Enable client-to-server encryption

YugabyteDB clusters can be configured to use client-to-server encryption to protect data in transit between YugabyteDB servers and clients, tools, and APIs. When enabled, Transport Layer Security (TLS), the successor to the deprecated Secure Sockets Layer (SSL), is used to ensure data protection for YSQL and YCQL only. Note that there is no planned support for YEDIS.

Prerequisites

Before you can enable client-to-server encryption, you first must enable server-to-server encryption.

Configure YB-TServer nodes

To enable client-to-server encryption for YSQL and YCQL, start your YB-TServer services with the required options described below. Your YB-Master services do not require additional configuration.

| Configuration option (flag) | Process | Description |
| --- | --- | --- |
| --use_client_to_server_encryption | YB-TServer | Set to true to enable encryption between the various YugabyteDB clients and the database cluster. Default value is false. |
| --allow_insecure_connections | YB-TServer | Set to false to disallow any client with unencrypted communication from joining this cluster. Default value is true. Note that this option requires --use_client_to_server_encryption to be enabled. |
| --certs_for_client_dir | YB-TServer | Optional. Defaults to the same directory as the server-to-server encryption. This directory should contain the configuration for the client to perform TLS communication with the cluster. Default value for YB-TServer is <data drive>/yb-data/tserver/data/certs |

To enable client-to-server encryption, start the yb-tserver services with the following option (described above):

  --use_client_to_server_encryption=true

This option enables both encrypted and unencrypted clients to connect to the cluster.

To prevent clients without the appropriate encryption from connecting, you must add the following option:

  --allow_insecure_connections=false

Your command should look similar to this:

  bin/yb-tserver \
    --fs_data_dirs=<data directories> \
    --tserver_master_addrs=<master addresses> \
    --certs_for_client_dir /home/centos/tls/$NODE_IP \
    --allow_insecure_connections=false \
    --use_client_to_server_encryption=true &
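The two flags interact in a way that is easy to get wrong: with only --use_client_to_server_encryption=true set, unencrypted clients are still accepted because --allow_insecure_connections defaults to true. The following shell function, added here as an example and not part of the YugabyteDB documentation or code base, audits a yb-tserver command line for exactly that weak combination. It accepts the flags in the forms the page uses (--flag=value, and "--flag value" for the string flag), applies the documented defaults when a flag is absent, and follows gflags boolean conventions (a bare --flag means true, --noflag means false). The data directories, master address and certificate path in the usage call at the bottom are constructed sample values.

```shell
#!/bin/sh
# audit_client_tls_flags: inspect yb-tserver flags for the client-to-server
# TLS settings on this page. Prints one WEAK line per insecure setting and
# returns 1 if any was found, 0 if TLS is required for all clients.
# (Added example; not from the YugabyteDB project.)
audit_client_tls_flags() {
    use_tls="false"          # documented default of --use_client_to_server_encryption
    allow_insecure="true"    # documented default of --allow_insecure_connections
    certs_dir=""             # --certs_for_client_dir is optional

    while [ $# -gt 0 ]; do
        case "$1" in
            # boolean flag, gflags style: --flag, --flag=VALUE, --noflag
            --use_client_to_server_encryption)   use_tls="true" ;;
            --use_client_to_server_encryption=*) use_tls="${1#*=}" ;;
            --nouse_client_to_server_encryption) use_tls="false" ;;
            --allow_insecure_connections)        allow_insecure="true" ;;
            --allow_insecure_connections=*)      allow_insecure="${1#*=}" ;;
            --noallow_insecure_connections)      allow_insecure="false" ;;
            # string flag: either "--flag=DIR" or "--flag DIR" (as on this page)
            --certs_for_client_dir=*)            certs_dir="${1#*=}" ;;
            --certs_for_client_dir)              shift; certs_dir="$1" ;;
            # anything else (data dirs, master addresses, trailing &) is ignored
        esac
        shift
    done

    rc=0
    if [ "$use_tls" != "true" ]; then
        echo "WEAK: --use_client_to_server_encryption=$use_tls (YSQL/YCQL clients connect in plaintext)"
        rc=1
    fi
    if [ "$allow_insecure" != "false" ]; then
        echo "WEAK: --allow_insecure_connections=$allow_insecure (unencrypted clients are still accepted)"
        rc=1
    fi
    # A missing certs directory stops the server from starting rather than
    # weakening it, so it is reported as a warning and does not change rc.
    if [ -n "$certs_dir" ] && [ ! -d "$certs_dir" ]; then
        echo "WARN: --certs_for_client_dir=$certs_dir does not exist on this host"
    fi
    return $rc
}

# Usage: the hardened command line from this page, with constructed sample
# values in place of the <data directories>, <master addresses> and $NODE_IP.
audit_client_tls_flags \
    --fs_data_dirs=/mnt/d0 \
    --tserver_master_addrs=10.0.0.1:7100 \
    --certs_for_client_dir /home/centos/tls/10.0.0.2 \
    --allow_insecure_connections=false \
    --use_client_to_server_encryption=true
```

Running the function against the flags that actually appear in a node's process list (or its flagfile) is a quick way to confirm the cluster rejects plaintext clients instead of merely permitting TLS.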

For details about starting YB-TServer nodes in manual deployments, see Start YB-TServers.