Upstash has a set of features to help you secure your data. We will list them and at the end of the section we will list the best practises to improve security of database.
TLS is an optional feature which you can enable while creating your database. Once TLS is enabled, the data transfer between the client and database is encrypted. We strongly recommend enabling TLS for production databases.
With Redis ACL, you can improve security by restricting a user’s access to commands and keys, so that untrusted clients have no access and trusted clients have just the minimum required access level to the database. Moreover it improves operational safety, so that clients or users accessing Redis are not allowed to damage the data or the configuration due to errors or mistakes. Check Redis ACL documentation. If you are using the REST API, you can still benefit from ACLs as explained here
When you create a database, a secure password is generated. Upstash keeps the password encrypted. Use environment variables or your provider’s secret management system (e.g. AWS Secrets Manager, Vercel Secrets) to keep them. Do not use them hardcoded in your code. If your password is leaked, reset the password using Upstash console.
Encryption at Rest
Encryption at REST encrypts the block storage where your data is persisted and stored. It is enabled by default for Enterprise databases.
Application Level Encryption
Client side encryption can be used to encrypt data through application lifecycle. Client-side encryption is used to help protect data in use. This comes with some limitations. Operations that must operate on the data, such as increments, comparisons, and searches will not function properly. You can write client-side encryption logic directly in your own application or use functions built into clients such as the Java Lettuce cipher codec. We have plans to support encryption in our SDKs.
We can restrict the access to your database to a set of IP addresses which will have access to your database. This is quite a strong way to secure your database, but it has some limitations. For example you can not know the IP addresses in serverless platforms such AWS Lambda and Vercel functions.
TLS Mutual Authentication
mTLS ensures two-way authentication where both client and server authenticate each other at the same time in the authentication protocol. No client can assess the database without the certificate. The user downloads uses the certificate for their client.
VPC Peering enables you to connect to Upstash from your own VPC using private IP. Database will not be accessible from the public network. Database and your application can run in the same subnet which also minimizes data transfer costs. VPC Peering is only available for Enterprise databases.
AWS Private link provides private connectivity between Upstash Database and your Redis client inside AWS infrastructure. Private link is only available for Enterprise databases.