Security: Overview

RavenDB uses X.509 certificate-based authentication. X.509 certificates are standardized, secured and widely used in many applications. They allow you to use TLS/SSL and HTTPS which keeps your communications encrypted and secured.

The idea of authentication in RavenDB is based on a fact that the server holds a server certificate, which is either signed by a trusted SSL Certificate Authority or self-signed. The server certificate is used by an administrator to generate client certificates with assigned permissions. Client certificates can be used for authentication, and authorization is granted according to the assigned permissions.

In the Studio, administrators can use the Certificates View to easily manage their certificates. It can be used to generate client certificates, register existing client certificates, import and export server certificates, rename, assign permissions and more.

Read more:

• Manual Certificate Configuration
• Certificate Management
• Client Certificate Usage
• Certificate Renewal & Rotation
• Let's Encrypt Certificates
• Common Errors & FAQ

Authorization in RavenDB is based on the same X.509 certificates.

Every client certificate is associated with a security clearance and access permissions per database.

Read more:

• Security Clearance & Permissions

RavenDB offers full database encryption using libsodium, a well-known battle tested encryption library.

Encryption is implemented at the storage level, with XChaCha20-Poly1305 authenticated encryption using 256 bit keys.

When database encryption is on, all the features of a database are automatically encrypted - documents, indexes and every piece of data that is written to disk.

Read more:

• Encryption at Rest
• Database Encryption
• Server Store Encryption
• Secret Key Management