Enable server-to-server encryption

Enable server-to-server encryption

Enable server-to-server encryption (using TLS) for intranode communication.

This page documents the preview version (v2.23). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.

Prerequisites

Before you can enable and use server-to-server encryption, you need to create and configure server certificates for each node of your YugabyteDB cluster. For information, see Create server certificates.

Configure YB-Master and YB-TServer nodes

To enable server-to-server encryption using TLS, start your YB-Master and YB-TServer nodes using the following flags.

Flag Node Description
use_node_to_node_encryption YB-Master, YB-TServer Set to true to enable encryption between YugabyteDB nodes. Default value is false.
allow_insecure_connections YB-Master, YB-TServer Set to false to disallow any service with unencrypted communication from joining this cluster. Default value is true. Note that this flag requires --use_node_to_node_encryption to be enabled.
certs_dir YB-Master, YB-TServer Optional. Directory containing the certificates created for this node to perform encrypted communication with the other nodes. See Create server certificates. Default for YB-Masters is <data drive>/yb-data/master/data/certs and for YB-TServers is <data drive>/yb-data/tserver/data/certs.

Start the YB-Masters

You can enable access control by starting the yb-master services with the --use_node_to_node_encryption=true flag as described above. Your command should look similar to this:

bin/yb-master                               \
    --fs_data_dirs=<data directories>       \
    --master_addresses=<master addresses>   \
    --certs_dir=/home/centos/tls/$NODE_IP   \
    --allow_insecure_connections=false      \
    --use_node_to_node_encryption=true

For information on starting YB-Master nodes for a deployment, see Start YB-Masters.

Start the YB-TServers

You can enable access control by starting the yb-tserver services using the --use_node_to_node_encryption=true flag described above. Your command should look similar to this:

bin/yb-tserver                                  \
    --fs_data_dirs=<data directories>           \
    --tserver_master_addrs=<master addresses>   \
    --certs_dir /home/centos/tls/$NODE_IP       \
    --use_node_to_node_encryption=true &

For information on starting YB-TServers for a deployment, see start YB-TServers.

Connect to the cluster

Because you have only enabled server-to-server encryption and not client-to-server encryption, you can now connect to this cluster using the YSQL shell (ysqlsh) or the YCQL shell (ycqlsh) without enabling encryption as shown here.

YSQL

$ ./bin/ysqlsh
ysqlsh (11.2-YB-2.23.0.0-b0)
Type "help" for help

yugabyte=#

YCQL

$ ./bin/ycqlsh
Connected to local cluster at 127.0.0.1:9042.
[ycqlsh 5.0.1 | Cassandra 3.9-SNAPSHOT | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.

ycqlsh>