Encryption: Data in Transit Node to Node

Communication between all or some nodes can be encrypted. The controlling parameter is server_encryption_options.

See the section on generating a self-signed certificate chain using openssl.


  1. Configure internode_encryption in /etc/scylla/scylla.yaml.

Available values for internode_encryption are:

  • none (default)
  • all
  • dc: encrypts the traffic between the data centers.
  • rack: encrypts the traffic between the racks.

The following settings are configured alongside it:

  • certificate: A PEM format certificate, either self-signed or provided by a certificate authority (CA).
  • keyfile: The corresponding PEM format key for the certificate.
  • truststore: Optional path to a PEM format certificate store of trusted CAs. If not provided, Scylla will attempt to use the system trust store to authenticate certificates.

scylla.yaml example:

    server_encryption_options:
        internode_encryption: <none|rack|dc|all>
        certificate: <path to PEM encoded certificate file>
        keyfile: <path to PEM encoded key for certificate>
        truststore: <optional path to PEM encoded trust store>

  2. Restart the Scylla node to apply the changes. Use the command that matches how Scylla is run.

On systemd-based systems:

    sudo systemctl restart scylla-server

On init-based systems:

    sudo service scylla-server restart

In Docker (this restarts Scylla without restarting the some-scylla container):

    docker exec -it some-scylla supervisorctl restart scylla
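
A check to run on each node before the restart, as an added example that is not part of the Scylla documentation: it reads the server_encryption_options block from scylla.yaml and reports an unencrypted mode, missing or unreadable certificate files, and a private key that group or other users can access. The function names `seo_get` and `audit_internode_tls` are hypothetical, and the parser assumes the plain, unquoted "key: value" layout shown in the example above.

```shell
#!/bin/sh
# Added example: audit server_encryption_options before restarting a node.
# Assumption: plain, unquoted "key: value" lines, as in the scylla.yaml example above.

# seo_get FILE KEY: print KEY's value from the server_encryption_options block.
seo_get() {
    awk -v key="$2" '
        /^server_encryption_options:/ { inblk = 1; next }
        inblk && /^[^ \t#]/ { inblk = 0 }      # next top-level key ends the block
        inblk {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key ":") == 1) {
                sub(/^[^:]*:[ \t]*/, "", line)
                sub(/[ \t]+#.*$/, "", line)     # drop a trailing comment
                sub(/[ \t]+$/, "", line)
                print line
                exit
            }
        }' "$1"
}

# audit_internode_tls FILE: print findings, return the number of FAILs.
audit_internode_tls() {
    conf=$1; n=0
    mode=$(seo_get "$conf" internode_encryption)
    case "${mode:-none}" in
        none) echo "FAIL internode_encryption is none: node-to-node traffic is not encrypted"
              return 1 ;;
        all)  ;;
        rack|dc) echo "NOTE internode_encryption=$mode: only traffic between ${mode}s is encrypted" ;;
        *)    echo "FAIL unknown internode_encryption value: $mode"; n=$((n + 1)) ;;
    esac
    for key in certificate keyfile; do
        path=$(seo_get "$conf" "$key")
        if [ -z "$path" ]; then echo "FAIL $key is not set"; n=$((n + 1))
        elif [ ! -r "$path" ]; then echo "FAIL $key is not readable: $path"; n=$((n + 1))
        fi
    done
    # The private key should not be readable by group or others.
    key_path=$(seo_get "$conf" keyfile)
    if [ -f "$key_path" ] && [ "$(ls -lLd "$key_path" | cut -c5-10)" != "------" ]; then
        echo "FAIL keyfile is accessible to group/other: $key_path"; n=$((n + 1))
    fi
    trust=$(seo_get "$conf" truststore)
    if [ -z "$trust" ]; then echo "NOTE truststore not set: the system trust store is used"
    elif [ ! -r "$trust" ]; then echo "FAIL truststore is not readable: $trust"; n=$((n + 1))
    fi
    return "$n"
}

if [ "$#" -gt 0 ]; then audit_internode_tls "$1"; fi
```

Run it as the user Scylla runs under, passing /etc/scylla/scylla.yaml as the argument, so the readability checks reflect what the server will see.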