Encryption in transit

Secure intra-node and application traffic
This page documents a preview version (v2.23 Preview). Preview includes features under active development and is for development and testing only. For production, use the latest stable version (v2024.1).

YugabyteDB Anywhere allows you to protect data in transit by using the following:

  • Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes.
  • Client-to-Node TLS to encrypt communication between a universe and its clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools that use the YSQL and YCQL APIs.

Manage certificates

Use YugabyteDB Anywhere to manage certificates used for encryption in transit.

Enable encryption in transit

You enable Node-to-Node and Client-to-Node encryption in transit when you create a universe.

You can also enable and disable encryption in transit for an existing universe as follows:

  1. Navigate to your universe.
  2. Click Actions > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.
  3. Enable or disable the Enable encryption in transit for this Universe option.
  4. Click Apply.

Enforce TLS versions

TLS 1.0 and 1.1 are no longer accepted for PCI compliance and have significant known vulnerabilities, so it is recommended that you migrate to TLS 1.2 or later.

You can set the TLS version for node-to-node and client-to-node communication. To enforce TLS 1.2 only, add the following flag for YB-TServer:

ssl_protocols = tls12

Setting only tls12 restricts connections to TLS 1.2 alone. To enforce a minimum of TLS 1.2 while still allowing later versions, you need to list all available subsequent versions for YB-TServer, as follows:

ssl_protocols = tls12,tls13

In addition, because the ssl_protocols setting does not propagate to PostgreSQL, it is recommended that you also specify the minimum TLS version for PostgreSQL (ssl_min_protocol_version) by setting the following YB-TServer flag:

--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'"
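The two settings above are easy to get half right: listing only tls12 drops TLS 1.3, and setting ssl_protocols alone leaves the PostgreSQL (YSQL) path untouched. The following helper, an added example rather than YugabyteDB Anywhere code, audits a YB-TServer flag set for both mistakes and produces a hardened copy. It assumes flags are supplied as a plain dictionary of flag name to value; the tokens tls12 and tls13 and the value TLSv1.2 come from this page, while the tokens tls10 and tls11 are assumed to follow the same naming scheme, and TLSv1, TLSv1.1 and TLSv1.3 are the standard PostgreSQL spellings for ssl_min_protocol_version.

```python
"""Audit and harden YB-TServer TLS version flags (hypothetical helper, not YugabyteDB code)."""
import csv
import io

# Protocol tokens as ssl_protocols spells them, weakest first.
# tls12 and tls13 appear on the page; tls10 and tls11 are assumed to use the same scheme.
TLS_ORDER = ["tls10", "tls11", "tls12", "tls13"]

# Standard PostgreSQL spellings for ssl_min_protocol_version, keyed by YB-TServer token.
PG_NAME = {"tls10": "TLSv1", "tls11": "TLSv1.1", "tls12": "TLSv1.2", "tls13": "TLSv1.3"}
PG_TOKEN = {name: token for token, name in PG_NAME.items()}


def parse_ssl_protocols(value):
    """Split a comma-separated ssl_protocols value into lowercase tokens."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def parse_pg_conf_csv(value):
    """Parse a ysql_pg_conf_csv value into {setting: value}.

    Each CSV field is a PostgreSQL assignment such as ssl_min_protocol_version='TLSv1.2'.
    """
    settings = {}
    for row in csv.reader(io.StringIO(value)):
        for item in row:
            if "=" in item:
                key, raw = item.split("=", 1)
                settings[key.strip()] = raw.strip().strip("'\"")
    return settings


def audit_tls_flags(flags, minimum="tls12"):
    """Return findings for flags that still permit TLS below `minimum` on either path."""
    findings = []
    floor = TLS_ORDER.index(minimum)

    # RPC path (node-to-node and client-to-node): ssl_protocols must be set and contain
    # nothing below the floor. Unknown tokens (for example ssl3) are reported as well.
    protocols = parse_ssl_protocols(flags.get("ssl_protocols", ""))
    if not protocols:
        findings.append("ssl_protocols is not set: all TLS versions remain negotiable")
    else:
        weak = [p for p in protocols if p not in TLS_ORDER or TLS_ORDER.index(p) < floor]
        if weak:
            findings.append("ssl_protocols allows " + ",".join(weak))

    # PostgreSQL path: ssl_protocols does not propagate, so check ssl_min_protocol_version.
    pg = parse_pg_conf_csv(flags.get("ysql_pg_conf_csv", ""))
    pg_min = pg.get("ssl_min_protocol_version")
    if pg_min is None:
        findings.append("ssl_min_protocol_version not set for PostgreSQL (ssl_protocols does not propagate)")
    elif pg_min not in PG_TOKEN or TLS_ORDER.index(PG_TOKEN[pg_min]) < floor:
        findings.append("PostgreSQL ssl_min_protocol_version is " + pg_min)
    return findings


def harden_tls_flags(flags, minimum="tls12"):
    """Return a copy of `flags` enforcing `minimum` on both the RPC and PostgreSQL paths."""
    hardened = dict(flags)
    floor = TLS_ORDER.index(minimum)
    # List every version from the minimum upward so later versions stay allowed.
    hardened["ssl_protocols"] = ",".join(TLS_ORDER[floor:])
    pg = parse_pg_conf_csv(flags.get("ysql_pg_conf_csv", ""))
    pg["ssl_min_protocol_version"] = PG_NAME[minimum]
    hardened["ysql_pg_conf_csv"] = ",".join(f"{key}='{val}'" for key, val in pg.items())
    return hardened


if __name__ == "__main__":
    # Constructed flag set that only half-applies the page's guidance.
    current = {"ssl_protocols": "tls11,tls12"}
    for finding in audit_tls_flags(current):
        print("FINDING:", finding)
    print("hardened:", harden_tls_flags(current))
```

Run the audit against the flag values you intend to apply in the universe's YB-TServer configuration; an empty findings list means both the RPC and PostgreSQL paths enforce the requested minimum.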
