Learn about the security measures implemented for the Cloud Databases services.
Managed Databases (also called Cloud Databases) allow you to focus on building and deploying cloud applications while OVHcloud takes care of the database infrastructure and maintenance.
Infrastructure & software
When choosing a Business and Enterprise service plan, your data is replicated across multiple nodes, ensuring high availability of your data.
Automatic daily backups
Cloud Databases services are backed up daily. Those backups are encrypted and uploaded to a remote, replicated storage backend in a different data center from the database service. In case of a catastrophic failure of one of our data centers, you can still recover your data with a maximum of 24 hours of data loss. Backup frequency and retention may vary depending on the DBMS and service plan selected.
We perform end-to-end encryption for all our Cloud Databases and backups.
In-transit encryption (transport)
All network traffic to managed database clusters is protected by TLS by default. TLS cannot be disabled.
Depending on the DBMS selected, the default version may vary but the minimum is TLS v1.1. Data that is transmitted to managed databases clusters, as well as data transmitted between nodes of your clusters, is encrypted in transit using TLS.
At-rest encryption (on disk)
At-rest encryption is a database-level protection layer to guarantee that the written files and data are encrypted while stored.
For all the database engines such as MySQL, PostgreSQL, Redis, and so on, at-rest data encryption covers both active service instances as well as service backups in cloud object storage.
Nodes: Service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key for each instance and each volume. The key is never reused and will be trashed at the destruction of the instance, so there’s a natural key rotation with roll-forward upgrades. We use the LUKS2 default mode aes-xts-plain64:sha256 with a 512-bit key.
Backups: Backups are encrypted with a randomly generated key per file. These keys are in turn encrypted with a RSA key-encryption key-pair and stored in the header section of each backup segment. The file encryption is performed with AES-256 in CTR mode with HMAC-SHA256 for integrity protection. The RSA key pair is randomly generated for each service. The key lengths are 256-bit for block encryption, 512-bit for integrity protection, and 3072-bits for the RSA key.
The operation team in charge of the maintenance of the Cloud Databases services is constantly monitoring CVE on the different DBMS available. This monitoring is done through different channels, official mailing lists, the security community, internal security checks, etc...
Cloud Databases provide interconnection with your private network. This option allows you to connect your database to other services in your private network, isolating your service from the outside.
All database services are IPv4 restricted. By default, services are not accessible. Users can specify unique IPs or IP blocks from which the service will accept connections. IP restriction prevents all attacks from the outside of a specific information system.