Database Encryption
Database Encryption in Transit
Aptible Databases are configured to allow connecting with SSL. Where possible, they are also configured to require SSL to ensure data is encrypted in transit. See the documentation for your supported Database type for details on how it’s configured.
Trusted Certificates
Most supported database types use our wildcard*.aptible.in certificate for SSL / TLS termination and most clients should be able to use the local trust store to verify the validity of this certificate without issue. Depending on your client, you may still need to enable an option for force verification. Please see your client documentation for further details.
Aptible CA Signed Certificates
While most Database types leverage the*.aptible.in certificate as above, other types (MySQL and PostgreSQL) have ways of revealing the private key as the provided default aptible user’s permission set, so they cannot use this certificate without creating a security risk. In these cases, Deploy uses a Certificate Authority unique to each environment in order to a generate a server certificate for each of your databases.
The documentation for your supported Database type will specify if it uses such a certificate: currently this applies to MySQL and PostgreSQL databases only.
In order to perform certificate verification for these databases, you will need to provide the CA certificate to your client. To retrieve the CA certificate required to verify the server certificate for your database, use the aptible environment:ca_cert command to retrieve the CA certificate for you environment(s).