Ways to Use CockroachDB
CockroachDB Cloud
CockroachDB Serverless provides fast and easy access (including a free tier) to CockroachDB as a web service, hosted by Cockroach Labs. Clusters run in multi-tenant Google Cloud Platform (GCP) or Amazon Web Services (AWS) environments with shared compute and networking resources.
CockroachDB Dedicated offers a single-tenant cluster running in its own Virtual Private Cloud (VPC). Compute and networking resources are isolated. Additional security-enhancing features such as single-sign on (SSO) and SQL audit logging are available.
Sign up for a CockroachDB Cloud account!
Self-Hosted
Cockroach Labs maintains CockroachDB as an open-source core, which is available to operate under a number of different licensing options, including several free options.
CockroachDB self-hosted here refers to the situation of a user deploying and operating their own cluster.
Enterprise refers to an ongoing paid license relationship with Cockroach Labs. This license unlocks advanced features (see below). In this situation the customer maintains full control over their data, compute, and network resources while benefiting from the expertise of the Cockroach Labs' Enterprise Support staff.
- See the list of Enterprise features
- Read the licensing FAQ
- Contact our sales team for further questions about Enterprise
Comparison of security features
Security Domain | CockroachDB Serverless | CockroachDB Dedicated | CockroachDB self-hosted | Enterprise | Feature |
---|---|---|---|---|---|
Authentication | ✓ | ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 |
✓ | ✓ | ✓ | ✓ | Client identity authentication using username/password | |
✓ | ✓ | Client identity authentication using TLS 1.2/1.3 | |||
✓ | Client identity authentication with third-party Single Sign On (SSO) using OpenID Connect OIDC | ||||
✓ | Client identity authentication with GSSAPI and Kerberos | ||||
✓ | HTTP API access using login tokens | ||||
✓ | OCSP certificate revocation protocol | ||||
Encryption | ✓ | ✓ | ✓ | ✓ | Encryption-in-flight using TLS 1.3 |
✓ | ✓ | ✓ | ✓ | Backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption | |
✓ | ✓ | ✓ | ✓ | Backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys | |
✓ | ✓ | ✓ | ✓ | Industry-standard encryption-at-rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. You can learn more about GCP persistent disk encryption, AWS Elastic Block Storage, or Azure managed disk encryption. | |
✓ | Cockroach Labs' proprietary storage-level encryption-at-rest service implementing the Advanced Encryption Standard (AES) | ||||
Authorization | ✓ | ✓ | ✓ | ✓ | Users and privileges |
✓ | ✓ | ✓ | ✓ | Role-based access control (RBAC) | |
Network Security | ✓ | ✓ | ✓ | ✓ | SQL-level configuration allowed authentication attempts by IP address |
✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | ||
✓ | ✓ | ✓ | VPC Peering for GCP clusters and AWS PrivateLink for AWS clusters | ||
Non-Repudiation | ✓ | ✓ | ✓ | ✓ | SQL Audit Logging |
Availability/Resilience | ✓ | ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery. |