Enable client-to-server encryption
AttentionThis page documents an earlier version. Go to the latest (v2.3) version.
YugabyteDB clusters can be configured to use client-to-server encryption to protect data in transit between YugabyteDB servers and clients, tools, and APIs. When enabled, Transport Layer Security (TLS), the successor to the deprecated Secure Sockets Layer (SSL), is used to ensure data protection for YSQL and YCQL only. Note that there is no planned support for YEDIS.
Before you can enable client-to-server encryption, you first must enable server-to-server encryption.
Configure YB-TServer nodes
To enable client-to-server encryption for YSQL and YCQL, start your YB-TServer services with the required flags described below. Your YB-Master services do not require additional configuration.
||YB-TServer||Optional. Defaults to the same directory as the server-to-server encryption. This directory should contain the configuration for the client to perform TLS communication with the cluster. Default value for YB-TServer is
To enable access control, follow these steps, start the
yb-tserver services with the following flag (described above):
This flag enables both encrypted and unencrypted clients to connect to the cluster.
To prevent clients without the appropriate encryption from connecting, you must add the following flag:
Your command should look similar to this:
bin/yb-tserver \ --fs_data_dirs=<data directories> \ --tserver_master_addrs=<master addresses> \ --certs_for_client_dir /home/centos/tls/$NODE_IP \ --allow_insecure_connections=false \ --use_client_to_server_encryption=true &
For details about starting YB-TServer nodes in manual deployments, see Start YB-TServers.