
Peer-to-Peer Encryption

Note: This section applies only to FaunaDB Enterprise.

Setting up peer-to-peer encryption is done primarily through the faunadb.yml file. Below you will find all the requirements and instructions for getting encryption up and running.

  1. Dependencies
  2. Enable encryption
  3. Verify it worked

Dependencies

First, ensure that you have installed the unrestricted Java Cryptography Extension policy files on each node in your FaunaDB Enterprise cluster. Download the JCE policy files for Java 8.

SSL can be configured to use standard PEM files or a Java keystore and truststore. Both methods require an SSL key and a trust certificate. Creating these is beyond the scope of this document.

Enable Encryption

Enabling encryption between nodes in FaunaDB comes down to the peer_encryption_level setting in faunadb.yml. peer_encryption_level determines when encrypted peer connections are used:

  • all - All peer connections are encrypted.
  • dc - Peer connections between replicas are encrypted, but peer connections within a replica are not.
  • none - Peer encryption is disabled.

PEM Based Encryption

The private key file must contain the private key and signed certificate.

Add the following settings to your faunadb.yml configuration:

  • peer_encryption_level: Either all, dc, or none. (Default dc).
  • peer_encryption_trust_file: The path to the trust certificate.
  • peer_encryption_key_file: The path to the private SSL key.
  • peer_encryption_password: The password used to lock the private key. (Note: this can also be set via the FAUNADB_PEER_ENCRYPTION_PASSWORD environment variable.)

Keystore/Truststore Based Encryption

Add the following settings to your faunadb.yml configuration:

  • peer_encryption_level: Either all, dc, or none. (Default dc).
  • peer_encryption_trust_store: The path to the truststore.
  • peer_encryption_key_store: The path to the keystore.
  • peer_encryption_password: The password used to lock the keystore. (Note: this can also be set via the FAUNADB_PEER_ENCRYPTION_PASSWORD environment variable.)

Enabling Encryption in a Running Cluster

In order for the FaunaDB Enterprise cluster to remain available while enabling encryption, all nodes must first have knowledge of the SSL certificate before encryption is turned on.

To enable encryption on a running FaunaDB Enterprise cluster:

  1. Update the faunadb.yml file on each node in the cluster using one of the previous methods.
  2. Ensure peer_encryption_level is set to "none".
  3. Restart all nodes in the cluster. This will reload the configuration.
  4. Update the faunadb.yml file on each node in the cluster with your desired peer_encryption_level setting.
  5. Restart all nodes in the cluster again.
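A preflight check for the settings above, added here as an example (not FaunaDB's own tooling): it reads the flat peer_encryption_* keys from faunadb.yml, applies the rules from the PEM and keystore sections (a valid level, a complete PEM or keystore pair whose files exist on the node, a PEM key file that holds both the private key and the signed certificate, and a password either in the file or in FAUNADB_PEER_ENCRYPTION_PASSWORD), and is meant to run on each node before the restarts in steps 3 and 5. The paths and PEM bodies in the sample are constructed placeholders.

```python
import os

VALID_LEVELS = {"all", "dc", "none"}
PEM_KEYS = ("peer_encryption_trust_file", "peer_encryption_key_file")
JKS_KEYS = ("peer_encryption_trust_store", "peer_encryption_key_store")

def parse_flat_yaml(text):
    """Collect flat `key: value` lines (comments skipped); no YAML library needed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_peer_encryption(settings, env=None, files=None):
    """Return the problems found (empty list = OK). `files` maps path -> content for an
    offline check; when None, the node's real filesystem is read."""
    env = os.environ if env is None else env
    exists = os.path.isfile if files is None else (lambda p: p in files)
    read = (lambda p: open(p).read()) if files is None else files.__getitem__
    problems = []
    level = settings.get("peer_encryption_level", "dc")  # the page's default is dc
    if level not in VALID_LEVELS:
        problems.append(f"peer_encryption_level must be all, dc or none, not {level!r}")
    has_pem = all(k in settings for k in PEM_KEYS)
    if not has_pem and not all(k in settings for k in JKS_KEYS):
        if level != "none":  # with encryption on, one complete pair is mandatory
            problems.append("no complete PEM (trust_file + key_file) or keystore (trust_store + key_store) pair")
        return problems
    for key in PEM_KEYS if has_pem else JKS_KEYS:
        if not exists(settings[key]):
            problems.append(f"{key}: {settings[key]} not found on this node")
    if has_pem and exists(settings["peer_encryption_key_file"]):
        body = read(settings["peer_encryption_key_file"])
        if "PRIVATE KEY-----" not in body or "-----BEGIN CERTIFICATE-----" not in body:
            problems.append("peer_encryption_key_file must hold both the private key and the signed certificate")
    if "peer_encryption_password" not in settings and "FAUNADB_PEER_ENCRYPTION_PASSWORD" not in env:
        problems.append("set peer_encryption_password or the FAUNADB_PEER_ENCRYPTION_PASSWORD variable")
    return problems

# Constructed sample: a PEM-based faunadb.yml as it stands after steps 1-2 of the rolling enable.
SAMPLE_YML = """peer_encryption_level: none   # stays none until every node has restarted with the certificate
peer_encryption_trust_file: /etc/faunadb/trust.pem
peer_encryption_key_file: /etc/faunadb/node.pem"""
SAMPLE_FILES = {  # constructed placeholder PEM bodies, not real key material
    "/etc/faunadb/trust.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/etc/faunadb/node.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
                             "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"}
```

Run it with `files=None` on a real node to check the actual faunadb.yml paths; the same checks apply unchanged when peer_encryption_level is later raised to dc or all in step 4.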

Verify Encryption

To verify that encryption is enabled, block inter-datacenter access to the unsecured storage port of one node, then attempt to ping all nodes from another node:

$ curl 'localhost:8443/ping?scope=all'