Redis Documentation > Redis Enterprise Cloud > Security > Cloud database security > Transport Layer Security (TLS)

Transport Layer Security (TLS)

Transport Layer Security (TLS) uses encryption to secure network communication.

Redis Cloud Fixed, Flexible, and Annual subscriptions can use TLS to encrypt data communications between applications and Redis databases.

Use TLS with Redis Cloud

TLS is not enabled by default.

When you enable TLS, you also need to decide whether to enable client authentication, which requires that all database clients present a valid client certificate for authentication.

Client authentication is not required by Redis Cloud; however, it is strongly recommended.

Enable TLS

To enable TLS for a Redis Cloud database.

Select the Databases command from the admin console menu to open the View Databases screen and then select your database from the list.
Select the Edit icon to edit the database.
In the Access Control & Security section, enable the SSL Client Authentication setting.
Decide whether you want to enforce client authentication (also known as “mutual authentication”). By enabling client authentication, only those clients that present a valid certificate will be able to connect. If you do not want to require client authentication, skip to step 8.
To require client authentication, select Enforce client authentication.
Next, either provide an X.509 certificate containing a public key for your client or use the Generate Client Certificate button to generate one.
If you generate your certificate using the admin console, then a download will begin containing the following artifacts:
- redislabs_user.crt – the certificate’s public key.
- redislabs_user_private.key – the certificate’s private key.
- redislabs_ca.pem – the Redis Cloud CA certificate.
Select the Update button to apply your changes and enable TLS.

Note:

Once you’ve enabled TLS, all client connections to your database must use TLS. Unencrypted connections will no longer be permitted.

Connect over TLS

To connect to a Redis Cloud database over TLS, you will need:

A Redis client that supports TLS
The Redis Cloud CA certificate

Certificates

If you don’t have the Redis Cloud CA certificate, you can download it from the admin console by going to Settings and selecting the Flexible Plans CA button.

Flexible Plans CA button

If you’re requiring client authentication, you’ll also need public and private client keys. See Enabling TLS for details.

Connect with the Redis CLI

Here’s how to use the Redis CLI to connect to a TLS-enabled Redis Cloud database:

If you’re not requiring client authentication, then you need to provide the host, port, and the Redis Cloud CA certificate:

redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls
    --cacert redislabs_ca.pem

If you’ve enabled client authentication, then you also need to provide your client’s private and public keys:

redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls --cacert redislabs_ca.pem
    --cert redislabs_user.crt --key redislabs_user_private.key

Endpoint and port details are available from the View Database details screen.

Edit on GitHub

Updated: April 22, 2022

Download PDF

Top