
Introducing Native Encryption in Turso Cloud

Avinash Sajjanshetty

Whether you're building AI agents handling private data, fintech apps, or healthcare applications, encryption at rest is a baseline requirement. We strongly believe AI agents will soon be handling all sorts of functions in the modern enterprise, and many of these will require access to sensitive data.

To power those workloads, today, we're launching Native Encryption with a Bring-Your-Own-Key model in the Turso Cloud. With the BYOK model, every query or sync request to the Turso Cloud is encrypted with a key that you control. We never see the data. In fact, you can use a different key for each of your customers or business units, providing a chain-of-trust that propagates all the way to your end users.

All databases are already encrypted-at-rest at the volume level in Turso Cloud, as part of our SOC2 standards. See our trust center for details.

BYOK-style Encryption is a great fit for:

  • AI Agents: Managing fleets of trusted agents dealing with personal private data
  • AI/ML applications: Training data and model outputs often contain sensitive information
  • Fintech apps: Regulatory requirements and sensitive financial data
  • Healthcare apps: Protecting patient data and meeting HIPAA compliance
  • Privacy-focused products: User trust depends on strong data protection

#Overview

  • Data Integrity: The database file and Write-Ahead Log (WAL) are encrypted both on disk and on S3. A page is the smallest unit of data that the database reads from or writes to disk. In Turso Cloud, each 4 KiB page is encrypted individually with a unique cryptographically secure nonce. This makes it difficult for an attacker to extract data from an encrypted database.

  • AEAD Algorithms: We only support authenticated encryption with associated data (AEAD) algorithms. These provide both data protection and integrity through authentication tags that act like checksums, protecting against data tampering and corruption.

  • In-Memory Keys: Encryption keys are provided per connection and kept in memory only. They are never stored on disk anywhere in Turso Cloud.

#Encryption Algorithms

We support multiple variants of three AEAD encryption algorithms, offering different trade-offs between performance, compatibility, and compliance.

We support: AEGIS, AES-GCM, and ChaCha20-Poly1305. Refer to the documentation for further details.

#Usage

Generate a secure encryption key. The key size depends on the cipher you choose—32 bytes for 256-bit ciphers, 16 bytes for 128-bit ciphers.

openssl rand -base64 32

Store your key securely. If you lose the encryption key, you will not be able to access your encrypted database. Keys are never stored anywhere in Turso Cloud.

Create an encrypted database using the --remote-encryption-key and --remote-encryption-cipher flags:

turso db create my-secret-db \
  --remote-encryption-key "YOUR_SECRET_KEY" \
  --remote-encryption-cipher aegis128l

You can also upload an existing encrypted database file during creation.

Open the database with the same key:

turso db shell my-secret-db --remote-encryption-key "YOUR_SECRET_KEY"

Try opening the database without the key—you won't be able to access the data. The database is encrypted in the cloud.
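
The key-handling steps above as a shell helper (an added example, not from the original post or Turso's tooling): it generates a key of the length the cipher needs, refuses to overwrite an existing key, and checks length and file permissions before use. The function names and the key file path are hypothetical; only the `turso` flags and `aegis128l` come from the post.

```shell
#!/bin/sh
# Added example; function names and the key file path are hypothetical.

# Key length in bytes for a cipher's key size in bits, per the rule above.
key_bytes() {
  case "$1" in
    128) echo 16 ;;
    256) echo 32 ;;
    *) echo "unsupported key size: $1" >&2; return 1 ;;
  esac
}

# Generate a base64 key into a new file that only the owner can read.
gen_key_file() {  # usage: gen_key_file <bits> <path>
  n=$(key_bytes "$1") || return 1
  # Losing the key means losing the database, so never overwrite one.
  if [ -e "$2" ]; then echo "refusing to overwrite $2" >&2; return 1; fi
  ( umask 077
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -base64 "$n"
    else
      head -c "$n" /dev/urandom | base64
    fi > "$2" )
}

# Decoded length in bytes of the base64 key stored in a file.
key_len() { base64 -d < "$1" | wc -c | tr -d ' '; }

# Check a key file before use: right length, no group/other permissions.
check_key_file() {  # usage: check_key_file <bits> <path>
  want=$(key_bytes "$1") || return 1
  if [ "$(key_len "$2")" != "$want" ]; then
    echo "key in $2 is not $want bytes" >&2; return 1
  fi
  if [ "$(ls -ld "$2" | cut -c5-10)" != "------" ]; then
    echo "$2 is readable by group or others" >&2; return 1
  fi
}

# aegis128l is a 128-bit cipher, so it takes a 16-byte key:
#   gen_key_file 128 ./my-secret-db.key && check_key_file 128 ./my-secret-db.key
#   turso db create my-secret-db \
#     --remote-encryption-key "$(cat ./my-secret-db.key)" \
#     --remote-encryption-cipher aegis128l
# Reading the key from the file keeps the literal out of shell history.
```

The key is still visible in the process argument list while `turso` runs, so run it on a host where other users cannot list your processes.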

#Branching and Point-in-Time Recovery

Encrypted databases support branching and point-in-time recovery (PITR). The new branch will use the same cipher algorithm and the same encryption key. During creation, specify the same encryption key that was used for the parent database.

Database encryption is available on the Enterprise plan. Check out the full documentation to get started.

#Conclusion

BYOK-style encryption, combined with Turso Cloud's ability to create billions of isolated databases, allows highly trusted agents to be built. This means data that would otherwise not be used can now be a part of the decision-making process for agents, leading to better, more relevant outcomes.

If you are interested in exploring Turso Cloud Enterprise, reach out to us to learn more.