DOC-12393 native encryption at rest

modules/ROOT/nav.adoc

@@ -96,6 +96,7 @@ include::third-party:partial$nav.adoc[]
  ** xref:learn:security/on-the-wire-security.adoc[On-the-Wire Security]
  ** xref:learn:security/auditing.adoc[Auditing]
  ** xref:learn:security/encryption-overview.adoc[Encryption]
+ *** xref:learn:security/native-encryption-at-rest-overview.adoc[]
 
 .Manage
 * xref:manage:management-overview.adoc[Overview]
@@ -156,6 +157,7 @@ include::third-party:partial$nav.adoc[]
    **** xref:manage:manage-security/rotate-server-certificates.adoc[Certificate Rotation]
    **** xref:manage:manage-security/handle-certificate-errors.adoc[Certificate Error Handling]
  ** xref:manage:manage-security/manage-tls.adoc[Manage On-the-Wire Security]
+ ** xref:manage:manage-security/manage-native-encryption-at-rest.adoc[]
  ** xref:manage:manage-security/manage-auditing.adoc[Manage Auditing]
  ** xref:manage:manage-security/manage-sessions.adoc[Manage Sessions]
  ** xref:manage:manage-security/manage-console-access.adoc[Manage Console Access]
@@ -444,6 +446,10 @@ include::cli:partial$cbcli/nav.adoc[]
      ***** xref:rest-api:rest-regenerate-all-certs.adoc[Regenerate All Certificates]
      ***** xref:rest-api:deprecated-security-apis/deprecated-certificate-management-apis.adoc[Deprecated Certificate Management APIs]
       ****** xref:rest-api:deprecated-security-apis/upload-retrieve-root-cert.adoc[Upload and Retrieve the Root Certificate]
+   *** xref:rest-api:security/encryption-at-rest/encryption-at-rest.adoc[]
+   **** xref:rest-api:security/encryption-at-rest/manage-encryption-keys.adoc[]
+   **** xref:rest-api:security/encryption-at-rest/manage-system-encryption-at-rest.adoc[]
+   **** xref:rest-api:security/encryption-at-rest/rotate-encryption-at-rest-key.adoc[]
 
    *** xref:rest-api:rest-authorization.adoc[Authorization API]
     **** xref:rest-api:rbac.adoc[Role-Based Access Control (RBAC)]

modules/introduction/partials/new-features-80.adoc

@@ -1,8 +1,6 @@
 [#section-new-feature-800-couchbase-cluster]
 === Couchbase Cluster
 
-
-
 https://jira.issues.couchbase.com/browse/MB-61457[MB-61457]::
 The following settings have been added to the `/pools/default/buckets` REST APIs.
 +
@@ -165,3 +163,10 @@ It is now possible to change the plan used by a repository.
 The repository first needs to be paused, and then the plan can be changed,
 and the repository resumed, where it will now execute the tasks from its new plan.
 
+=== Security
+
+https://jira.issues.couchbase.com/browse/MB-16143[MB-16143]::
+Couchbase Server Enterprise now supports native encryption at rest.
+You can encrypt bucket data, audits, and most logging and configuration information.
+You choose which buckets to encrypt and which remain unencrypted.
+See xref:learn:security/native-encryption-at-rest-overview.adoc[] for more information.

modules/learn/pages/security/authentication-domains.adoc

@@ -10,16 +10,17 @@
 Couchbase Server authenticates each user by means of one of two _authentication domains_.
 The domains are:
 
-* _Local_: Contains users defined locally.
+[#local-domain]
+* Local: Contains users defined locally.
 This includes:
 
- ** The _Full Administrator_ for Couchbase Server.
+ ** The Full Administrator for Couchbase Server.
 
- ** _Locally Defined Users_, which are explicitly created by a Couchbase Server administrator; and each feature a username and password unique within the Local domain.
+ ** Locally Defined Users, which are explicitly created by a Couchbase Server administrator; and each feature a username and password unique within the Local domain.
 
- ** _Internal Components_ within Couchbase Server that support core  functionality (for example, indexing, searching, and replicating), and run  with full administrative privileges.
+ ** Internal Components within Couchbase Server that support core  functionality (for example, indexing, searching, and replicating), and run  with full administrative privileges.
 
- ** _Generated Users_, which are created by Couchbase Server as part of the  upgrade process from pre-5.0 to 5.0 and post-5.0 versions; each in  correspondence with a legacy bucket.
+ ** Generated Users, which are created by Couchbase Server as part of the  upgrade process from pre-5.0 to 5.0 and post-5.0 versions; each in  correspondence with a legacy bucket.
 Each Generated User is assigned a _username_ that is identical to the bucket-name; and either a _password_ that is identical to the bucket's pre-5.0 password, or _no password_, if the bucket did not feature a password.
 Generated Users are created to ensure that legacy applications can continue to access legacy buckets after upgrade to 5.0 or post-5.0, with the same username-password combination being used for authentication.
 +

modules/learn/pages/security/encryption-overview.adoc

@@ -1,91 +1,91 @@
 = Encryption
-:description: pass:q[Couchbase Server uses _encryption_, to protect data.]
+:description: pass:q[Couchbase Server lets you use encryption to protect data.]
+:page-toclevels: 2
 
 [abstract]
 {description}
+You can configure network encryption for communications with clients, between nodes in the cluster, and with other clusters when using Cross-Datacenter Replication (XDCR).
+Couchbase Server supports encrypting data stored on disk to limit data exposure.
+You can also have your application store encrypted attributes in documents.
+This topic provides an overview of the encryption features in Couchbase Server.
 
-[#encryption-in-couchbase-server]
-== Encryption in Couchbase Server
-
-By means of _encryption_, data is encoded such that it is non-readable, other than by authorized parties who possess the appropriate means of _decryption_.
-Prior to decryption, therefore, encrypted data can be securely saved or transmitted.
-This ensures the privacy of user-data, and the integrity of servers and their clients.
-
-Couchbase Server provides extensive support for data encryption and decryption.
-Multiple areas of the system are affected: therefore, essential information is distributed throughout the documentation set.
-
-[#areas-of-encryption]
-== Areas of Encryption
-
-The principal areas of Couchbase Server encryption-support are listed below, along with links to further information.
 
 [#encryption-on-the-wire]
-=== Encryption on the Wire
-
-This allows data to pass in encrypted form between nodes, between clusters, and between a cluster and its clients.
+== Network Encryption
 
-* *Node-to-Node Encryption*.
-Network traffic between the individual nodes of a Couchbase-Server cluster can be encrypted, in order to optimize cluster-internal security.
-See xref:learn:clusters-and-availability/node-to-node-encryption.adoc[Node-to-Node Encryption].
+You can choose to encrypt client connections, intra-node connections, and cluster-to-cluster connections. 
+You configure each connection type separately.
+For example, you can choose to encrypt client connections, but leave connections between nodes in a cluster unencrypted.
 
-* *On-the-Wire Security Configuration*.
-To support secure communications between nodes, clusters, and clients, Couchbase Server provides interfaces for the configuration of _TLS_ and supportive _cipher-suites_; of cluster-internal encryption-levels; and of secure UI-access.
-See xref:learn:security/on-the-wire-security.adoc[On-the-Wire Security] for a conceptual overview, and xref:manage:manage-security/manage-tls.adoc[Manage On-the-Wire Security] for step-by-step configuration-instructions.
+Couchbase Server supports the following types of network encryption:
 
-* *Secure Console Access*.
-Administrators can connect securely to Couchbase Web Console.
-Non-secure access can be disabled, for extra security.
-See xref:manage:manage-security/manage-console-access.adoc[Manage Console Access].
+Node to Node::
+You can choose to encrypt all internal traffic between nodes in the cluster.
+This configuration helps limit data leakage from network intrusions.
+See xref:learn:clusters-and-availability/node-to-node-encryption.adoc[].
 
-* *X.509 Certificates*.
-These support encrypted communications between nodes, between clusters, and between a cluster and its clients.
 
-** xref:learn:security/certificates.adoc[Certificates] provides an overview of certificates and their management.
+Client Connections::
+You can make encryption optional or required for client connections. 
+See xref:manage:manage-security/configure-client-certificates.adoc#enabling-client-security[Securing Client Access with TLS].
 
-** xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates] explains the practical steps towards configuring certificates for Couchbase Server.
-This page also provides information on working with different versions of SSL/TLS, and on supported _ciphers_.
+Couchbase Server Web Console Access::
+You can configure the Web Console to require secure connections. 
+See xref:manage:manage-security/manage-console-access.adoc[].
 
-** xref:manage:manage-security/configure-client-certificates.adoc[Configure Client Certificates] describes how to create a certificate to allow a client's secure access to Couchbase Server.
+Secure Access to Services::
+You can configure Couchbase Server services to only use secure ports.
+See xref:install:install-ports.adoc[].
 
-** xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client-Certificate Handling] explains how to configure Couchbase Server to accept communications from clients that wish to authenticate and communicate securely by means of certificates.
+Secure XDCR Replication::
+You can encrypt XDCR replication between Couchbase Server clusters.
+See xref:manage:manage-xdcr/enable-full-secure-replication.adoc[].
 
-** xref:manage:manage-security/rotate-server-certificates.adoc[Certificate Rotation] provides steps whereby server certificates can be _rotated_ periodically, to ensure optimal security.
+Couchbase Server TLS Support:: 
+Couchbase Server uses Transport Layer Security (TLS) with a selection of cipher-suites for network encryption.
+See the following pages for more information about Couchbase Server's TLS support:
++
+* xref:learn:security/on-the-wire-security.adoc[] provides a conceptual overview of TLS in Couchbase Server.
+* xref:manage:manage-security/manage-tls.adoc[] has step-by-step configuration instructions.
+* xref:manage:manage-security/manage-connections-and-disks.adoc[] has a general overview of network security best practices.
 
-** xref:manage:manage-security/handle-certificate-errors.adoc[Certificate Error Handling] explains how to handle errors related to certificate-based secure communication.
 
-** xref:manage:manage-xdcr/enable-full-secure-replication.adoc[Enable Fully Secure Replications] describes how certificates can be used to ensure that data is replicated securely between clusters.
+[#encryption-at-rest]
+== Encryption at Rest
 
-** xref:rest-api:rest-certificate-management.adoc[Certificate Management API] lists the REST API methods and URIs available for certificate management.
+Encryption at rest encrypts files stored on disk.
+The files you can encrypt include those that store database data, configuration, logs, and audits.
+Encrypting data at rest can help limit the exposure of confidential information from a security breach. 
 
-** The xref:cli:cbcli/couchbase-cli-ssl-manage.adoc[ssl-manage] CLI command supports management of SSL certificates.
+You have several options to encrypt your data at rest:
 
-* *Secure Ports*.
-Services are available on secure ports.
-See xref:install:install-ports.adoc[Couchbase Server Ports].
+Use the Couchbase Server native encryption at-rest feature::
+Couchbase Server Enterprise has a built-in encryption-at-rest feature where it encrypts data as it saves it to disk.
+Using the built-in encryption lets you fine-tune which data is encrypted and which it not.
+For example, you can choose to encrypt sensitive customer data, while leaving less sensitive data, such as product catalog data, unencrypted.
+By encrypting just the sensitive data in your database, you can limit the overhead of encrypting and decrypting data.
+See xref:learn:security/native-encryption-at-rest-overview.adoc[] for more information.
 
-* *General Network Security*.
-Best practices for ensuring the security of the network are provided in xref:manage:manage-security/manage-connections-and-disks.adoc[Network Security Recommendations].
+Use third-party tools::
+Third party tools such as https://cpl.thalesgroup.com/encryption/transparent-encryption[Thales CipherTrust^] (formerly known as Vormetric/Gemalto) and https://www.protegrity.com/[Protegrity^] can provide centralized encryption at rest. 
 
-[#encryption-at-rest]
-=== Encryption at Rest
+Use OS-level disk encryption::
+You can use disk encryption such as the LUKS encrypted filesystem which is available on Linux.
+See xref:manage:manage-security/manage-connections-and-disks.adoc#securing-on-disk-data[Securing On-Disk Data].
 
-Encryption _at Rest_ (meaning, on disk or other storage-device) allows passwords and data in files and directories to be encrypted.
 
-* *Data in Files and Directories*.
-Programs are available for the encryption of data in files and directories.
-See xref:manage:manage-security/manage-connections-and-disks.adoc#securing-on-disk-data[Securing On-Disk Data].
+== System Secrets
 
-* *System Secrets*.
-Passwords, certificates, and other items essential to Couchbase-Server security can be written to disk in encrypted format.
+Couchbase Server can write passwords, certificates, and other sensitive information to disk in encrypted format.
 See xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets].
 
 [#encryption-in-applications]
-=== Encryption in Applications
+== Encryption in Applications
 
-* *Field Level Encryption*.
-This allows fields within a document to be securely encrypted by the SDK, to support FIPS-140-2 compliance.
-See xref:java-sdk:howtos:encrypting-using-sdk.adoc[Field Level Encryption], for an overview.
+Applications can use the SDK to store fields in encrypted format.
+See the SDK documentation for your development language for more information.
+For example:
 
-* *Field Level Encryption from the Java SDK*.
-Provides directions for configuring encrypted field-level communication with Couchbase Server.
-See xref:java-sdk:concept-docs:encryption.adoc[Field Level Encryption from the Java SDK].
+* Go SDK: xref:go-sdk:howtos:encrypting-using-sdk.adoc[]
+* Java SDK: xref:java-sdk:howtos:encrypting-using-sdk.adoc[]
+* Python SDK: xref:python-sdk:howtos:encrypting-using-sdk.adoc[]