Encryption in transit
YugabyteDB Anywhere allows you to protect data in transit by using the following:
- Node-to-Node TLS to encrypt intra-node communication between YB-Master and YB-TServer nodes.
- Client-to-Node TLS to encrypt communication between a universe and its clients. This includes applications, shells (ysqlsh, ycqlsh, psql, and so on), and other tools that use the YSQL and YCQL APIs.
Manage certificates
Use YugabyteDB Anywhere to manage certificates used for encryption in transit.
Enable encryption in transit
You enable Node-to-Node and Client-to-Node encryption in transit when you create a universe.
You can also enable and disable encryption in transit for an existing universe as follows:
- Navigate to your universe.
- Click Actions > Edit Security > Encryption in-Transit to open the Manage encryption in transit dialog.
- Enable or disable the Enable encryption in transit for this Universe option.
- Click Apply.
Enforce TLS versions
As TLS 1.0 and 1.1 are no longer accepted for PCI compliance, and given the significant known vulnerabilities in these versions of the protocol, it is recommended that you migrate to TLS 1.2 or later.
You can set the TLS version for node-to-node and client-to-node communication. To enforce TLS 1.2 (and no other version), add the following flag for YB-TServer:
ssl_protocols = tls12
To enforce TLS 1.2 as the minimum version, you need to list it together with all available later versions for YB-TServer, as follows:
ssl_protocols = tls12,tls13
In addition, as the ssl_protocols setting does not propagate to PostgreSQL, it is recommended that you also specify the minimum TLS version (ssl_min_protocol_version) for PostgreSQL by setting the following YB-TServer flag:
--ysql_pg_conf_csv="ssl_min_protocol_version='TLSv1.2'"
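As an added example (not code from the YugabyteDB documentation), the following Python derives the two YB-TServer flag values above for a chosen minimum version, and probes a running universe to confirm that the older versions are actually refused. The host, port and the ysql flag are assumptions; the YSQL branch sends the PostgreSQL SSLRequest message first because that wire protocol only upgrades to TLS after it, whereas YCQL negotiates TLS directly on connect.

```python
import socket
import ssl

# Oldest to newest: (YB-TServer ssl_protocols token, PostgreSQL name, ssl enum).
TLS_VERSIONS = [
    ("tls10", "TLSv1", ssl.TLSVersion.TLSv1),
    ("tls11", "TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("tls12", "TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("tls13", "TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
TOKENS = [v[0] for v in TLS_VERSIONS]
PG_SSLREQUEST = b"\x00\x00\x00\x08\x04\xd2\x16\x2f"  # PostgreSQL SSLRequest (len 8, code 80877103)

def tserver_tls_flags(min_token):
    # ssl_protocols is an allow-list: it must name the minimum and every later version.
    # The PostgreSQL setting is a true floor, so it takes only the minimum.
    idx = TOKENS.index(min_token)  # raises ValueError for an unknown token
    return {
        "ssl_protocols": ",".join(TOKENS[idx:]),
        "ysql_pg_conf_csv": f"ssl_min_protocol_version='{TLS_VERSIONS[idx][1]}'",
    }

def probe_tls_versions(host, port, ysql=False, timeout=5.0):
    # One handshake per version. True = server accepted, False = rejected,
    # None = this client's OpenSSL refuses to offer that version at all.
    results = {}
    for token, _, enum in TLS_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # we only record the negotiated version,
        ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
        try:
            ctx.minimum_version = ctx.maximum_version = enum
        except ValueError:
            results[token] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if ysql:  # PostgreSQL protocol: ask for TLS before the handshake
                    sock.sendall(PG_SSLREQUEST)
                    if sock.recv(1) != b"S":
                        raise ConnectionError("server declined SSLRequest")
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[token] = tls.version() is not None
        except OSError:  # SSLError, timeouts and refused connections all land here
            results[token] = False
    return results

def versions_below_floor(probe, min_token):
    # Versions the server accepted although they are older than the intended floor.
    return [t for t in TOKENS[:TOKENS.index(min_token)] if probe.get(t)]
```

Run `probe_tls_versions("tserver-host", 5433, ysql=True)` and `probe_tls_versions("tserver-host", 9042)` after applying the flags; `versions_below_floor(result, "tls12")` should come back empty for both ports.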