Compose Encryption
Documenting the types of encryption Compose deployments support
Encryption at Rest
All Compose Hosted and Compose Enterprise deployments have encryption at rest. All of Compose's servers have volume-level encryption enabled.
Further Encryption Options
Because Compose is a managed service, it is possible for Compose operators to see data. If you are storing personal information, we recommend that you encrypt it before storing it in the database, or that you use extensions or features that enable encryption on the database itself. For example, the pgcrypto extension provides cryptographic functions for PostgreSQL that let you encrypt the data you are storing. We also have an article about getting started with application-level encryption, with an example in Ruby with MongoDB.
While these methods may impact usability or performance, it is good practice to ensure that personal information is protected with encryption.
Encryption in Transit
All Compose deployment types offer TLS/SSL encryption for your data in transit.
Supported Versions
TLS 1.2
TLS 1.0, TLS 1.1
Support for TLS 1.0 and 1.1 is discontinued entirely as of March 01, 2018. More information can be found on the Compose blog, TLS 1.0 and 1.1 Retirement.
Unsupported Versions
No TLS 1.0 or 1.1 (as of March 2018)
No SSL (v2, v3 -- or other variations)
No RC4 or other weak cipher suites
Cipherscan results
For reference and verification, these are the results of running cipherscan against a Compose deployment:
Target: aws-us-east-1-portal.8.dblayer.com:10770
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
4 AES256-GCM-SHA384 TLSv1.2 None None
5 AES256-SHA256 TLSv1.2 None None
6 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
8 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
9 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
10 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
11 AES128-GCM-SHA256 TLSv1.2 None None
12 AES128-SHA256 TLSv1.2 None None
13 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
14 SEED-SHA TLSv1,TLSv1.1,TLSv1.2 None None
15 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
Certificate: untrusted, 2048 bits, sha512WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
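To turn a scan like the one above into a repeatable check of the stated policy (no SSL, no TLS 1.0/1.1 after March 2018, no RC4 or other weak suites), here is an added example in Python that is not part of the Compose page or of the cipherscan tool itself. It parses the result table quoted above, which is embedded as the sample input, and reports the legacy protocols, weak suites and non-forward-secret suites a defender would want to know about; the WEAK_MARKERS list and the function names are the example's own assumptions.

```python
# Cipherscan output quoted on this page, embedded as the sample input so the
# check runs offline. Columns: prio, ciphersuite, protocols, pfs, curves.
CIPHERSCAN_OUTPUT = """\
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
4 AES256-GCM-SHA384 TLSv1.2 None None
5 AES256-SHA256 TLSv1.2 None None
6 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
7 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
8 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
9 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
10 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
11 AES128-GCM-SHA256 TLSv1.2 None None
12 AES128-SHA256 TLSv1.2 None None
13 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
14 SEED-SHA TLSv1,TLSv1.1,TLSv1.2 None None
15 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
"""

# Assumed name fragments marking suites the page says are absent, and the
# protocol versions the page lists as unsupported after March 2018.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_cipherscan(text):
    """Turn the cipherscan table into dicts; header and non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # header line or trailing summary text
        prio, suite, protocols, pfs, curves = parts
        rows.append({"prio": int(prio), "suite": suite,
                     "protocols": set(protocols.split(",")),
                     "pfs": pfs != "None", "curves": curves})
    return rows

def audit(rows):
    """Summarise what a defender checks: legacy protocols, weak suites, PFS."""
    offered = set().union(*(r["protocols"] for r in rows))
    return {"legacy_protocols": sorted(offered & LEGACY_PROTOCOLS),
            "weak_suites": [r["suite"] for r in rows
                            if any(m in r["suite"] for m in WEAK_MARKERS)],
            "no_pfs_suites": [r["suite"] for r in rows if not r["pfs"]]}

def meets_retirement_policy(report):
    # True once no legacy protocol or weak suite is offered (the page's March 2018 state).
    return not report["legacy_protocols"] and not report["weak_suites"]
```

Run against the November 2017 scan, the check confirms that no RC4 or other weak suite is offered, but it still flags TLSv1 and TLSv1.1 because that scan predates the March 2018 retirement.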
Updated 29/November/2017