Documenting the types of encryption Compose deployments support
Encryption at Rest
All Compose Hosted and Compose Enterprise deployments have encryption at rest. All of Compose's servers have volume-level encryption enabled.
Further Encryption Options
Because Compose is a managed service, it is possible for Compose operators to see data. We recommend that, if you are storing personal information, you encrypt it before storing it in the database, or use extensions or features that enable encryption on the database itself. For example, the pgcrypto extension provides cryptographic functions for PostgreSQL to encrypt the data you are storing. We also have an article about getting started with application-level encryption, with an example in Ruby with MongoDB.
While these methods may impact usability or performance, it is good practice to ensure that personal information is protected with encryption.
Encryption in Transit
All Compose deployment types offer TLS/SSL encryption for your data in transit.
TLS 1.0, TLS 1.1
Support for TLS 1.0 and 1.1 is discontinued entirely as of March 01, 2018. More information can be found on the Compose blog, TLS 1.0 and 1.1 Retirement.
No TLS 1.0 or 1.1 (as of March 2018)
No SSL (v2, v3 -- or other variations)
No RC4 or other weak cipher suites
For reference and verification, these are the results of running cipherscan against a Compose deployment:
Target: aws-us-east-1-portal.8.dblayer.com:10770

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     AES256-GCM-SHA384            TLSv1.2                None                None
5     AES256-SHA256                TLSv1.2                None                None
6     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
7     CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
9     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
10    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
11    AES128-GCM-SHA256            TLSv1.2                None                None
12    AES128-SHA256                TLSv1.2                None                None
13    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
14    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None
15    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: untrusted, 2048 bits, sha512WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
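As an added example (not part of the original article or of Compose's tooling), a small Python checker that parses cipherscan's result table and flags any suite offered over the retired protocols (SSLv2/v3, TLS 1.0/1.1) or built on a weak cipher such as RC4, so a scan like the one above can be checked against the policy stated in this article. The scan text it runs on is constructed for illustration and the host example.invalid is a placeholder.

```python
import re

# Protocol versions and cipher-name fragments the article says a Compose
# endpoint should no longer offer after the March 2018 retirement.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PATTERNS = re.compile(r"RC4|DES|NULL|EXPORT|MD5|RC2", re.I)

# One cipherscan result row: "<prio> <suite> <protocols> <pfs> <curves>"
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cipherscan(text):
    """Return one dict per cipher-suite row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # "Target:", column header, certificate summary, blank lines
        prio, suite, protocols, pfs, curves = m.groups()
        rows.append({
            "prio": int(prio),
            "suite": suite,
            "protocols": set(protocols.split(",")),
            "pfs": None if pfs == "None" else pfs,
            "curves": None if curves == "None" else curves,
        })
    return rows


def policy_findings(rows):
    """Describe every row that violates the in-transit encryption policy."""
    findings = []
    for r in rows:
        legacy = r["protocols"] & FORBIDDEN_PROTOCOLS
        if legacy:
            findings.append(f"{r['suite']}: legacy protocol(s) {sorted(legacy)}")
        if WEAK_CIPHER_PATTERNS.search(r["suite"]):
            findings.append(f"{r['suite']}: weak cipher suite")
    return findings


# Constructed sample in cipherscan's layout (placeholder host, not a real scan).
SAMPLE = """\
Target: example.invalid:10770

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
3     RC4-SHA                      TLSv1.2                None                None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
"""
```

Running `policy_findings(parse_cipherscan(SAMPLE))` reports the second row for TLS 1.0/1.1 and the third for RC4, while a scan in which every row looks like the first returns no findings.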