You hold the keys. Each database can be encrypted with its own unique key that only you control. Turso never sees or stores your encryption keys. Encryption works seamlessly with both remote queries and sync.
- Page-level encryption: Each 4 KiB page is encrypted individually with a unique nonce
- AEAD algorithms: Support for AEGIS-256, AES-GCM, and ChaCha20Poly1305
- Data integrity: Built-in authentication tags prevent tampering and corruption
- In-memory keys: Encryption keys are never stored on disk
- AI Agents: Manage a fleet of trusted agents that deal with personal private data
- Fintech Applications: Meet regulatory requirements for sensitive financial data
- Privacy-Focused Products: Build user trust with strong data protection
- Healthcare Apps: Protect patient data and meet HIPAA compliance
- AI/ML Applications: Secure training data and model outputs
What’s Encrypted
Encrypted
- The database file and Write-Ahead Log (WAL) file on disk and on S3.
Generate an Encryption Key
Generate a secure encryption key in base64 format. The key size depends on the cipher you choose:
- 256-bit (32 bytes)
- 128-bit (16 bytes)
For AEGIS-256 variants and AES-256-GCM:
Output example:
Create an Encrypted Database
1. Launch with encryption
Use the --remote-encryption-key and --remote-encryption-cipher flags to specify your cipher and key in the database creation command:
Replace YOUR_SECRET_KEY with the key you generated above. You can also set the TURSO_DB_REMOTE_ENCRYPTION_KEY environment variable instead of passing the flag each time.
2. Create and insert data
Use the --remote-encryption-key flag to start the shell, create a table and insert some data:
3. Verify encryption
Exit the shell (type .quit) and try to open the database without the key:
You won’t be able to access the data. The database is encrypted in the cloud.
Upload Existing Database
To upload an existing encrypted database, provide the cipher and key flags during creation:
Branching and Point-in-Time Recovery (PITR)
Encrypted databases support branching and point-in-time recovery (PITR). The new branch will use the same cipher algorithm and the same encryption key. During creation you need to specify the same encryption key that was used for the parent database:
Supported Ciphers
Turso Cloud supports multiple variants of three AEAD encryption algorithms, offering different trade-offs between performance and compatibility.
AES-GCM
NIST-approved standard for compliance requirements. Widely supported across industries.
| Cipher | Key Size | Cipher Code | Use Case |
|---|---|---|---|
| AES-128-GCM | 128-bit (16 bytes) | aes128gcm | Compliance with 128-bit requirements |
| AES-256-GCM | 256-bit (32 bytes) | aes256gcm | Maximum security for compliance |
ChaCha20-Poly1305
| Cipher | Key Size | Cipher Code | Use Case |
|---|---|---|---|
| ChaCha20-Poly1305 | 256-bit (32 bytes) | chacha20poly1305 | Alternative for AES |
AEGIS
Modern, high-performance cipher family optimized for speed. Recommended for most use cases.
| Cipher | Key Size | Cipher Code | Use Case |
|---|---|---|---|
| AEGIS-128L | 128-bit (16 bytes) | aegis128l | Balanced performance, 128-bit security |
| AEGIS-128X2 | 128-bit (16 bytes) | aegis128x2 | 2x parallel processing |
| AEGIS-128X4 | 128-bit (16 bytes) | aegis128x4 | 4x parallel processing, maximum speed |
| AEGIS-256 | 256-bit (32 bytes) | aegis256 | Balanced 256-bit security |
| AEGIS-256X2 | 256-bit (32 bytes) | aegis256x2 | 2x parallel processing, 256-bit |
| AEGIS-256X4 | 256-bit (32 bytes) | aegis256x4 | 4x parallel, maximum speed & security |
Choosing a cipher:
- Use aegis128l for 128 bit encryption, aegis256 for 256 bit encryption (default recommendation)
- For AES, use aes128gcm for 128 bit encryption, aes256gcm or chacha20poly1305 for 256 bit encryption
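The key size has to match the cipher code, so a mismatch is worth catching before a key is handed to the CLI. The following is an added example, not taken from Turso's documentation: shell helpers that map each cipher code in the tables above to its key length, generate a base64 key of that length, and reject a key whose decoded length does not fit the cipher. The function names are hypothetical, and the script assumes GNU coreutils (head -c, base64 -d) and /dev/urandom.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the Turso CLI.

# key_bytes CIPHER_CODE: print the key length in bytes for a cipher code
# from the Supported Ciphers tables; fail on anything else.
key_bytes() {
    case "$1" in
        aes128gcm|aegis128l|aegis128x2|aegis128x4) echo 16 ;;
        aes256gcm|chacha20poly1305|aegis256|aegis256x2|aegis256x4) echo 32 ;;
        *) echo "unknown cipher code: $1" >&2; return 1 ;;
    esac
}

# generate_key CIPHER_CODE: print a fresh base64 key of the right length,
# read from the kernel CSPRNG.
generate_key() {
    n=$(key_bytes "$1") || return 1
    head -c "$n" /dev/urandom | base64 | tr -d '\n'
}

# check_key CIPHER_CODE BASE64_KEY: succeed only if the key is valid base64
# and decodes to exactly the length the cipher needs.
check_key() {
    n=$(key_bytes "$1") || return 1
    printf '%s' "$2" | base64 -d >/dev/null 2>&1 || return 1
    got=$(printf '%s' "$2" | base64 -d | wc -c | tr -d ' ')
    [ "$got" -eq "$n" ]
}

# Demo: generate a key, verify it, and report without printing the secret.
key=$(generate_key aegis256) && check_key aegis256 "$key" &&
    echo "aegis256 key OK (${#key} base64 characters)"
```

Because the keys are never stored by the service, keep the generated value in a secrets manager rather than in shell history or a committed file.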
Future Work
Future encryption features in development:
- Encrypt existing databases: Migrate unencrypted databases to encrypted format
- Key rotation: Update encryption keys without data loss