Manage in-transit encryption

This page explains how to manage in-transit encryption for your Memorystore for Redis Cluster instance.

For an overview of in-transit encryption for Memorystore for Redis Cluster, see About in-transit encryption.

You can enable in-transit encryption only when you initially create your Memorystore cluster; it cannot be turned on for an existing cluster. In-transit encryption cannot be disabled on a cluster that was created with it.

Create an instance with in-transit encryption

Console

Follow the steps at Create a Memorystore for Redis Cluster instance.

gcloud

To create a Redis cluster with in-transit encryption enabled, run the create command with --transit-encryption-mode=server-authentication:

gcloud redis clusters create INSTANCE_ID \
--region=REGION_ID \
--network=NETWORK \
--replica-count=REPLICA_COUNT \
--node-type=NODE_TYPE \
--shard-count=SHARD_COUNT \
--transit-encryption-mode=server-authentication

Replace the following:

  • INSTANCE_ID is the ID of the Memorystore for Redis Cluster instance you're creating. Your instance ID must be 1 to 63 characters and use only lowercase letters, numbers, or hyphens. It must start with a lowercase letter and end with a lowercase letter or number.

  • REGION_ID is the region where you want the instance placed.

  • NETWORK is the network used to create your instance. It must use the format: projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID. The network ID used here must match the network ID used by the service connection policy. Otherwise, the create operation fails.

  • REPLICA_COUNT is your desired number of replicas (per shard). Accepted values are 0, 1, and 2.

  • NODE_TYPE is your chosen node type. Accepted values are:

    • redis-shared-core-nano
    • redis-standard-small
    • redis-highmem-medium
    • redis-highmem-xlarge

    For more details on node types and cluster configurations, see Cluster and node specification.

  • SHARD_COUNT determines the number of shards in your instance, and therefore the total memory capacity available for storing cluster data. For more details about cluster specification, see Cluster and node specification.

For example:

gcloud redis clusters create my-instance \
--region=us-central1 \
--network=projects/my-project-335118/global/networks/default \
--replica-count=1 \
--node-type=redis-highmem-medium \
--shard-count=3 \
--transit-encryption-mode=server-authentication

Download the certificate authorities

If in-transit encryption is enabled on your cluster, the get-cluster-certificate-authority command returns the Certificate Authority certificates that your client must trust in order to verify the cluster's server certificates:

gcloud redis clusters get-cluster-certificate-authority INSTANCE_ID

Replace the following:

  • INSTANCE_ID is the ID of your Memorystore for Redis Cluster instance.

The response body includes the certificates of all currently applicable Certificate Authorities; during a CA rotation, this includes both the old and the new CA.

Install Certificate Authorities on your client

You must install your cluster's Certificate Authorities on every client that connects to it. The installation steps vary by client type; the steps below show how to install the CAs on a Compute Engine Linux VM.

  1. Connect with SSH to your Compute Engine Linux client.

  2. Create a file called server_ca.pem on your client:

    sudo vim /tmp/server_ca.pem
    
  3. Download the Certificate Authorities, as described in the previous section, and paste them into the server_ca.pem file you just created.

    The CA text must be formatted exactly as shown. Your server_ca.pem file should look like this:

    -----BEGIN CERTIFICATE-----
    MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkNzYx
    NTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2YxOWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29n
    bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
    b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE3MjEzNDE1WhcNMzAwOTE1
    MjEzNTE1WjCBhTEtMCsGA1UELhMkNzYxNTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2Yx
    OWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
    aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyDKmDHZm6tzMhNtKOnp8H
    8+zTv1qA6OkBToVqCjKTTMGO18ovNtAAMjbGvclLuJNLbA2WTTWVttHen6Cn82h0
    3gG9HMk9AwK1cVT7gW072h++TRsYddIRlwnSweRWL8jUX+PNt7CjFqH+sma/Hb1m
    CktHdBOa897JiYHrMVNTcpS8SFwwz05yHUTEVGlHdkvlaJXfHLe6keCMABLyjaMh
    1Jl4gZI2WqLMV680pJusK6FI6q/NmqENFc9ywMEg395lHTK9w9e014WIXg0q7sU3
    84ChVVS2yYOMEUWeov4Qx6XeVfA4ss5t7OCqsMQkvslkE90mJZcVvhBj3QvTH9Rz
    AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
    AJkn+MDE4V10DZn4uEc0s0Mg4FEMC1fDewmDYwSNnxRlzfEi+wAX2AaqrJ4m4Qa7
    xIyuSYxArEOY6QeyJyw7/06dom8aAv4aO2p8hE04Ih6QwaTMFIlT2Jf6TidVd3eT
    wfjwFJVoJ+dgxsaCv2uMFZWee5aRHmKzj9LhqPwpWnTs9Q/qmOheUNoe2/1i8yvn
    662M7RZMR7fZH6ETsdz5w1nPXXiRqJ7K0EGKoPNjMlYK3/U1X3sazI4tpMNgTdxG
    rnNh9Sd9REMBmDCPj9dUI9k4hQX4yQZp96fnLT6cet22OPajEKnpzyqJs1s4iX/g
    lEtWs4V/YBhKA56CW6ASZS8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkYjg4
    ZTUzYTMtODdmNC00N2VhLWJjN2MtYTdhMzM4NmIwZmU4MTEwLwYDVQQDEyhHb29n
    bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
    b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE4MjEzMTI3WhcNMzAwOTE2
    MjEzMjI3WjCBhTEtMCsGA1UELhMkYjg4ZTUzYTMtODdmNC00N2VhLWJjN2MtYTdh
    MzM4NmIwZmU4MTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
    aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
    ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEO4Zs/So5DA6wtftkAElD
    8BVREob4gby2mGBYAtd3JJQKFC+zIqCf2DhrWihrCeXhsdsZqJUF16E3MsCCWS2T
    UWt6T37zObU2fzKmb7X+TSw1tunIUcIXwWzoMhqdGrIvfI9guMbF+KssQIjDMs9M
    G/hY6cY1NB5THOxXqcxzYrwSKB1EE160EDz4RgKAYQhw7AyVOBBAbWqA5pTEDuUy
    qpsz+NFpKYTwaeTpzil0xIl0JJS3DOd4G7ZnMG2wFT2j3wt+P0SkAPuOWgmX82iO
    gGmKoaCh3KcICie/rZRTfsRPjMm+yswRQRDeLB5eoMmH+gbUInVZU0qOJ/7gOYEb
    AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
    AF4xlEbwLUK5VjoKlJBtKXLYrYcW+AbQLhZQFP8exE8bOW7p39h+5J0nl3ItPxu6
    97BCt1P5TFisba8pBxaExiDsYmjKQrhtizMkzl5h9hGksOgoLlAqaaxfA97+Q9Tq
    5gaYChESur/159Z3jiM47obKoZmHfgSgr//7tjII7yZxUGhOjIVffv/fEa4aixqM
    0yH1V1s8hWHZeui2VFrHmTxY20IH9ktyedjSUgnFXzsEH6sbR18p0wBZqyrrtURs
    DaUIeoOHfHgEJM8k/wphSJI0V6pMC6nax2JhexLTRiUsiGTLRDe3VtsdWqS2DLa9
    9DmrfdF0eFrfWw3VRNLwwXg=
    -----END CERTIFICATE-----
    

    Your file, as in the previous example, must follow these guidelines:

    • Copy each Certificate Authority in full, including its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    • Make sure that the text of the CAs is completely left-justified: no line of a CA may start with a space.

    • Start each Certificate Authority on a new line directly after the previous one, with no blank lines between CAs.

Configure your client for in-transit encryption

The client that you use to connect to the cluster must either support TLS itself or use a third-party sidecar that provides TLS on its behalf.

If your client supports TLS, configure it with your Redis instance's IP address, port 6379, and the path to the file containing the Certificate Authorities, so that it verifies the server certificate against those CAs. If you choose to use a sidecar, we recommend Stunnel.

Securely connect to a Memorystore cluster using Stunnel and telnet

For instructions on using Stunnel to enable in-transit encryption on a Compute Engine client, see Securely connect to a Memorystore instance using Stunnel and telnet.

Manage Certificate Authority rotation

Install all downloadable Certificate Authorities on every client that accesses your cluster.

The simplest way to make sure that your clients have the CAs they need when a Certificate Authority rotation occurs is to install each new CA, alongside the previous CAs, as soon as it becomes available.

To confirm that a client has the required CAs, check that the CAs saved in its client file match those returned when you download the Certificate Authorities. Both the new and the old CAs are active during a rotation to keep downtime to a minimum.
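The following shell script is an added example; it is not part of this page or of the gcloud CLI. It covers two of the procedures above: it normalises a saved download of the Certificate Authorities into a server_ca.pem that satisfies the formatting rules in Install Certificate Authorities on your client, and it compares a client's existing bundle with a fresh download to find any CA the client still lacks before a rotation (Manage Certificate Authority rotation). It assumes that gcloud's YAML output places the PEM text either indented inside a block scalar or as quoted list items, and keys only on the BEGIN/END markers so that either layout works. The embedded download, its field names and its certificate bodies are constructed for the example, and the function names (pem_blocks, write_bundle, cert_ids, missing_cas) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Memorystore documentation or of gcloud.
# Normalises a saved copy of the output of
#   gcloud redis clusters get-cluster-certificate-authority INSTANCE_ID
# into a server_ca.pem that follows the rules above (left-justified, complete
# BEGIN/END blocks, no blank lines), then checks an existing client bundle
# against a fresh download so that no CA is missing before a rotation.
# Assumption: gcloud prints the CAs as YAML, with the PEM lines either indented
# in a block scalar or written as quoted list items. The "download" below is
# constructed for this example (illustrative field names, fake certificate
# bodies); it is not output from a real cluster.

SAMPLE_DOWNLOAD=$(mktemp)
cat > "$SAMPLE_DOWNLOAD" <<'EOF'
caCerts:
- certificate: |
    -----BEGIN CERTIFICATE-----
    MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkNzYx
    Q09OU1RSVUNURURfRVhBTVBMRV9DQV9PTkVfTk9UX0FfUkVBTF9DRVJU
    -----END CERTIFICATE-----
- certificate: |
    -----BEGIN CERTIFICATE-----
    MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkYjg4
    Q09OU1RSVUNURURfRVhBTVBMRV9DQV9UV09fTk9UX0FfUkVBTF9DRVJU
    -----END CERTIFICATE-----
EOF

# pem_blocks FILE: print only the certificate lines of FILE, with YAML
# indentation, a leading "- " and surrounding quotes removed, so every block
# is left-justified and blocks follow one another without blank lines.
pem_blocks() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock {
      sub(/^[ \t]*(-[ \t]+)?["'\'']?/, "")   # indent, list dash, opening quote
      sub(/["'\'']?[ \t]*$/, "")             # closing quote, trailing blanks
      if ($0 != "") print
    }
    /-----END CERTIFICATE-----/ { inblock = 0 }
  ' "$1"
}

# write_bundle SRC DEST: write the normalised bundle to DEST and print how many
# CAs it holds. Fails if no CA was found, if a BEGIN has no matching END (a
# truncated paste), or if an indented or blank line slipped through.
write_bundle() {
  pem_blocks "$1" > "$2"
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$2" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$2" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$1: expected complete certificate blocks, got $begins BEGIN / $ends END" >&2
    return 1
  fi
  if grep -q '^[[:space:]]' "$2" || grep -q '^$' "$2"; then
    echo "$2: contains an indented or blank line" >&2
    return 1
  fi
  echo "$begins"
}

# cert_ids FILE: one sorted line per certificate, its base64 body joined.
# Two CAs with identical DER bytes have identical bodies, so this compares
# bundles exactly without needing openssl on the client.
cert_ids() {
  pem_blocks "$1" | awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; next }
    /-----END CERTIFICATE-----/   { print body; next }
    { body = body $0 }
  ' | sort -u
}

# missing_cas CLIENT_BUNDLE FRESH_DOWNLOAD: list every CA that the fresh
# download contains but the client bundle lacks, returning 1 in that case.
# An empty result (return 0) means the client already trusts every CA the
# cluster can present, old and new, and is safe across the rotation.
missing_cas() {
  have=$(mktemp); fresh=$(mktemp)
  cert_ids "$1" > "$have"
  cert_ids "$2" > "$fresh"
  missing=$(comm -13 "$have" "$fresh")
  rm -f "$have" "$fresh"
  [ -n "$missing" ] || return 0
  printf '%s\n' "$missing" | cut -c1-32 | sed 's/$/... is missing from the client bundle/'
  return 1
}

# Demo: build the bundle, then simulate a rotation in which the client's
# bundle still holds only the first CA.
BUNDLE=$(mktemp)
write_bundle "$SAMPLE_DOWNLOAD" "$BUNDLE"
OLD_CLIENT=$(mktemp)
pem_blocks "$SAMPLE_DOWNLOAD" | awk '{ print } /-----END CERTIFICATE-----/ { exit }' > "$OLD_CLIENT"
missing_cas "$OLD_CLIENT" "$BUNDLE" || echo "update the client bundle before the CA rotation"
```

In real use, save the output of the get-cluster-certificate-authority command to a file, pass that file as SRC and /tmp/server_ca.pem as DEST, and rerun missing_cas against each new download before relying on a rotation. If redis-cli 6.0 or later is installed on the client, the resulting bundle can be checked directly with redis-cli --tls --cacert /tmp/server_ca.pem -h IP -p 6379 ping, which fails if the server certificate does not chain to one of the installed CAs.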

Code sample for connecting to an instance that uses in-transit encryption

To view a code sample on how to set up a client library to connect to an instance that uses in-transit encryption, see In-transit encryption client library code sample.