ArangoDB Enterprise: Security
Enhanced Encryption Control
ArangoDB Community Edition supports the use of SSL/TLS to encrypt communications with the database and between database instances in a cluster.
Enterprise Edition users have the option of taking this a step further with Enhanced Encryption. This allows you to configure ArangoDB to only use TLS 1.2, ensuring that your databases always use the highest-level of security standards in your production environments.
Encryption at Rest
When you store sensitive data in your ArangoDB database, you want to protect that data under all circumstances. At runtime, you will protect it with SSL transport encryption and strong authentication, but when the data is already on disk, you also need protection. That is where the Encryption feature comes in.
The Encryption feature of ArangoDB will encrypt all data that ArangoDB is storing in your database before it is written to disk.
The data is encrypted with AES-256-CTR, which is a strong encryption algorithm, that is very suitable for multi-processor environments. This means that your data is safe, but your database is still fast, even under load.
Most modern CPU’s have built-in support for hardware AES encryption, which makes it even faster. Read more here.
Note: The Encryption feature requires the RocksDB storage engine.
With this feature, ArangoDB takes another big step towards HIPPA compliance.
Enhanced Authentication with LDAP
Normally, users are defined and managed in ArangoDB itself. Starting with the Enterprise Edition 3.2, you can use an external server to manage your users with LDAP. We have implemented a common schema which can be extended.
In terms of both compliance and forensic analysis of data breaches, auditing is an important tool. ArangoDB audit logs provide an irrefutable record of actions taken, whether they are generated by a database, directory, or operating system.
The ArangoDB audit log records the following actions:
- Database creation and deletion
- Collection creation and deletion
- Index creation and deletion
- Read access to documents
- Query alterations
Encrypted backup and restore
This feature allows to create an encrypted backup using
arangodump. We use AES256 for the encryption. The encryption key can be read from a file or from a generator program. It works in single server and cluster mode. Together with the encryption at rest, this allows to keep all your sensible data encrypted whenever it is not in memory.
Here is an example for encrypted backup:
arangodump --collection "secret" dump --encryption.keyfile ~/SECRET-KEY
As you can see, in order to create an encrypted backup, simply add the
--encryption.keyfile option when invoking
arangodump. Needless to say, restore is equally easy using
The key must be exactly 32 bytes long (this is a requirement of the AES block cypher we are using). For details see the documentation in the manual.
Note that encrypted backups can be used together with the already existing RocksDB encryption-at-rest feature, but they can also be used for the MMFiles engine, which does not have encryption-at-rest.
Want to know more? Let us show you the power of ArangoDB Enterprise Edition and how we can contribute to your project with our 20+ years of database experience. Request a demo or an introduction call wit us.