Enable encryption in transit
Enable encryption (using TLS) for client-to-server and server-to-server communication
Prerequisites
Before you can enable and use server-to-server (inter node) and client-to-server encryption, you need to create and configure server certificates for each node of your YugabyteDB cluster. For information, see Create server certificates.
Configure YB-Master and YB-TServer nodes
To enable server-to-server and client-to-server TLS encryption, start your YB-Master and YB-TServer nodes using the following flags.
| Configuration flag | Description |
|---|---|
| `use_node_to_node_encryption` | Set to `true` to enable encryption between YugabyteDB nodes. Default is `false`. |
| `use_client_to_server_encryption` | Set to `true` to enable encryption between clients and the database cluster. Default is `false`. |
| `allow_insecure_connections` | Set to `false` to disallow any service with unencrypted communication from joining this cluster. Default is `true`. Note that this flag requires `--use_node_to_node_encryption` or `--use_client_to_server_encryption` to be enabled. |
| `certs_dir` | Optional. Directory containing the certificates created for this node to perform encrypted communication with the other nodes. Default for YB-Masters is `<data drive>/yb-data/master/data/certs` and for YB-TServers is `<data drive>/yb-data/tserver/data/certs`. |
| `certs_for_client_dir` | Optional. Directory containing the configuration for the client to perform TLS communication with the cluster. Defaults to the same directory as the node-to-node encryption (`certs_dir`). |
Start the YB-Masters
You can enable encryption in transit by starting the yb-master services with the following flags:
```sh
bin/yb-master                               \
    --fs_data_dirs=<data directories>       \
    --master_addresses=<master addresses>   \
    --certs_dir=/home/centos/tls/$NODE_IP   \
    --allow_insecure_connections=false      \
    --use_node_to_node_encryption=true      \
    --use_client_to_server_encryption=true
```
For information on starting YB-Master nodes for a deployment, see Start YB-Masters.
Start the YB-TServers
You can enable encryption in transit by starting the yb-tserver services with the following flags:
```sh
bin/yb-tserver                                  \
    --fs_data_dirs=<data directories>           \
    --tserver_master_addrs=<master addresses>   \
    --certs_dir=/home/centos/tls/$NODE_IP       \
    --allow_insecure_connections=false          \
    --use_node_to_node_encryption=true          \
    --use_client_to_server_encryption=true
```
For information on starting YB-TServers for a deployment, see Start YB-TServers.
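The following shell helper is an added example and is not part of the YugabyteDB documentation or code base. It assembles the TLS flag set used by both start commands above, rejects the combination the flag table warns about (`allow_insecure_connections=false` with neither encryption flag enabled), and checks that private keys under the node's certificate directory are not readable by other users; the `.key` suffix and the `/home/centos/tls/<node ip>` layout are assumptions.

```sh
#!/bin/sh
# Added example; not part of the YugabyteDB docs or code base.
# yb_tls_flags NODE_IP NODE2NODE CLIENT2SERVER ALLOW_INSECURE
# Prints the TLS flags for a yb-master/yb-tserver start command, one per
# line, and rejects the combination the flag table warns about:
# allow_insecure_connections=false with neither encryption flag enabled.
yb_tls_flags() {
    node_ip=$1; n2n=$2; c2s=$3; insecure=$4
    if [ "$insecure" = "false" ] && [ "$n2n" != "true" ] && [ "$c2s" != "true" ]; then
        echo "allow_insecure_connections=false requires node-to-node or client-to-server encryption" >&2
        return 1
    fi
    # Certificate layout /home/centos/tls/<node ip> follows the start commands on this page.
    printf '%s\n' \
        "--certs_dir=/home/centos/tls/$node_ip" \
        "--allow_insecure_connections=$insecure" \
        "--use_node_to_node_encryption=$n2n" \
        "--use_client_to_server_encryption=$c2s"
}

# check_certs_dir DIR: fails unless DIR exists and every private key in it is
# readable only by its owner. Assumes keys end in .key (the page does not name
# the files produced by "Create server certificates").
check_certs_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "certs dir not found: $dir" >&2; return 1; }
    rc=0
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue                # glob matched nothing
        mode=$(ls -ld "$key" | cut -c5-10)       # group and other permission bits
        case "$mode" in
            ------) ;;
            *) echo "private key readable by group/others: $key" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: verify the node's certificate directory, then emit the strict flag set.
# check_certs_dir "/home/centos/tls/$NODE_IP" && yb_tls_flags "$NODE_IP" true true false
```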