Client-to-node encryption protects data in flight between client machines and a database cluster using SSL (Secure Sockets Layer; what is actually negotiated today is TLS). It establishes an encrypted channel between the client and the coordinator node that serves its requests.
On each node, in cassandra.yaml under client_encryption_options:
- Set enabled to true.
- Set the paths to the node's keystore and truststore files.
- Provide the required passwords. They must match the passwords used when the keystore and truststore were generated, or the node will fail to load them at startup.
To enable client certificate authentication (two-way SSL, also called mutual TLS), set require_client_auth to true. With it set, every client must present a certificate that the node's truststore trusts, so the truststore and truststore_password must also be included; this is the setting to use when tools such as cqlsh connect to the node from remote machines. If only local access is required, such as running cqlsh on the node itself over one-way SSL, require_client_auth can stay false and the truststore settings can be omitted. This example uses the password cassandra for both the keystore and the truststore; it is the well-known example password, so replace it with your own in a real deployment.
client_encryption_options:
    enabled: true
    # The path to your keystore file; ex: conf/keystore.node0
    keystore: conf/keystore.node0
    # The password for your keystore file
    keystore_password: cassandra
    # The next 3 lines are included if 2-way SSL is desired
    require_client_auth: true
    # The path to your truststore file; ex: conf/truststore.node0
    truststore: conf/truststore.node0
    # The password for your truststore file
    truststore_password: cassandra
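The rules above (encryption enabled, keystore and password present, and a truststore plus truststore_password whenever require_client_auth is true) are easy to get wrong by hand, so here is a small lint script for the client_encryption_options block. It is an added example, not part of the Cassandra or DataStax documentation or code: the parser handles only the flat key/value block shown above (it is not a general YAML parser), the two sample configs are constructed, and the extra warning about the example password cassandra and the optional path-existence check are this example's own additions.

```python
"""Lint the client_encryption_options block of a cassandra.yaml.

Added example, not Cassandra/DataStax code. It checks the rules the
text above states and, in addition, warns about the example password
'cassandra' and (optionally) about keystore files that do not exist.
"""
import os
import re

SECTION = "client_encryption_options"
EXAMPLE_PASSWORD = "cassandra"  # the password used in the example config


def parse_client_encryption_options(text: str) -> dict:
    """Return the key/value pairs nested under client_encryption_options.

    Minimal parser for the flat block shown in the docs: comments are
    stripped, values are unquoted strings, true/false become bools.
    """
    opts, in_section = {}, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):             # top-level key
            in_section = line.strip() == SECTION + ":"
            continue
        if in_section:
            m = re.match(r"\s*([A-Za-z_]+)\s*:\s*(.*)$", line)
            if m:
                key, val = m.group(1), m.group(2).strip().strip("'\"")
                opts[key] = {"true": True, "false": False}.get(val.lower(), val)
    return opts


def validate(opts: dict, check_paths: bool = False) -> list:
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    if opts.get("enabled") is not True:
        findings.append("enabled is not true: client traffic is sent in the clear")
        return findings
    for key in ("keystore", "keystore_password"):
        if not opts.get(key):
            findings.append(f"{key} is missing; the node cannot present its certificate")
    if opts.get("require_client_auth") is True:          # two-way SSL requested
        for key in ("truststore", "truststore_password"):
            if not opts.get(key):
                findings.append(f"require_client_auth is true but {key} is missing")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == EXAMPLE_PASSWORD:
            findings.append(f"{key} is the example password '{EXAMPLE_PASSWORD}'; change it")
    if check_paths:                                      # only meaningful on the node itself
        for key in ("keystore", "truststore"):
            path = opts.get(key)
            if path and not os.path.isfile(path):
                findings.append(f"{key} path {path!r} does not exist on this node")
    return findings


# Constructed sample mirroring the two-way SSL example above.
TWO_WAY_YAML = """\
cluster_name: 'Test Cluster'
client_encryption_options:
    enabled: true
    # The path to your keystore file
    keystore: conf/keystore.node0
    keystore_password: cassandra
    require_client_auth: true
    truststore: conf/truststore.node0
    truststore_password: cassandra
server_encryption_options:
    internode_encryption: none
"""

# Constructed misconfiguration: two-way SSL requested but no truststore given.
BROKEN_YAML = """\
client_encryption_options:
    enabled: true
    keystore: conf/keystore.node0
    keystore_password: 'S3cret-keystore'   # quoted value with a trailing comment
    require_client_auth: true
"""

if __name__ == "__main__":
    for name, text in (("two-way example", TWO_WAY_YAML), ("broken", BROKEN_YAML)):
        print(name, validate(parse_client_encryption_options(text)) or ["ok"])
```

Run it against a real cassandra.yaml with check_paths=True on the node itself; the path check is deliberately off by default so the script can be run from a workstation against a copied config.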