Data security
This page details the data security properties of Durable Objects, including:
- Encryption-at-rest (EAR).
- Encryption-in-transit (EIT).
- Cloudflare’s compliance certifications.
All Durable Object data, including metadata, is encrypted at rest. Encryption and decryption are automatic, do not require user configuration to enable, and do not impact the effective performance of Durable Objects.
Encryption keys are managed by Cloudflare and securely stored in the same key management systems we use for managing encrypted data across Cloudflare internally.
Encryption at rest is implemented using the Linux Unified Key Setup (LUKS) disk encryption specification and AES-256 ↗, a widely tested, highly performant and industry-standard encryption algorithm.
Data transfer between a Cloudflare Worker, and/or between nodes within the Cloudflare network and Durable Objects is secured using the same Transport Layer Security ↗ (TLS/SSL).
API access via the HTTP API or using the wrangler command-line interface is also over TLS/SSL (HTTPS).
To learn more about Cloudflare’s adherence to industry-standard security compliance certifications, visit the Cloudflare Trust Hub ↗.