Configuring Encryption
By default, Redpanda data is sent unencrypted. A security best practice is to enable encryption with TLS or mTLS.
For Kubernetes-specific information, see:
- Configuring TLS on Kubernetes
- Configuring Redpanda SASL on Kubernetes
- Security on Kubernetes using the Redpanda Operator
Prerequisite
TLS certificates are necessary for encryption. You can use your own certificates, either self-signed or issued by a trusted Certificate Authority, or you can use use the Redpanda prepared script to generate certificates:
bash <(curl -s https://gist.github.com/0x5d/56422a0c447e58d8ccbfa0ce1fd6bac6/raw/30404e0b3376a3724da828f1db5a3b1d29ffebf5/generate-certs.sh)
TLS
Transport Layer Security (TLS), previously SSL, provides encryption for client-server communication. This prevents third parties from accessing data transferred between the client and server.
Configure TLS
To configure TLS, in redpanda.yaml, enter:
redpanda:
rpc_server_tls: {}
kafka_api:
- address: 0.0.0.0
port: 9092
name: tls_listener
kafka_api_tls:
- name: tls_listener
key_file: server.key
cert_file: server.crt
truststore_file: ca.crt
enabled: true
require_client_auth: false
admin_api_tls: []
pandaproxy:
pandaproxy_api_tls: []
schema_registry:
schema_registry_api_tls: []
All APIs, except rpc_server_tls, support multiple listeners.
See also:
mTLS
mTLS, or 2-way TLS, is a protocol that authenticates both the server and the client. In addition to the server certificate required in TLS, mTLS requires the client to give a certificate. This involves more overhead to implement, but it can be useful for environments that require additional security and only have a small number of verified clients.
Configure mTLS
To enable mTLS, add require_client_auth set to true.
For example, for the Kafka API, in redpanda.yaml, enter:
redpanda:
kafka_api:
- address: 0.0.0.0
port: 9092
name: mtls_listener
kafka_api_tls:
- name: mtls_listener
key_file: mtls_server.key
cert_file: mtls_server.crt
truststore_file: mtls_ca.crt
enabled: true
require_client_auth: true
See also:
Configure mTLS for a Kafka API listener
To enable mTLS for a Kafka API listener, in redpanda.yaml, enter:
redpanda:
kafka_api:
# The listener declaration. `name` can have any value.
- name: internal
address: 0.0.0.0
port: 9092
advertised_kafka_api:
# The advertised listeners. `name` should match the name of a declared listener.
# The address:port here is what clients will connect to.
- name: internal
address: <host name clients use to connect to the broker>
port: 9092
kafka_api_tls:
# The listener's TLS config. `name` must match the corresponding listener's name.
- name: internal
enabled: true
require_client_auth: true
cert_file: <path to PEM-formatted cert file>
key_file: <path to PEM-formatted key file>
truststore_file: <path to PEM-formatted CA file>
See Also: Configuring Listeners
Using rpk with TLS
If you're using rpk to interact with the Kafka API using mTLS identity (for example, to manage topics or messages), pass the --tls-key, --tls-cert, and --tls-truststore flags to authenticate.
To interact with the Admin API (for example, to manage users), pass the --admin-api-tls-key, --admin-api-tls-cert, and --admin-api-tls-truststore flags.
rpk topic create test-topic \
--tls-key <path to PEM-formatted key file> \
--tls-cert <path to PEM-formatted cert file> \
--tls-truststore <path to PEM-formatted CA file>
The result:
TOPIC STATUS
test-topic OK
To check the configuration of the topic, run:
rpk topic describe test-topic <tls flags from above>
By default, rpk connects to localhost:9092 for Kafka protocol commands. If you're connecting to a remote broker or if you configured your local broker differently, use the --brokers <address:port> flag.