In the security section, we will review the security features in RavenDB and explain how to manage your secured server or cluster.
RavenDB uses X.509 certificate-based authentication. X.509 certificates are standardized, secured and widely used in many applications. They allow you to use TLS/SSL and HTTPS which keeps your communications encrypted and secured.
The idea of authentication in RavenDB is based on a fact that the server holds a server certificate, which is either signed by a trusted SSL Certificate Authority or self-signed. The server certificate is used by an administrator to generate client certificates with assigned permissions. Client certificates can be used for authentication, and authorization is granted according to the assigned permissions.
RavenDB does not use PKI infrastructure to trust certificates and uses a more strict approach. It will allow access to client certificates which are explicitly registered in the RavenDB server or certificates which have the same issuer and Public Key Pinning Hash as a certificate which is already trusted. Registering a certificate means one of the following:
- The certificate was generated by the server
- The certificate was registered explicitly by an administrator.
- The certificate was registered implicitly for having the same Public Key Pinning Hash as a registered certificate.
In any case, it must appear in the certificates view in the studio. Visit the Certificate Management section for more information.
In the Studio, administrators can use the Certificates View to easily manage their certificates. It can be used to generate client certificates, register existing client certificates, import and export server certificates, rename, assign permissions and more.
- Manual Certificate Configuration
- Certificate Management
- Client Certificate Usage
- Certificate Renewal & Rotation
- Let's Encrypt Certificates
- Common Errors & FAQ
Authorization in RavenDB is based on the same X.509 certificates.
Every client certificate is associated with a security clearance and access permissions per database.
RavenDB offers full database encryption using libsodium, a well-known battle tested encryption library.
Encryption is implemented at the storage level, with XChaCha20-Poly1305 authenticated encryption using 256 bit keys.
When database encryption is on, all the features of a database are automatically encrypted - documents, indexes and every piece of data that is written to disk.