# TLS & Encryption

All database connections use TLS. There is no option to disable it.

## Certificate Authority

FoundryDB issues certificates from Let's Encrypt. Certificates are automatically renewed before expiry — no action required.

The issuing CA chain is trusted by all major operating systems and runtimes. No custom CA installation is needed.
## Verify a Certificate

```bash
# PostgreSQL (STARTTLS upgrade on the plaintext port)
echo | openssl s_client -connect yourdb.foundrydb.com:5432 -starttls postgres 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

# MySQL (STARTTLS upgrade on the plaintext port)
echo | openssl s_client -connect yourdb.foundrydb.com:3306 -starttls mysql 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

# MongoDB, Valkey, Kafka, OpenSearch (direct TLS; substitute the engine's port)
echo | openssl s_client -connect yourdb.foundrydb.com:27017 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
```
## TLS Ports

| Engine | Port | Protocol |
|---|---|---|
| PostgreSQL | 5432 | TLS via STARTTLS |
| PostgreSQL (PgBouncer) | 5433 | TLS via STARTTLS |
| MySQL | 3306 | TLS via STARTTLS |
| MySQL (ProxySQL) | 6033 | TLS via STARTTLS |
| MongoDB | 27017 | Direct TLS |
| Valkey | 6380 | Direct TLS |
| Kafka | 9093 | Direct TLS (SASL_SSL) |
| OpenSearch | 9200 | HTTPS |
| SQL Server (Babelfish) | 1433 | TLS |
## TLS Version

All endpoints negotiate TLS 1.2 or TLS 1.3. TLS 1.0 and 1.1 are not accepted.
## Client Configuration

### PostgreSQL (sslmode)

| sslmode | Behaviour |
|---|---|
| verify-full | Verify server cert and hostname (recommended) |
| verify-ca | Verify cert but not hostname |
| require | Encrypt, skip verification |

Recommended:

```bash
PGPASSWORD=secret psql "host=yourdb.foundrydb.com user=app sslmode=verify-full"
```
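The three sslmode levels above differ only in what the client checks once TLS is up, and the Verify a Certificate section shows that PostgreSQL needs a STARTTLS upgrade while the other engines speak TLS from the first byte. The following script, an added example that is not FoundryDB's own code, makes both points concrete with the Python standard library: `context_for()` builds an `ssl.SSLContext` equivalent to each sslmode value (and pins the TLS 1.2 minimum the endpoints enforce), and `probe()` performs the PostgreSQL SSLRequest handshake or a direct TLS connection and returns the negotiated version and certificate details. The hostname and ports are the assumed values from this page; run it against your own endpoint.

```python
"""Probe a FoundryDB endpoint the way a verify-full client would.

Added example, not FoundryDB code. The hostname is the page's placeholder
and the ports come from the TLS Ports table; adjust both for your service.
"""
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8) followed by the request
# code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
PG_SSL_REQUEST_CODE = 80877103


def postgres_ssl_request() -> bytes:
    """Bytes a client writes on the plaintext socket to ask PostgreSQL for TLS."""
    return struct.pack("!ii", 8, PG_SSL_REQUEST_CODE)


def context_for(mode: str) -> ssl.SSLContext:
    """Map libpq sslmode values onto an ssl.SSLContext.

    require      encrypt only; any certificate is accepted
    verify-ca    certificate must chain to a trusted CA; hostname ignored
    verify-full  chain and hostname both checked (what a client should use)
    """
    ctx = ssl.create_default_context()            # system CA bundle: the
                                                  # Let's Encrypt chain is in it
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirror the endpoint policy
    if mode == "verify-full":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif mode == "verify-ca":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif mode == "require":
        ctx.check_hostname = False                # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unsupported sslmode: {mode}")
    return ctx


def probe(host: str, port: int, mode: str = "verify-full",
          starttls_postgres: bool = False, timeout: float = 5.0) -> dict:
    """Connect, upgrade to TLS (STARTTLS for PostgreSQL, direct otherwise) and
    return the negotiated version plus certificate subject, issuer and expiry."""
    ctx = context_for(mode)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls_postgres:
            raw.sendall(postgres_ssl_request())
            answer = raw.recv(1)                  # b"S" = proceed, b"N" = refused
            if answer != b"S":
                raise RuntimeError(f"server declined TLS upgrade: {answer!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()              # {} when mode == "require"

            def rdn(name: str) -> dict:
                # Flatten the ((('commonName', 'x'),), ...) tuple form
                return dict(item[0] for item in cert.get(name, ()))

            return {
                "tls_version": tls.version(),
                "subject": rdn("subject"),
                "issuer": rdn("issuer"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Assumed hostname from the page; PostgreSQL needs STARTTLS, MongoDB does not.
    print(probe("yourdb.foundrydb.com", 5432, starttls_postgres=True))
    print(probe("yourdb.foundrydb.com", 27017))
```

Because `context_for("require")` sets `CERT_NONE`, `getpeercert()` returns an empty dict there, which is the practical meaning of "encrypt, skip verification": the connection is private against a passive observer but the client has not checked who it is talking to. Use `verify-full` unless you have a specific reason not to.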
### MySQL (--ssl-mode)

| ssl-mode | Behaviour |
|---|---|
| VERIFY_IDENTITY | Verify cert + hostname (recommended) |
| VERIFY_CA | Verify cert only |
| REQUIRED | Encrypt, skip verification |

```bash
mysql -h yourdb.foundrydb.com -u app -p --ssl-mode=VERIFY_IDENTITY
```
### MongoDB

```
mongodb://app:secret@yourdb.foundrydb.com:27017/defaultdb?tls=true
```

### Valkey (redis-cli)

```bash
redis-cli -h yourdb.foundrydb.com -p 6380 --tls --user app --pass secret
```
### Kafka

Configure `ssl.truststore` with the system CA bundle, and set `security.protocol=SASL_SSL`. The system bundle is a PEM file rather than a JKS keystore, so the Java client also needs `ssl.truststore.type=PEM` (supported since Kafka 2.7); without it the client fails to load the truststore.

```properties
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
# System CA bundle (Debian/Ubuntu path); tell the client it is PEM, not JKS
ssl.truststore.location=/etc/ssl/certs/ca-certificates.crt
ssl.truststore.type=PEM
```
## Encryption at Rest

### Storage Volumes

All storage volumes are encrypted at rest using AES-256 at the infrastructure level. This is enforced by default and cannot be disabled. Encryption covers:

- Database storage where your live data resides
- Backup storage for local backups and write-ahead logs
- System storage including the database engine

Encryption is transparent to your application with no performance impact. You can verify the status of any service:

```bash
curl -u admin:password https://api.foundrydb.com/managed-services/{id} \
  | jq '.storage_encrypted'
# true
```
### Credentials

All sensitive data stored by the platform (database passwords, API tokens, connection strings) is encrypted with AES-256-GCM before being persisted. Credentials are never stored in plaintext.

### Backups

Backups are encrypted with AES-256-GCM before upload to object storage. Each backup receives a unique encryption key. Both scheduled and on-demand backups are encrypted by default.