Data Security

This section explains the general concepts of data security such as access management, auditing, data encryption, and other data security measures taken for Exasol deployment on public clouds.

General Concepts

Authentication Methods

In order to access the database, users must be authenticated. Exasol provides the following authentication methods:

  • Authenticate by Password: Database users can be authenticated using passwords. You can create a database user authenticated by a password. The database checks the user's password at the time of login. For more information, see CREATE USER.
  • LDAP/AD: LDAP authentication can be used for database users.
    • For database users, there are two steps you need to consider:
      • Add the LDAP server URL to the database instance
      • Create the user according to the LDAP DN string.
    • You can find the corresponding steps in the CREATE USER section. In addition, refer to this Exasol Knowledge Base article that provides you with examples for synchronization of users between LDAP and Exasol.
  • OpenID: Database users can be authenticated using OpenID. You can create database user authenticated by OpenID using CREATE USER or modify an existing user using ALTER USER. The database checks the OpenID parameters specified in the database and verifies the access token or refresh token for user authentication. For more information, see Authentication using OpenID.

Multi-factor authentication (MFA) can be used if it is supported by the authentication provider. For more information, refer to the authentication provider’s documentation.

Access Management

Exasol provides you with the following options for access management:

  • Database Level: Exasol provides system privileges and object level privileges. You can use the privileges to define the access to the database and its objects. For more information about system and object privileges, see Privileges.
  • Row Level: You can use this feature to protect table rows based on ownership (tenant protection) or user roles. For more information, see row-level-security-lua on GitHub.
  • Cluster Level: Exasol separates the classical DBA role (SYS user who has all rights within a database instance) from the role of a cluster administrator that manages a cluster . For such operational tasks, you can create and manage users.

For more information, see Access Management.


Exasol allows you to have auditing for sessions and SQL command execution. The auditing doesn't require any transaction log or any database schema modification. Therefore, it doesn't have any performance impact on the system. Exasol's auditing captures the following:

  • All sessions with information such as driver, client, host, and operating system user.
  • All executed SQL statements with information such as CPU, network, and hard disk read/write.

For more information, see Auditing.

Data Encryption

Exasol uses different data encryption algorithms to secure the data when it transferred through the network or when it is stored on a disk.

  • Data in-motion: The encryption when data is transferred through a network. Exasol uses TLS encryption for JDBC, ODBC, ADO.NET, CLI, and WebSockets. To enforce encryption on the database use the parameter -forceProtocolEncryption=1. As long as encryption is supported, this parameter will force the connection to be encrypted. To know how to upload a TLS certificate, see Upload TLS Certificate.
  • Data at-rest: The encryption when data is stored on a disk. Exasol uses AES-256, a LUKS enhanced version of cryptsetup, for OS and storage disk encryption. If a license server is encrypted, it needs a LUKS passphrase to be accessible after each boot. For a data node, the passphrase is stored and the data node is automatically unlocked during the boot. For permanently deleting data from a disk, Linux tool shred is used (7 iterations and final zero overwrite to hide shredding).

The encryption key is set when a node is created. To change the encryption key later, you must change the encryption key and then install the node again. All data on the node will be deleted.

Security in Public Clouds

Exasol provides enterprise-level security in public clouds such as AWS:

  • Exasol is always deployed in the customer's cloud account, which means that you always have full control over your data.
  • Exasol can be deployed using existing VPCs and subnets to cater to your security requirements or with new networking components.
  • Security groups only require minimum modification for ports. They can be restricted further to be only accessible from your company network.
  • Encryption in-motion and at-rest are enforced in all public clouds for data protection.
  • Support for Identity and Access Management (IAM) is available to specify who has access to the resources.
  • You can configure if resources should be accessible through public IPs or not.

Security with Third-party Tools

Exasol provides integration with some third-party tools for additional security of your data. For more information, see Data Protection.