
Encryption

Enterprise-grade encryption to protect your data at rest and in transit

Overview

DB24x7 employs multiple layers of encryption to ensure your database infrastructure and sensitive data remain secure. We use industry-standard encryption algorithms and best practices to protect your data both when it's stored and when it's being transmitted.

Data at Rest

AES-256 encryption for stored data

Data in Transit

TLS 1.3 for all network communications

Key Management

Secure key rotation and storage

Data at Rest Encryption

All data stored in DB24x7 is encrypted at rest using AES-256 encryption, the same standard used by governments and financial institutions worldwide.

What is Encrypted

Database Data

All database tables, indexes, and stored procedures are encrypted on disk.

Backups

All automated and manual backups are encrypted using the same AES-256 standard.

Logs and Metadata

Query logs, audit logs, and system metadata are encrypted to protect sensitive information.

Temporary Files

Any temporary files created during query execution or data processing are encrypted.

Snapshots

Point-in-time snapshots and replicas are fully encrypted.

AES-256 Encryption Standard

Advanced Encryption Standard (AES) with 256-bit keys is a symmetric encryption algorithm that provides:

  • Military-grade security approved by the NSA for classified information
  • Resistance to all known practical attacks with current computing power
  • Fast encryption and decryption performance
  • Compliance with FIPS 140-2, HIPAA, PCI-DSS, and other security standards

Automatic Encryption

Encryption at rest is enabled by default for all DB24x7 instances. No configuration is required on your part. All data is automatically encrypted when written to disk and decrypted when read.

Storage Layer Encryption

We implement encryption at multiple storage layers for defense in depth:

Database-Level Encryption

Each database is encrypted with its own unique encryption key, providing isolation between databases.

Volume-Level Encryption

Storage volumes are encrypted at the disk level using platform-native encryption (AWS EBS, Azure Disk Encryption).

Data in Transit Encryption

All data transmitted to and from DB24x7 is encrypted using Transport Layer Security (TLS) 1.3, the latest and most secure version of the TLS protocol.

TLS 1.3 Benefits

Faster Handshakes

Reduced latency with 1-RTT and 0-RTT connection establishment

Stronger Security

Removal of weak cipher suites and outdated cryptographic algorithms

Perfect Forward Secrecy

Session keys from past connections cannot be recovered even if long-term keys are later exposed

Encrypted Handshake

More handshake data is encrypted, reducing metadata exposure

Protected Connections

Web Dashboard

All web traffic uses HTTPS with TLS 1.3. HTTP connections are automatically upgraded to HTTPS.

Database Connections

Client connections to databases are encrypted using SSL/TLS. Unencrypted connections are rejected by default.

API Requests

All API endpoints require HTTPS. API keys are transmitted securely over encrypted connections.

Internal Communication

Communication between DB24x7 services is encrypted and mutually authenticated using mutual TLS (mTLS).

Configuring TLS for Database Connections

To connect to your database with TLS encryption:

PostgreSQL Example

psql "postgresql://user@host.db24x7.com:5432/dbname?sslmode=require"

MySQL Example

mysql --host=host.db24x7.com \
      --user=user \
      --password \
      --ssl-mode=REQUIRED \
      dbname

Certificate Verification

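For production environments, we recommend using sslmode=verify-full (PostgreSQL) or --ssl-mode=VERIFY_IDENTITY (MySQL). These modes verify the server's certificate against trusted certificate authorities and check that it matches the host name you connect to; require and REQUIRED only guarantee that the connection is encrypted.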

Key Management

Proper key management is critical to maintaining the security of encrypted data. DB24x7 uses a hierarchical key management system with automatic rotation.

Key Hierarchy

1. Master Key

Root key stored in a hardware security module (HSM) or key management service (KMS). Never leaves the secure environment.

2. Data Encryption Keys (DEK)

Unique keys for each database, encrypted by the master key. Used for actual data encryption/decryption operations.

3. Key Encryption Keys (KEK)

Intermediate keys that encrypt data encryption keys, providing an additional layer of security.

Automatic Key Rotation

DB24x7 automatically rotates encryption keys to minimize the impact of potential key compromise:

  • Master keys are rotated annually or on-demand through the dashboard
  • Data encryption keys are rotated every 90 days by default
  • Key rotation is performed without downtime using dual-key encryption
  • Old keys are retained for decryption of existing data and backups
  • All key operations are logged in audit logs
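
The key hierarchy and rotation described above, shown as envelope encryption in Go. This is an added example, not DB24x7's own code: data is encrypted under a DEK, the DEK is stored only in wrapped form, and rotating the wrapping key re-wraps the DEK without re-encrypting the data. It assumes AES-256-GCM at both layers and in-memory keys standing in for keys an HSM or KMS would hold; the names seal, open and rotate are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// randBytes reads n bytes from the OS CSPRNG; 32 bytes is one AES-256 key.
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// seal encrypts pt with AES-256-GCM and prepends the random nonce.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; it fails on a wrong key or a modified blob.
func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}
// rotate re-wraps the DEK under a new wrapping key; stored data is untouched.
func rotate(oldKEK, newKEK, wrapped []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrapped)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}

func main() {
	kek1, kek2, dek := randBytes(32), randBytes(32), randBytes(32)
	data := seal(dek, []byte("constructed sample row")) // data under the DEK
	wrapped := must(rotate(kek1, kek2, seal(kek1, dek))) // DEK now under kek2
	fmt.Printf("%s\n", must(open(must(open(kek2, wrapped)), data)))
}
```

A backup that still holds the DEK wrapped under the old key can only be read while that old key is retained, which is why the list above keeps old keys after rotation.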

Key Storage and Protection

Hardware Security Modules

Master keys are stored in FIPS 140-2 Level 3 certified HSMs that provide tamper-resistant key storage.

Managed Key Services

Integration with AWS KMS, Azure Key Vault, and Google Cloud KMS for enterprise key management.

Customer-Managed Keys (BYOK)

Enterprise customers can bring their own encryption keys (BYOK) for additional control over data encryption. This allows you to maintain full control over key lifecycle and access policies.

Enterprise Feature

Customer-managed keys are available on Enterprise plans. Contact our sales team to enable this feature for your organization.

Benefits

Complete Control

You own and manage the encryption keys used for your data

Revocation Capability

Instantly revoke access to your data by disabling keys

Compliance Requirements

Meet regulatory requirements for key management control

Audit Trail

Complete visibility into key usage through your KMS logs

Setup Process

  1. Create a customer master key (CMK) in your KMS provider
  2. Grant DB24x7 service account permissions to use the CMK
  3. Navigate to Settings > Organization > Security > Encryption
  4. Enable "Customer-Managed Keys"
  5. Enter your CMK ARN or identifier
  6. Verify the configuration
  7. Choose whether to encrypt existing databases or only new ones
  8. Confirm and apply the settings

Supported KMS Providers

AWS KMS

Amazon Web Services Key Management Service

Azure Key Vault

Microsoft Azure Key Vault

Google Cloud KMS

Google Cloud Key Management Service

Important: Key Availability

If you disable or delete your customer-managed key, DB24x7 will not be able to decrypt your data. Ensure you have proper key backup and recovery procedures in place. We recommend enabling automatic key rotation in your KMS.

Compliance and Certifications

Our encryption implementation meets or exceeds requirements for major compliance frameworks:

SOC 2 Type II

Annual audits verify security controls including encryption

GDPR Compliant

Encryption meets EU data protection requirements

HIPAA Eligible

Suitable for protected health information (PHI)

PCI-DSS Level 1

Meets payment card industry encryption standards
