ensure that data in transit cannot be modified or injected by third parties.
  • Compliance: Meet the encryption requirements of ISO 27001, SOC 2 Type 2, and GDPR.
  • Peace of mind: Every layer from storage to API is encrypted and protected.

Best practices

  • Always enable TLS for all client and inter-node connections.
  • Regularly rotate certificates and keys to maintain strong cryptographic hygiene.
  • Use strong cipher suites and trusted certificate authorities in production environments.
  • In CrateDB Cloud, encryption is enabled by default; no setup required.
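As an added illustration of the in-transit settings and best practices above (not a configuration fragment from CrateDB's own docs), here is a self-managed crate.yml that turns TLS on for the HTTP endpoint, the PostgreSQL wire protocol and node-to-node transport, and uses host-based authentication to require mutual TLS on PostgreSQL connections. Key names follow CrateDB's documented ssl.* and auth.host_based.* settings; file paths and passwords are placeholders, so check them against the docs for your installed version.

```yaml
# crate.yml fragment (added example; paths and passwords are placeholders)

# TLS for every listener: client HTTP (4200), PostgreSQL wire (5432)
# and inter-node transport (4300).
ssl.http.enabled: true
ssl.psql.enabled: true
ssl.transport.mode: on

# Node identity: private key plus certificate chain issued by your CA.
ssl.keystore_filepath: /etc/crate/certs/node-keystore.p12
ssl.keystore_password: <PLACEHOLDER_KEYSTORE_PASSWORD>
ssl.keystore_key_password: <PLACEHOLDER_KEY_PASSWORD>

# Trust anchors used to verify peer nodes and client certificates.
ssl.truststore_filepath: /etc/crate/certs/truststore.p12
ssl.truststore_password: <PLACEHOLDER_TRUSTSTORE_PASSWORD>

# Re-read keystore/truststore on this interval so rotated certificates
# take effect without a node restart.
ssl.resource_poll_interval: 5s

# Host-based authentication: entries are evaluated in order and a
# connection that matches none of them is rejected, so plaintext
# (ssl: off) client connections fall through and are denied.
auth:
  host_based:
    enabled: true
    config:
      0:
        user: crate
        address: _local_
        method: trust        # local admin shell on the node only
      10:
        protocol: pg
        ssl: on
        method: cert         # mTLS: client cert CN must match the CrateDB user
      20:
        protocol: http
        ssl: on
        method: password     # TLS required, then username/password
```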