Data security
This page details the data security properties of KV, including:
- Encryption-at-rest (EAR).
- Encryption-in-transit (EIT).
- Cloudflare’s compliance certifications.
Encryption at Rest
All values stored in KV are encrypted at rest. Encryption and decryption are automatic, do not require user configuration to enable, and do not impact the effective performance of KV.
Values are only decrypted by the process executing your Worker code or responding to your API requests.
Encryption keys are managed by Cloudflare and securely stored in the same key management systems we use for managing encrypted data across Cloudflare internally.
Objects are encrypted using AES-256 ↗, a widely tested, highly performant and industry-standard encryption algorithm. KV uses GCM (Galois/Counter Mode) as its preferred mode.
Encryption in Transit
Data transfer between a Cloudflare Worker, and/or between nodes within the Cloudflare network and KV is secured using the same Transport Layer Security ↗ (TLS/SSL).
API access via the HTTP API or using the wrangler command-line interface is also over TLS/SSL (HTTPS).
Compliance
To learn more about Cloudflare’s adherence to industry-standard security compliance certifications, refer to Cloudflare’s Trust Hub ↗.