{"id":9680,"date":"2021-09-09T00:00:41","date_gmt":"2021-09-09T07:00:41","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=9680"},"modified":"2025-06-13T20:45:57","modified_gmt":"2025-06-14T03:45:57","slug":"at-rest-data-security-with-luks-encryption","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/","title":{"rendered":"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase"},"content":{"rendered":"<p><strong>Couchbase now supports LUKS disk encryption<\/strong> to secure your data at rest. How secure is LUKS?<\/p>\n<p>Couchbase 7.0 puts a big focus on security, debuting support for both <a href=\"https:\/\/www.couchbase.com\/blog\/introducing-rbac-security-for-collections\/?ref=blog\" target=\"_blank\" rel=\"noopener\">role-based access control (RBAC) for Scopes and Collections<\/a>, and encryption of at-rest data via Linux Unified Key Setup (<a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/7\/html\/security_guide\/sec-encryption#sec-Using_LUKS_Disk_Encryption\/?ref=hello-from-couchbase\" target=\"_blank\" rel=\"noopener\">LUKS<\/a>).<\/p>\n<p>Disk encryption is a vital part of any organization&#8217;s data security strategy and compliance with PCI DSS, FIPS, FISMA, GDPR and other regulatory standards.<\/p>\n<p>So, is LUKS encryption secure? In this post we\u2019ll start with an overview of security options for the three stages of documents in a Couchbase Server cluster \u2013 data in process, data in transit and data at rest (see the table below) \u2013 then delve into the specifics of data-at-rest security via LUKS on-disk encryption.<\/p>\n<table>\n<caption><strong>Encryption Options for 3 Document Stages<\/strong><\/caption>\n<tbody>\n<tr>\n<td><strong>Stage<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<td><strong>Use Case<\/strong><\/td>\n<td><strong>Encryption Options in Couchbase<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Data in Process<\/td>\n<td>Active data, in-system memory<\/td>\n<td>Documents that are in use<\/td>\n<td>Field-level encryption at the application layer<\/td>\n<\/tr>\n<tr>\n<td>Data in Transit<\/td>\n<td>Data that is moving between systems<\/td>\n<td>Replication, cross data center replication (XDCR)<\/td>\n<td>TLS encryption, <a href=\"https:\/\/www.couchbase.com\/blog\/x-509-certificate-based-authentication\/?ref=blog\" target=\"_blank\" rel=\"noopener\">X.509 certificates<\/a><\/td>\n<\/tr>\n<tr>\n<td>Data at Rest<\/td>\n<td>Data that is not in active use<\/td>\n<td>Buckets on the disk of an offline machine<\/td>\n<td>Various options, including LUKS and support for third-party solutions such as <a href=\"https:\/\/cpl.thalesgroup.com\/encryption\/vormetric-data-security-platform\/?ref=hello-from-couchbase\" target=\"_blank\" rel=\"noopener\">Thales Vormetric<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Why Use Data-at-Rest Encryption?<\/h2>\n<p>Data-at-rest encryption protects locked or offline storage systems and prevents the data from being read without the appropriate authority and access. Data encrypted at rest does not remain protected while a device is online, unlocked and operational. For that, you must use one of the other encryption methods mentioned in the table above.<\/p>\n<p>The following are common scenarios for encryption of data at rest:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>To protect confidential or personally identifiable information against any possible data breach<\/li>\n<li>By default in devices such as smartphones (often called full-disk encryption)<\/li>\n<li>In environments such as the cloud, where multiple users access the same underlying hardware<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<h2>LUKS Disk Encryption<\/h2>\n<p>LUKS is a fully open source tool that is the de facto standard for disk encryption in Linux environments.<\/p>\n<p>It is included in all Couchbase-certified Linux operating systems and supported by the respective OS vendors. LUKS sits in the kernel layer and encrypts storage at the disk-block level, allowing users to transparently deploy any file system on top of this block-level encryption. LUKS can encrypt storage partitions, which can be presented from a single drive, multi-disk RAID arrays, Logical Volume Manager (LVM) and even file-backed partitions.<\/p>\n<h3>What Is LUKS Encryption Good for\u2026<\/h3>\n<p>LUKS is flexible and offers a range of cipher suites.<\/p>\n<p>By default in a Red Hat 8 Linux environment, LUKS uses a highly secure 512-bit AES (Advanced Encryption Standard) key. Encrypted LUKS volumes contain multiple key slots, allowing users to add backup keys or passphrases, plus use features such as key revocation and protection for bad passphrases using Argon2.<\/p>\n<h3>&#8230;and What Is It Not Good for?<\/h3>\n<p>LUKS is not a good option for Couchbase instances deployed on non-Linux platforms, such as MacOS and Windows. It is also not well-suited for customers who do not have an active operating system\u2013vendor support contract.<\/p>\n<p>Standard OS-provided encryption technologies, such as Microsoft Encrypted File System (EFS) or <a href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/manage-connections-and-disks.html?ref=blog#securing-on-disk-data\u200b\u200b\" target=\"_blank\" rel=\"noopener\">Couchbase&#8217;s third-party encryption-at-rest partners<\/a> are a better option if your organization does not use Linux or does not have an OS-vendor support contract.<\/p>\n<h2>Using LUKS Security to Encrypt Your Couchbase Data at Rest<\/h2>\n<p>You have several ways to implement LUKS in a Linux environment \u2013 most commonly using `dm-crypt`(part of the kernel-level device mapper infrastructure) and the `cryptsetup` command-line utility to set up `dm-crypt` targets.<\/p>\n<p>In the code sample that follows, I&#8217;ll show you an example of commands I&#8217;ve used on my Ubuntu 16 Couchbase Server cluster to set up a disk with LVM. Then I\u2019ll show you how to deploy an LUKS encrypted logical volume and mount it as the data directory for a Couchbase Server node. This ensures that if your Couchbase Server is ever breached, the confidential data in your Couchbase Buckets will not be accessible to unauthorized users.<\/p>\n<p><em>The steps provided here before the General Availability (GA) release of Couchbase Server 7.0 and may change at release time or with future upgrades. Always <a href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/manage-connections-and-disks.html?ref=blog#securing-on-disk-data\" target=\"_blank\" rel=\"noopener\">consult the Couchbase documentation on security for the most up-to-date product information<\/a>.<\/em><\/p>\n<p>Use the following steps on a Couchbase Server node before adding it to a cluster and loading data into the Buckets. <strong>Note: These steps will erase anything currently residing on the target disk, so use caution and ensure that you are writing to the correct device.<\/strong><\/p>\n<p><strong>1.<\/strong> Install the `lvm` and `cryptsetup` utility.<\/p>\n<pre class=\"\">sudo apt-get install lvm2 cryptsetup\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>2.<\/strong> Configure the drive (`\/dev\/sdb`) and create a new primary partition to use LVM.<\/p>\n<pre class=\"\">$ sudo fdisk \/dev\/sdb\r\n\r\nCommand (m for help): n\r\nPartition type\r\np primary (0 primary, 0 extended, 4 free)\r\ne extended (container for logical partitions)\r\nSelect (default p): p\r\nPartition number (1-4, default 1): 1\r\nFirst sector (2048-2097151, default 2048):\r\nLast sector, +sectors or +size{K,M,G,T,P} (2048-2097151, default 2097151):\r\n\r\nCreated a new partition 1 of type 'Linux' and of size 1023 MiB.\r\n\r\nCommand (m for help): t\r\nSelected partition 1\r\n\r\nPartition type (type L to list all types): 8e\r\nChanged type of partition 'Linux' to 'Linux LVM'.\r\n\r\nCommand (m for help): p\r\nDisk \/dev\/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors\r\nUnits: sectors of 1 * 512 = 512 bytes\r\nSector size (logical\/physical): 512 bytes \/ 512 bytes\r\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\r\nDisklabel type: dos\r\nDisk identifier: 0x980c1049\r\n\r\nDevice Boot Start End Sectors Size Id Type\r\n\/dev\/sdb1 2048 2097151 2095104 1023M 8e Linux LVM\r\n\r\nCommand (m for help): w\r\nThe partition table has been altered.\r\nCalling ioctl() to re-read partition table.\r\nSyncing disks.\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>3.<\/strong> Configure LVM to use `\/dev\/sdb1` as a physical volume.<\/p>\n<pre class=\"\">$ sudo pvcreate \/dev\/sdb1\r\nPhysical volume \"\/dev\/sdb1\" successfully created\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>4.<\/strong> Create a volume group in which the physical volume will reside. We will name this `couchbase`.<\/p>\n<pre class=\"\">$ sudo vgcreate couchbase \/dev\/sdb1\r\nVolume group \"couchbase\" successfully created\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>5.<\/strong> Create a 500MB logical volume named `cbdata` in the `couchbase` volume group.<\/p>\n<pre class=\"\">$ sudo lvcreate -L 500M -n cbdata \/dev\/couchbase\r\nLogical volume \"cbdata\" created.\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>6.<\/strong> Use the `cryptsetup` utility to encrypt the `cbdata` logical volume.<\/p>\n<pre class=\"\">$ sudo cryptsetup --verbose --verify-passphrase luksFormat \/dev\/couchbase\/cbdata\r\n\r\nWARNING!\r\n========\r\nThis will overwrite data on \/dev\/couchbase\/cbdata irrevocably.\r\n\r\nAre you sure? (Type uppercase yes): YES\r\nEnter passphrase:\r\nVerify passphrase:\r\nCommand successful.\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>7.<\/strong> Unlock the encrypted `cbdata` logical volume and make this accessible as a device named `cbdata-luks`.<\/p>\n<pre class=\"\">$ sudo cryptsetup luksOpen \/dev\/couchbase\/cbdata cbdata-luks\r\nEnter passphrase for \/dev\/couchbase\/cbdata:\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>8.<\/strong> Write a filesystem on top of the `cbdata-luks` device.<\/p>\n<pre class=\"\">$ sudo mkfs.ext4 \/dev\/mapper\/cbdata-luks\r\nmke2fs 1.42.13 (17-May-2015)\r\nCreating filesystem with 509952 1k blocks and 127512 inodes\r\nFilesystem UUID: a26d318b-afdd-45ca-857a-063899183ffd\r\nSuperblock backups stored on blocks:\r\n8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409\r\n\r\nAllocating group tables: done\r\nWriting inode tables: done\r\nCreating journal (8192 blocks): done\r\nWriting superblocks and filesystem accounting information: done\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>9.<\/strong> Create a directory at `\/couchbase-data` to mount the filesystem, which will be used for the Couchbase data directory, then mount the filesystem.<\/p>\n<pre class=\"\">$ sudo mkdir \/couchbase-data\r\n$ sudo mount \/dev\/mapper\/cbdata-luks \/couchbase-data\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p><strong>10.<\/strong> Now we have a LUKS encrypted storage device mounted at `\/couchbase-data`, which we use as the target for the Couchbase Server data directory. Verify this with the `mount` and `cryptsetup` commands like so:<\/p>\n<pre class=\"\">$ mount\r\n\u2026\r\n\/dev\/mapper\/cbdata-luks on \/couchbase-data type ext4 (rw,relatime,data=ordered)\r\n<\/pre>\n<pre class=\"\">$ sudo cryptsetup status \/dev\/mapper\/cbdata-luks\r\n\/dev\/mapper\/cbdata-luks is active and is in use.\r\ntype: LUKS1\r\ncipher: aes-xts-plain64\r\nkeysize: 256 bits\r\ndevice: \/dev\/mapper\/couchbase-cbdata\r\noffset: 4096 sectors\r\nsize: 1019904 sectors\r\nmode: read\/write\r\n<\/pre>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<h2>Learn More about Couchbase 7.0<\/h2>\n<p>Ready to delve deeper into Couchbase 7.0 and all its features? Check out these resources:<\/p>\n<p><strong>Documentation<\/strong><\/p>\n<p><a href=\"https:\/\/docs.couchbase.com\/server\/7.0\/introduction\/whats-new.html?ref=blog\" target=\"_blank\" rel=\"noopener\">What&#8217;s new in version 7.0<\/a><\/p>\n<p><a href=\"https:\/\/docs.couchbase.com\/server\/7.0\/release-notes\/relnotes.html?ref=blog\" target=\"_blank\" rel=\"noopener\">Couchbase 7.0 release notes<\/a><\/p>\n<p><strong>Related blog posts<\/strong><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/scopes-and-collections-for-modern-multi-tenant-applications-couchbase-7-0\/?ref=blog\" target=\"_blank\" rel=\"noopener\">How Scopes &amp; Collections Simplify Multi-Tenant App Deployments on Couchbase<\/a><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/couchbase-transactions-with-n1ql\/?ref=blog\" target=\"_blank\" rel=\"noopener\">The N1QL Query Language Now Supports Distributed ACID Transactions<\/a><\/p>\n<p><strong>Downloads and Support<\/strong><\/p>\n<p>Enterprise Edition customer support is available via your regular support channels. <a href=\"https:\/\/www.couchbase.com\/forums\/?ref=blog\" target=\"_blank\" rel=\"noopener\">Community support is available through the Couchbase Forums<\/a><\/p>\n<div class=\"wp-block-spacer\" style=\"height: 30px\" aria-hidden=\"true\"><\/div>\n<div style=\"text-align: center\"><strong>Test the security of Couchbase for yourself&lt;br\/ &gt;<a href=\"https:\/\/www.couchbase.com\/downloads\/?ref=blog\" target=\"_blank\" rel=\"noopener\">Give Couchbase 7 a test drive<\/a><\/strong><\/div>\n<div class=\"wp-block-spacer\" style=\"height: 15px\" aria-hidden=\"true\"><\/div>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Couchbase now supports LUKS disk encryption to secure your data at rest. How secure is LUKS? Couchbase 7.0 puts a big focus on security, debuting support for both role-based access control (RBAC) for Scopes and Collections, and encryption of at-rest [&hellip;]<\/p>\n","protected":false},"author":1864,"featured_media":11899,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1815,1816,9415,9336,1813,9375],"tags":[1733,1685,9262],"ppma_author":[8928],"class_list":["post-9680","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-couchbase-server","category-xdcr","category-scopes-and-collections","category-security","category-upgrades","tag-compliance","tag-red-hat","tag-tls-encryption"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>How Secure is LUKS? Encryption + Security at Couchbase<\/title>\n<meta name=\"description\" content=\"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase\" \/>\n<meta property=\"og:description\" content=\"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/\" \/>\n<meta property=\"og:site_name\" content=\"The Couchbase Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-09T07:00:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-14T03:45:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0-social.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"418\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ian McCloy, Director Product Management\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0-social.jpeg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ian McCloy, Director Product Management\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/\"},\"author\":{\"name\":\"Ian McCloy, Director Product Management, Couchbase\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/7e8c834bce5128ad6cd764cd1c4cea19\"},\"headline\":\"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase\",\"datePublished\":\"2021-09-09T07:00:41+00:00\",\"dateModified\":\"2025-06-14T03:45:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/\"},\"wordCount\":992,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2020\\\/12\\\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg\",\"keywords\":[\"compliance\",\"Red Hat\",\"TLS encryption\"],\"articleSection\":[\"Best Practices and Tutorials\",\"Couchbase Server\",\"Cross Data Center Replication (XDCR)\",\"Scopes and Collections\",\"Security\",\"Upgrades\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/\",\"name\":\"How Secure is LUKS? Encryption + Security at Couchbase\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2020\\\/12\\\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg\",\"datePublished\":\"2021-09-09T07:00:41+00:00\",\"dateModified\":\"2025-06-14T03:45:57+00:00\",\"description\":\"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2020\\\/12\\\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/1\\\/2020\\\/12\\\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg\",\"width\":1200,\"height\":628,\"caption\":\"Learn about LUKS disk encryption for securing data at rest, now available in Couchbase Server 7.0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/at-rest-data-security-with-luks-encryption\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"name\":\"The Couchbase Blog\",\"description\":\"Couchbase, the NoSQL Database\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\",\"name\":\"The Couchbase Blog\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/admin-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/admin-logo.png\",\"width\":218,\"height\":34,\"caption\":\"The Couchbase Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/7e8c834bce5128ad6cd764cd1c4cea19\",\"name\":\"Ian McCloy, Director Product Management, Couchbase\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g97dd714a3242521ce9dcea0d96550c5f\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g\",\"caption\":\"Ian McCloy, Director Product Management, Couchbase\"},\"description\":\"Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom. His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella. This team also own cloud-native platforms like the Couchbase Kubernetes Autonomous Operator. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https:\\\/\\\/www.linkedin.com\\\/in\\\/ianmccloy\\\/\",\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/in\\\/ianmccloy\\\/\"],\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/author\\\/ian-mccloycouchbase-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How Secure is LUKS? Encryption + Security at Couchbase","description":"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/","og_locale":"en_US","og_type":"article","og_title":"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase","og_description":"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.","og_url":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/","og_site_name":"The Couchbase Blog","article_published_time":"2021-09-09T07:00:41+00:00","article_modified_time":"2025-06-14T03:45:57+00:00","og_image":[{"width":800,"height":418,"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0-social.jpeg","type":"image\/jpeg"}],"author":"Ian McCloy, Director Product Management","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0-social.jpeg","twitter_misc":{"Written by":"Ian McCloy, Director Product Management","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#article","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/"},"author":{"name":"Ian McCloy, Director Product Management, Couchbase","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/7e8c834bce5128ad6cd764cd1c4cea19"},"headline":"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase","datePublished":"2021-09-09T07:00:41+00:00","dateModified":"2025-06-14T03:45:57+00:00","mainEntityOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/"},"wordCount":992,"commentCount":0,"publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg","keywords":["compliance","Red Hat","TLS encryption"],"articleSection":["Best Practices and Tutorials","Couchbase Server","Cross Data Center Replication (XDCR)","Scopes and Collections","Security","Upgrades"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/","url":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/","name":"How Secure is LUKS? Encryption + Security at Couchbase","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#primaryimage"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg","datePublished":"2021-09-09T07:00:41+00:00","dateModified":"2025-06-14T03:45:57+00:00","description":"Get an overview of security options in a Couchbase Server cluster and delve into the specifics of data-at-rest security via LUKS on-disk encryption.","breadcrumb":{"@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#primaryimage","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2020\/12\/luks-disk-encryption-data-at-rest-couchbase-server-7-0.jpeg","width":1200,"height":628,"caption":"Learn about LUKS disk encryption for securing data at rest, now available in Couchbase Server 7.0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.couchbase.com\/blog\/at-rest-data-security-with-luks-encryption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.couchbase.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Secure Your Data at Rest with LUKS Disk Encryption in Couchbase"}]},{"@type":"WebSite","@id":"https:\/\/www.couchbase.com\/blog\/#website","url":"https:\/\/www.couchbase.com\/blog\/","name":"The Couchbase Blog","description":"Couchbase, the NoSQL Database","publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.couchbase.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.couchbase.com\/blog\/#organization","name":"The Couchbase Blog","url":"https:\/\/www.couchbase.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png","width":218,"height":34,"caption":"The Couchbase Blog"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/7e8c834bce5128ad6cd764cd1c4cea19","name":"Ian McCloy, Director Product Management, Couchbase","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g97dd714a3242521ce9dcea0d96550c5f","url":"https:\/\/secure.gravatar.com\/avatar\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g","caption":"Ian McCloy, Director Product Management, Couchbase"},"description":"Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom. His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella. This team also own cloud-native platforms like the Couchbase Kubernetes Autonomous Operator. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https:\/\/www.linkedin.com\/in\/ianmccloy\/","sameAs":["https:\/\/www.linkedin.com\/in\/ianmccloy\/"],"url":"https:\/\/www.couchbase.com\/blog\/author\/ian-mccloycouchbase-com\/"}]}},"acf":[],"authors":[{"term_id":8928,"user_id":1864,"is_guest":0,"slug":"ian-mccloycouchbase-com","display_name":"Ian McCloy, Director Product Management","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/41f65bee70b5e03e46ae996303a13060d366d405ecb235ff5493d4f1ac3a6f3d?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/9680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/users\/1864"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/comments?post=9680"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/9680\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media\/11899"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media?parent=9680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/categories?post=9680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/tags?post=9680"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=9680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}