Encryption
When you store sensitive data in your ArangoDB database, you want to protect that data under all circumstances. At runtime you will protect it with SSL transport encryption and strong authentication, but when the data is already on disk, you also need protection. That is where the Encryption feature comes in.
The Encryption feature of ArangoDB will encrypt all data that ArangoDB is storing in your database before it is written to disk.
The data is encrypted with AES-256-CTR, a strong encryption algorithm that is well suited to multi-processor environments. This means that your data is safe, but your database is still fast, even under load.
Most modern CPUs have built-in support for hardware AES encryption, which makes it even faster.
Note: The Encryption feature requires the RocksDB storage engine.
That means:
- Transport your keys safely to your server(s). There are various tools for managing secrets like this (e.g. vaultproject.io).
- Store a copy of your key offline in a safe place. If you lose your key, there is NO way to get your data back.
To activate encryption of your database, you need to supply an encryption key to the server.
Make sure to pass this option the very first time you start your database. You cannot encrypt a database that already exists.
Note: You also have to activate the rocksdb storage engine.
Pass the following option to arangod:
Encryption key generated by a program
Pass the following option to arangod:
The program path-to-my-generator must output the encryption key on standard output and exit.
The encryption keyfile must contain 32 bytes of random data.
You can create it with a command like this.
For security, it is best to create these keys offline (away from your database servers) and directly store them in your secret management tool.
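The keyfile requirement above (exactly 32 bytes of random data, never lost or overwritten) as an added shell example; it is not part of the original ArangoDB documentation. The function names `make_keyfile` and `check_keyfile`, the use of `/dev/urandom` as the randomness source, and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not ArangoDB tooling.

KEY_BYTES=32   # the page requires exactly 32 bytes of random data

# make_keyfile PATH: write a new 32-byte key, readable by the owner only.
# Refuses to overwrite an existing file, because replacing the key of an
# already-encrypted database leaves its data unrecoverable.
make_keyfile() {
    (
        umask 077          # file is created with mode 0600
        set -C             # noclobber: '>' fails if the file already exists
        head -c "$KEY_BYTES" /dev/urandom > "$1"
    ) 2>/dev/null || {
        echo "refusing to create $1 (exists or not writable)" >&2
        return 1
    }
    check_keyfile "$1"
}

# check_keyfile PATH: succeed only if the file is exactly 32 bytes long
# (a stray trailing newline makes it 33) and has no group/other permissions.
check_keyfile() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne "$KEY_BYTES" ]; then
        echo "$1: $size bytes, expected $KEY_BYTES" >&2
        return 1
    fi
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission columns
    if [ "$perms" != "------" ]; then
        echo "$1: accessible to group/other ($perms)" >&2
        return 1
    fi
}
```

Run `make_keyfile` on the offline machine where the key is created, and `check_keyfile` on the server after the key has been transported, before the first start of arangod.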