How to Secure Clusters

Managed Databases are currently in limited availability.

Data in your managed cluster is encrypted at rest using the LUKS (Linux Unified Key Setup) specification and in transit with SSL. However, there are several additional steps you can take to keep your data safe.

SSL Modes

By default, you are not permitted to transmit data unencrypted (meaning SSL is required). This prevents eavesdropping on administrative usernames and passwords, as well as on the data itself, while it is transmitted. However, it doesn’t protect against man-in-the-middle (MITM) attacks or impersonation. Additional checks against these are possible, but they can affect performance and so are not set by default.

The table below links to database-specific SSL Mode documentation.

Database   | Additional Modes
PostgreSQL | verify-ca, verify-full
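
To see which of the checks described above a given PostgreSQL client connection string actually enforces, the following added example (not DigitalOcean's code) audits the `sslmode` and `sslrootcert` parameters as libpq defines them. The function names, hosts, and paths are hypothetical, and the sample connection strings are constructed.

```python
from urllib.parse import parse_qs, urlsplit
import shlex

# What each libpq sslmode enforces on the client side:
# (encryption required, CA chain verified, hostname verified)
MODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # tries plaintext first
    "prefer":      (False, False, False),  # libpq default; can fall back to plaintext
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def parse_dsn(dsn):
    """Return parameters from a postgresql:// URI or a key=value DSN."""
    if dsn.startswith(("postgresql://", "postgres://")):
        return {k: v[-1] for k, v in parse_qs(urlsplit(dsn).query).items()}
    return dict(tok.split("=", 1) for tok in shlex.split(dsn) if "=" in tok)

def audit(dsn):
    """Return a list of findings for one connection string (empty means OK)."""
    params = parse_dsn(dsn)
    mode = params.get("sslmode", "prefer")
    if mode not in MODES:
        return [f"unknown sslmode {mode!r}"]
    encrypted, ca_checked, host_checked = MODES[mode]
    findings = []
    if not encrypted:
        findings.append(f"sslmode={mode}: client does not insist on encryption")
    if not ca_checked:
        findings.append(f"sslmode={mode}: server certificate check not enforced, no MITM protection")
    elif not host_checked:
        findings.append("sslmode=verify-ca: CA chain is checked, server hostname is not")
    if ca_checked and "sslrootcert" not in params:
        findings.append("sslrootcert not set: libpq falls back to ~/.postgresql/root.crt")
    return findings

SAMPLES = [  # constructed connection strings with placeholder hosts and paths
    "postgresql://app:PASSWORD@db.example.com:5432/appdb?sslmode=require",
    "postgresql://app:PASSWORD@db.example.com:5432/appdb?sslmode=verify-full&sslrootcert=/etc/ssl/db-ca.crt",
    "host=db.example.com port=5432 dbname=appdb sslmode=verify-ca",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("?")[0], "->", audit(sample) or "OK")
```
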

Restrict Incoming Connections

You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access a node in your cluster. This prevents brute-force password attacks and denial-of-service attacks from any server not explicitly permitted to communicate with your cluster.

Typically, you’d allow only application servers and connections from administrators’ local machines. Users would access the public-facing site, and that server would in turn authenticate and manage database connections.

When you set a restriction from a node’s Settings page, the IP address of the machine you’re using is automatically detected and added. Your local IP address may change from time to time, and when it does, you will be denied access to the node from your local machine. You can fix that by visiting the control panel and adding the new IP address.

You can also add resources by choosing Droplets or Kubernetes clusters, or by using tags. DigitalOcean Cloud Firewalls are not yet supported.