Encryption: Data in Transit Node to Node

Communication between all or some nodes can be encrypted. The controlling parameter is server_encryption_options.

To build a self-signed certificate chain, see generating a self-signed certificate chain using openssl.


  1. Configure the internode_encryption, under /etc/scylla/scylla.yaml.

    Available options are:

    • none (default)

    • all

    • dc: encrypts the traffic between the data centers.

    • rack: encrypts the traffic between the racks.

    • certificate - A PEM format certificate, either self-signed, or provided by a certificate authority (CA).

    • keyfile - The corresponding PEM format key for the certificate.

    • truststore - Optional path to a PEM format certificate store of trusted CA:s. If not provided, Scylla will attempt to use the system trust store to authenticate certificates.

    scylla.yaml example:

        internode_encryption: <none|rack|dc|all>
        certificate: <path to PEM encoded certificate file>
        keyfile: <path to PEM encoded key for certificate>
        truststore: <optional path to PEM encoded trust store>
  2. Restart Scylla node to apply the changes.

    sudo systemctl restart scylla-server
    sudo service scylla-server restart
    docker exec -it some-scylla supervisorctl restart scylla

    (without restarting some-scylla container)

Once internode_encryption or client_encryption_options is enabled (by being set to something other than none), the SSL / TLS certificates and key files specified in scylla.yaml will continue to be monitored and reloaded if modified on disk. When the files are updated, Scylla reloads them and uses them for subsequent connections.