Skip to main content
Version: 3.14

Encrypt Wire Communications

ScalarDB can encrypt wire communications by using Transport Layer Security (TLS). This document explains the configurations for wire encryption in ScalarDB.

The wire encryption feature encrypts:

  • The communications between the ScalarDB Cluster node and clients.
  • The communications between all the ScalarDB Cluster nodes (the cluster's internal communications).

This feature uses TLS support in gRPC. For details, see the official gRPC Security Policy.

note

Enabling wire encryption between the ScalarDB Cluster nodes and the underlying databases in production environments is strongly recommended. For instructions on how to enable wire encryption between the ScalarDB Cluster nodes and the underlying databases, please refer to the product documentation for your underlying databases.

Configurations​

This section describes the available configurations for wire encryption.

Enable wire encryption in the ScalarDB Cluster nodes​

To enable wire encryption in the ScalarDB Cluster nodes, you need to set scalar.db.cluster.tls.enabled to true.

NameDescriptionDefault
scalar.db.cluster.tls.enabledWhether wire encryption (TLS) is enabled.false

You also need to set the following configurations:

NameDescriptionDefault
scalar.db.cluster.tls.ca_root_cert_pemThe custom CA root certificate (PEM data) for TLS communication.
scalar.db.cluster.tls.ca_root_cert_pathThe custom CA root certificate (file path) for TLS communication.
scalar.db.cluster.tls.override_authorityThe custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set for scalar.db.cluster.node.tls.cert_chain_path.
scalar.db.cluster.node.tls.cert_chain_pathThe certificate chain file used for TLS communication.
scalar.db.cluster.node.tls.private_key_pathThe private key file used for TLS communication.

To specify the certificate authority (CA) root certificate, you should set either scalar.db.cluster.tls.ca_root_cert_pem or scalar.db.cluster.tls.ca_root_cert_path. If you set both, scalar.db.cluster.tls.ca_root_cert_pem will be used.

Enable wire encryption on the client side​

To enable wire encryption on the client side by using the ScalarDB Cluster Java client SDK, you need to set scalar.db.cluster.tls.enabled to true.

NameDescriptionDefault
scalar.db.cluster.tls.enabledWhether wire encryption (TLS) is enabled.false

You also need to set the following configurations:

NameDescriptionDefault
scalar.db.cluster.tls.ca_root_cert_pemThe custom CA root certificate (PEM data) for TLS communication.
scalar.db.cluster.tls.ca_root_cert_pathThe custom CA root certificate (file path) for TLS communication.
scalar.db.cluster.tls.override_authorityThe custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set for scalar.db.cluster.node.tls.cert_chain_path.

To specify the CA root certificate, you should set either scalar.db.cluster.tls.ca_root_cert_pem or scalar.db.cluster.tls.ca_root_cert_path. If you set both, scalar.db.cluster.tls.ca_root_cert_pem will be used.