All databases are encrypted-at-rest at the volume level in the Turso Cloud, as part of our SOC2 standards. See our trust center for details. For Enterprise customers, there is the option to encrypt the databases with a key that you provide (Native Encryption), as described below. Native Encryption happens at the server level, making sure that nobody has access to your data at any time. In fact, because it is possible to encrypt different databases with different keys, it is possible for you to use different keys for different customers’ databases. If the keys themselves are provided by your customers, Native Encryption offers your customers the guarantee that not even you can have access to their data. Turso Cloud native encryption for data at rest uses industry-standard AEAD algorithms. Each database page is encrypted individually, ensuring data integrity and security across all environments. Native encryption is available on the Enterprise plan.
You hold the keys. Each database can be encrypted with its own unique key that only you control. Turso never sees or stores your encryption keys. Encryption works seamlessly with both remote queries and sync.
  • Page-level encryption: Each 4 KiB page is encrypted individually with a unique nonce
  • AEAD algorithms: Support for AEGIS-256, AES-GCM, and ChaCha20Poly1305
  • Data integrity: Built-in authentication tags prevent tampering and corruption
  • In-memory keys: Encryption keys are never stored on disk
Turso Cloud with native encryption is perfect for:
  • AI Agents: Manage a fleet of trusted agents that deal with personal private data
  • Fintech Applications: Meet regulatory requirements for sensitive financial data
  • Privacy-Focused Products: Build user trust with strong data protection
  • Healthcare Apps: Protect patient data and meet HIPAA compliance
  • AI/ML Applications: Secure training data and model outputs

What’s Encrypted

  • The database file and Write-Ahead Log (WAL) file on disk and on S3.

Generate an Encryption Key

Generate a secure encryption key in base64 format. The key size depends on the cipher you choose (see the key sizes listed under Supported Ciphers below):
For AEGIS-256 variants, AES-256-GCM and ChaCha20-Poly1305 (32-byte keys):
openssl rand -base64 32
Output example:
YUfkdsD2SJe4KzTB8n6CjwCgs1YIW6k1xxMEguRuI5s=
Store your key securely! If you lose the encryption key, you will not be able to access your encrypted database. Keys are never stored anywhere in the Turso Cloud.
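The key you pass to --remote-encryption-key must decode to exactly the size the chosen cipher code expects (16 bytes for the 128-bit codes, 32 bytes for the 256-bit codes in the Supported Ciphers tables), so a 32-byte key generated as above only fits the 256-bit codes. The following shell script is an added example, not part of the Turso CLI or its docs: it generates a key of the right size for a given cipher code and checks an existing base64 key before it is used. It assumes openssl and a base64 command that accepts -d (GNU coreutils).

```shell
#!/bin/sh
# Added example: size-check base64 keys against Turso cipher codes.

# Key size in bytes for each cipher code from the Supported Ciphers tables.
key_bytes_for_cipher() {
  case "$1" in
    aegis128l|aegis128x2|aegis128x4|aes128gcm) echo 16 ;;
    aegis256|aegis256x2|aegis256x4|aes256gcm|chacha20poly1305) echo 32 ;;
    *) return 2 ;;   # unknown cipher code
  esac
}

# Decoded length in bytes of a base64 key (0 if it does not decode at all).
key_byte_len() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Exit 0 if the key decodes to exactly the size the cipher needs,
# 1 if the size is wrong, 2 if the cipher code is unknown.
check_key_for_cipher() {
  key=$1
  cipher=$2
  want=$(key_bytes_for_cipher "$cipher") || return 2
  have=$(key_byte_len "$key")
  [ "$have" -eq "$want" ]
}

# Generate a fresh key of the right size for the cipher code, using the
# same openssl command the docs use (16 or 32 random bytes, base64-encoded).
new_key_for_cipher() {
  n=$(key_bytes_for_cipher "$1") || return 2
  openssl rand -base64 "$n"
}

# Usage: ./mkkey.sh aegis128l   (prints a 24-character base64 key)
#        ./mkkey.sh aegis256    (prints a 44-character base64 key)
if [ -n "${1:-}" ]; then
  new_key_for_cipher "$1" || { echo "unknown cipher code: $1" >&2; exit 2; }
fi
```

Run `check_key_for_cipher "$TURSO_DB_REMOTE_ENCRYPTION_KEY" aegis256` before `turso db create` to catch a key/cipher size mismatch locally.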

Create an Encrypted Database

1. Launch with encryption

Use the --remote-encryption-key and --remote-encryption-cipher flags to pass your key and cipher to the database creation command:
turso db create my-secret-db --remote-encryption-key "YOUR_SECRET_KEY" --remote-encryption-cipher aegis128l
Replace YOUR_SECRET_KEY with the key you generated above. You can also set the TURSO_DB_REMOTE_ENCRYPTION_KEY environment variable instead of passing the flag each time.

2. Create and insert data

Use the --remote-encryption-key flag to start the shell, then create a table and insert some data:
turso db shell my-secret-db --remote-encryption-key "YOUR_SECRET_KEY"
CREATE TABLE secrets (id INT, data TEXT);
INSERT INTO secrets VALUES (1, 'sensitive information');
INSERT INTO secrets VALUES (2, 'confidential data');

3. Verify encryption

Exit the shell (type .quit) and try to open the database without the key:
turso db shell my-secret-db
You won’t be able to access the data. The database is encrypted in the cloud.

Upload Existing Database

To upload an existing encrypted database, provide the cipher and key flags during creation:
turso db create my-secret-db --remote-encryption-key "YOUR_SECRET_KEY" --remote-encryption-cipher aegis128l --from-file my-db.db

Branching and Point-in-Time Recovery (PITR)

Encrypted databases support branching and point-in-time recovery (PITR). The new branch uses the same cipher algorithm and the same encryption key, so during creation you need to specify the same encryption key that was used for the parent database:
turso db create my-secret-db-fork --remote-encryption-key "YOUR_SECRET_KEY" --from-db my-secret-db

Rekeying

Rekeying is not supported yet. However, you can export the database and create a new one with a different cipher and key:
turso db export my-secret-db --remote-encryption-key "YOUR_SECRET_KEY"
turso db create my-new-secret-db --remote-encryption-key "YOUR_NEW_SECRET_KEY" --remote-encryption-cipher aegis256 --from-file my-secret-db.db

Supported Ciphers

Turso Cloud supports multiple variants of three AEAD encryption algorithms, offering different trade-offs between performance and compatibility.

AES-GCM

NIST-approved standard for compliance requirements. Widely supported across industries.
| Cipher      | Key Size           | Cipher Code | Use Case                             |
|-------------|--------------------|-------------|--------------------------------------|
| AES-128-GCM | 128-bit (16 bytes) | aes128gcm   | Compliance with 128-bit requirements |
| AES-256-GCM | 256-bit (32 bytes) | aes256gcm   | Maximum security for compliance      |

ChaCha20-Poly1305

| Cipher            | Key Size           | Cipher Code      | Use Case            |
|-------------------|--------------------|------------------|---------------------|
| ChaCha20-Poly1305 | 256-bit (32 bytes) | chacha20poly1305 | Alternative for AES |

AEGIS

Modern, high-performance cipher family optimized for speed. Recommended for most use cases.
| Cipher      | Key Size           | Cipher Code | Use Case                                |
|-------------|--------------------|-------------|-----------------------------------------|
| AEGIS-128L  | 128-bit (16 bytes) | aegis128l   | Balanced performance, 128-bit security  |
| AEGIS-128X2 | 128-bit (16 bytes) | aegis128x2  | 2x parallel processing                  |
| AEGIS-128X4 | 128-bit (16 bytes) | aegis128x4  | 4x parallel processing, maximum speed   |
| AEGIS-256   | 256-bit (32 bytes) | aegis256    | Balanced 256-bit security               |
| AEGIS-256X2 | 256-bit (32 bytes) | aegis256x2  | 2x parallel processing, 256-bit         |
| AEGIS-256X4 | 256-bit (32 bytes) | aegis256x4  | 4x parallel, maximum speed & security   |
Choosing a cipher:
  • Use aegis128l for 128-bit encryption or aegis256 for 256-bit encryption (default recommendation)
  • For AES, use aes128gcm for 128-bit encryption or aes256gcm for 256-bit encryption; chacha20poly1305 is a 256-bit alternative to AES

Future Work

Future encryption features in development:
  • Encrypt existing databases: Migrate unencrypted databases to encrypted format
  • Key rotation: Update encryption keys without data loss