Version: 22.2

Configuring Encryption

By default, Redpanda data is sent unencrypted. A security best practice is to enable encryption with TLS or mTLS.

For Kubernetes-specific information, see:


TLS certificates are necessary for encryption. You can use your own certificates, either self-signed or issued by a trusted Certificate Authority, or you can use the script that Redpanda provides to generate certificates:

bash <(curl -s


Transport Layer Security (TLS), previously SSL, provides encryption for client-server communication. This prevents third parties from accessing data transferred between the client and server.

Configure TLS

To configure TLS, in redpanda.yaml, enter:

redpanda:
  rpc_server_tls: {}
  # Kafka API listener declaration
  kafka_api:
    - address: <broker bind address>
      port: 9092
      name: tls_listener
  # TLS settings for the listener declared above (matched by name)
  kafka_api_tls:
    - name: tls_listener
      key_file: server.key
      cert_file: server.crt
      truststore_file: ca.crt
      enabled: true
      require_client_auth: false
  admin_api_tls: []
pandaproxy:
  pandaproxy_api_tls: []
schema_registry:
  schema_registry_api_tls: []

All APIs, except rpc_server_tls, support multiple listeners.

See also:


mTLS, or 2-way TLS, is a protocol that authenticates both the server and the client. In addition to the server certificate required in TLS, mTLS requires the client to give a certificate. This involves more overhead to implement, but it can be useful for environments that require additional security and only have a small number of verified clients.

Configure mTLS

To enable mTLS, set require_client_auth to true in the listener's TLS configuration.

For example, for the Kafka API, in redpanda.yaml, enter:

redpanda:
  # Kafka API listener declaration
  kafka_api:
    - address: <broker bind address>
      port: 9092
      name: mtls_listener
  # TLS settings for the listener declared above; require_client_auth: true
  # makes the broker demand and verify a client certificate signed by the
  # CA in truststore_file
  kafka_api_tls:
    - name: mtls_listener
      key_file: mtls_server.key
      cert_file: mtls_server.crt
      truststore_file: mtls_ca.crt
      enabled: true
      require_client_auth: true

See also:

Configure mTLS for a Kafka API listener

To enable mTLS for a Kafka API listener, in redpanda.yaml, enter:


redpanda:
  # The listener declaration. `name` can have any value.
  kafka_api:
    - name: internal
      port: 9092

  # The advertised listeners. `name` should match the name of a declared listener.
  # The address:port here is what clients will connect to.
  advertised_kafka_api:
    - name: internal
      address: <host name clients use to connect to the broker>
      port: 9092

  # The listener's TLS config. `name` must match the corresponding listener's name.
  kafka_api_tls:
    - name: internal
      enabled: true
      require_client_auth: true
      cert_file: <path to PEM-formatted cert file>
      key_file: <path to PEM-formatted key file>
      truststore_file: <path to PEM-formatted CA file>

See Also: Configuring Listeners
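The three configurations above (TLS, mTLS, and the full Kafka API listener declaration) all depend on the same invariants: every TLS block and every advertised listener must name a declared listener, an enabled TLS block needs a key and a certificate, and require_client_auth is meaningless without a truststore_file to verify client certificates against. The following checker is an added example, not part of the Redpanda docs or the Redpanda code base. It works on the parsed form of redpanda.yaml (the dict that PyYAML's yaml.safe_load would return); the two sample configs, file paths and host names are constructed for illustration, and a listener with no enabled TLS block is reported as plaintext because that is the default this page warns about.

```python
"""Consistency checks for Redpanda Kafka API TLS/mTLS listener configuration.

Added example (not Redpanda's own code). Input is the parsed redpanda.yaml,
as a dict; with PyYAML installed, obtain it via yaml.safe_load(open(path)).
"""
from typing import Any, Dict, List

# Constructed sample mirroring the mTLS Kafka API listener on this page.
SAMPLE_CONFIG: Dict[str, Any] = {
    "redpanda": {
        "kafka_api": [
            {"name": "internal", "address": "0.0.0.0", "port": 9092},
        ],
        "advertised_kafka_api": [
            {"name": "internal", "address": "broker-0.example.internal", "port": 9092},
        ],
        "kafka_api_tls": [
            {
                "name": "internal",
                "enabled": True,
                "require_client_auth": True,
                "cert_file": "/etc/redpanda/certs/broker.crt",   # constructed path
                "key_file": "/etc/redpanda/certs/broker.key",    # constructed path
                "truststore_file": "/etc/redpanda/certs/ca.crt",  # constructed path
            },
        ],
    }
}

# Constructed sample with two defects: the TLS block's name is misspelled, so it
# matches no declared listener (leaving "internal" in plaintext), and it asks for
# client auth without a truststore to verify client certificates against.
BROKEN_CONFIG: Dict[str, Any] = {
    "redpanda": {
        "kafka_api": [
            {"name": "internal", "address": "0.0.0.0", "port": 9092},
        ],
        "advertised_kafka_api": [
            {"name": "internal", "address": "broker-0.example.internal", "port": 9092},
        ],
        "kafka_api_tls": [
            {
                "name": "intrenal",
                "enabled": True,
                "require_client_auth": True,
                "cert_file": "/etc/redpanda/certs/broker.crt",
                "key_file": "/etc/redpanda/certs/broker.key",
            },
        ],
    }
}


def listener_mode(tls_block: Dict[str, Any]) -> str:
    """Classify one kafka_api_tls entry as plaintext, tls or mtls."""
    if not tls_block.get("enabled", False):
        return "plaintext"
    return "mtls" if tls_block.get("require_client_auth", False) else "tls"


def check_kafka_tls(config: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems: List[str] = []
    rp = config.get("redpanda", {}) or {}
    listeners = rp.get("kafka_api", []) or []
    advertised = rp.get("advertised_kafka_api", []) or []
    tls_blocks = rp.get("kafka_api_tls", []) or []

    declared = {entry.get("name") for entry in listeners}

    # Advertised listeners must refer to a declared listener by name.
    for adv in advertised:
        if adv.get("name") not in declared:
            problems.append(f"advertised listener {adv.get('name')!r} matches no declared listener")

    # Each TLS block must refer to a declared listener and, when enabled,
    # carry the files the handshake needs.
    for tls in tls_blocks:
        name = tls.get("name")
        if name not in declared:
            problems.append(f"TLS block {name!r} matches no declared listener")
        if not tls.get("enabled", False):
            continue  # disabled block: the listener is reported as plaintext below
        for key in ("key_file", "cert_file"):
            if not tls.get(key):
                problems.append(f"TLS block {name!r}: {key} is required when enabled")
        if tls.get("require_client_auth", False) and not tls.get("truststore_file"):
            problems.append(f"TLS block {name!r}: require_client_auth needs a truststore_file")

    # A declared listener with no enabled TLS block accepts unencrypted traffic.
    enabled_names = {t.get("name") for t in tls_blocks if t.get("enabled", False)}
    for name in sorted(declared, key=str):
        if name not in enabled_names:
            problems.append(f"listener {name!r} has no enabled TLS block (plaintext)")
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_kafka_tls(cfg) or "OK")
```

Run it against a real broker by replacing the sample dicts with yaml.safe_load of the node's redpanda.yaml; anything it prints other than OK is a listener that either will not start with TLS or will silently accept plaintext connections.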

Using rpk with TLS

If you're using rpk to interact with the Kafka API with an mTLS identity (for example, to manage topics or messages), pass the --tls-key, --tls-cert, and --tls-truststore flags to authenticate.

To interact with the Admin API (for example, to manage users), pass the --admin-api-tls-key, --admin-api-tls-cert, and --admin-api-tls-truststore flags.

rpk topic create test-topic \
  --tls-key <path to PEM-formatted key file> \
  --tls-cert <path to PEM-formatted cert file> \
  --tls-truststore <path to PEM-formatted CA file>

The result:

test-topic OK

To check the configuration of the topic, run:

rpk topic describe test-topic <tls flags from above>

By default, rpk connects to localhost:9092 for Kafka protocol commands. If you're connecting to a remote broker or if you configured your local broker differently, use the --brokers <address:port> flag.
