Enterprise security is a key factor in reducing cost-of-ownership and getting new solutions into production efficiently. With CockroachDB v26.1, available as of February 3rd in CockroachDB Cloud and February 18th for CockroachDB self-hosted, we are introducing security improvements that help organizations integrate CockroachDB more seamlessly with their existing security infrastructure.
Instead of just “quick authentication,” organizations need to prevent the oversharing of sensitive data to AI models. CockroachDB enables fine-grained data governance and zero-trust access for AI agents, so you can easily implement row-level security and strict authorization policies. This ensures AI agents only access data they are explicitly permitted to see, while guaranteeing data sovereignty by pinning data to specific jurisdictions to meet compliance laws like GDPR.
What’s new in CockroachDB v26.1 for security and compliance? 
Top-level updates of CockroachDB v26.1 build on the capabilities of this secure, compliant cloud database. These updates focus on database security, identity-aware access, and compliance controls required by regulated enterprises:
HIPAA & PCI/DSS Compliance – With expanded HIPAA and PCI/DSS compliance participation, organizations using CockroachDB Cloud Advanced on Azure now operate a HIPAA- and PCI-compliant database environment. This deeper Azure integration makes certification for compliance-centered applications easier.
JWT/OpenID Connect Integration – CockroachDB now further strengthens database identity and access management (IAM). It automatically synchronizes user role memberships based on group claims from your identity provider (IdP), eliminating manual role management for SSO users. When users authenticate via OpenID Connect (OIDC) for DB Console or JSON Web Token (JWT) for SQL clients, CockroachDB automatically grants roles that match their IdP groups and revokes roles that no longer apply. This is similar to what was already available with LDAP/AD integration for CockroachDB.
Additionally, JWT authentication now supports automatic user provisioning, creating SQL users on their first login without requiring pre-configuration. This streamlines onboarding for organizations managing users through external identity providers like Ory, Okta, Google, Entra AD, or Keycloak.
New unified CMEK UI – With an enhanced unified Customer-Managed Encryption Keys (CMEK) management user interface, database administrators can streamline key management experiences and minimize operational complexity across the different cloud providers. The unified CMEK UI simplifies encryption key management for cloud databases, reducing operational overhead. It also improves usability by making it easier to enable CMEK, monitor encryption status, and audit compliance.
Ability to disable root SQL user – Our users migrating off of Oracle must maintain compliance with critical customer requirements. With CockroachDB v26.1 you can disable the root SQL user to match Oracle Data Vault functionality, providing administrators a similar level of restricted access for privileged users as they have with Oracle Data Vault.
Native FIPS 140-3 Support – We migrated to FIPS 140-3 using Go 1.24’s native support. This approach eliminates the performance overhead previously caused by delegating operations to external OpenSSL libraries, positioning CockroachDB to meet September 2026 compliance mandates early.
Built for enterprise security and compliance at scale
v26.1 further elevates CockroachDB into a strategic asset for data architects and security teams, providing you with a security and compliance control plane, not just a data store. It drives resilient, secure, compliant data operations, so enterprises can implement quickly, with confidence in their security and compliance postures.
There are even more improvements in CockroachDB v26.1, read the release notes to learn more.
Try CockroachDB Now
We’re currently offering $400 in free credits for new CockroachDB Cloud organizations. These credits allow you to easily get started with CockroachDB. For example, you can try deploying multi-region Standard clusters with up to 12 vCPUs for 10 days, or with up to 4 vCPUs for the full 30 days. Learn more about the terms here.
Get started on CockroachDB Cloud today.
You can also get a free 30-day trial of CockroachDB Enterprise on self-hosted environments. Get quick and easy access to our full suite of enterprise features, with no initial financial commitment.
Get started CockroachDB self-hosted today.
David Bressler is Staff Product Marketer for Cockroach Labs. He has worked in 26 countries, is an accomplished public speaker, and graduated with distinction with an MBA from NYU.
