In the security section, we will review the security features in RavenDB and explain how to manage your secured server or cluster.
RavenDB uses X.509 certificate-based authentication.
X.509 certificates are standardized, secured and widely used in many applications. They allow you to use TLS/SSL and HTTPS which keeps your communications encrypted and secured.
The idea of authentication in RavenDB is based on a fact that the server holds a server certificate, which is either signed by a trusted SSL Certificate Authority or self-signed. The server certificate is used by an administrator to generate client certificates with assigned permissions. Client certificates can be used for authentication, and authorization is granted according to the assigned permissions.
RavenDB will allow access only to client certificates which are explicitly registered in the server and will not trust any other certificates (even if existing PKI infrastructure allows them). Registering a certificate means one of two things: either the certificate was generated by the server or it was uploaded by an administrator. In any case, it must appear in the certificates view in the studio. Visit the Certificate Management section for more information.
In the Studio, administrators can use the Certificates View to easily manage their certificates. It can be used to generate client certificates, register existing client certificates, import and export server certificates, rename, assign permissions and more.
Authorization in RavenDB is based on the same X.509 certificates.
Every client certificate is associated with a security clearance and access permissions per database.
RavenDB offers full database encryption using libsodium, a well-known battle tested encryption library.
Encryption is implemented at the storage level, with XChaCha20-Poly1305 authenticated encryption using 256 bit keys.
When database encryption is on, all the features of a database are automatically encrypted - documents, indexes and every piece of data that is written to disk.