This document covers SingleStoreDB Cloud data encryption in transit and at rest.

Encryption in Transit

To ensure a secure connection to SingleStoreDB Cloud, SQL clients must be properly configured to require a secure connection, and to verify the supplied server certificate.

When a SingleStoreDB Cloud workspace has REQUIRE SSL enabled, users cannot connect to the workspace without using SSL. However, security can still be compromised with or without the use of SSL. Not using SSL can lead to a man-in-the-middle attack, where a would-be attacker can impersonate a server. Conversely, a secure connection can be established by using SSL, but perhaps to a server that’s using an illegitimate certificate.

To circumvent these potential issues, SingleStore supports TLS 1.2 for data in transit and for all connections to the database. Transport Layer Security (TLS) uses a combination of symmetric and asymmetric encryption which employs a pair of keys: a public key and a private key.

The SSL/TLS cipher suite used is AES128-GCM-SHA256, with SSL certificates on a one-year rotation for svc.singlestore.com and on a two-year rotation for the legacy db.memsql.com. The use of Let’s Encrypt, which will have a 90-day certificate rotation, is planned for the future.

Refer to Connect to SingleStoreDB Cloud using TLS/SSL for additional information.

Encryption at Rest

For data at rest, SingleStore uses best-practice AES-256 encryption with AWS, Azure, and GCP cloud-hosting partners. With a 256-bit key length, it is currently the strongest encryption algorithm available. In the standard edition of SingleStoreDB Cloud, the cloud provider managed key is used to encrypt all data at rest. For the dedicated edition of SingleStoreDB Cloud, a customer may use their own key, stored in their own key vault in the cloud key management service (KMS) to add an additional layer of security. Key access and use is captured using AWS CloudTrail. SingleStore cannot access the shared key material directly.

For the Data Plane, SingleStore logs all access to each SingleStoreDB Cloud workspace, and runs each workspace with audit logging enabled. The ADMIN-ONLY-INCLUDING-PARSE-FAILS audit logging level is used for completeness. Audit logs can be accessed via the Cloud Portal. In the future, SingleStore plans to provide a customer-accessible API to allow the audit logs to be collected directly.

In this section

Last modified: September 22, 2023

Was this article helpful?