Encryption in transit
YugabyteDB Managed uses TLS 1.2 for communicating with clusters, and digital certificates to verify the identity of clusters. Using TLS with a digital certificate encrypts the data in transit to ensure a secure connection to your cluster, and prevents man in the middle (MITM) attacks, impersonation attacks, and eavesdropping.
Whether you are connecting to your cluster from a client shell or an application, YugabyteDB Managed clusters require a TLS/SSL connection.
Download your cluster certificate
YugabyteDB Managed clusters are provisioned with a private key and a certificate signed by the Yugabyte Private Certificate Authority (CA). The cluster CA certificate is used to verify the identity of the cluster when you connect to it from an application or client. The certificate is provided in a file called root.crt, which incorporates the certificate chain (intermediate and root CAs). To use this certificate, you download it to your computer, and add the file path of the certificate to the connection string you use to connect to the cluster.
Connections using YCQL require the use of the certificate. You can connect to a cluster using YSQL without a certificate, although where possible, the certificate should be used.
To download the certificate to the computer that will be connecting to the cluster, do the following:
- In YugabyteDB Managed, select your cluster, and click Connect.
- Click YugabyteDB Client Shell or Connect to your Application.
- Click Download CA Cert to download the cluster root.crt certificate to your computer.
SSL modes in YSQL
If you are connecting to a cluster using YSQL, the ysqlsh
shell command and application connection string generated by YugabyteDB Managed use the verify-full
SSL mode by default to verify the cluster’s identity. verify-full
requires the use of the cluster CA certificate.
Connections using SSL mode disable
will fail. You can use other SSL modes to connect to clusters as described in the following table.
sslmode | MITM protection | Notes |
---|---|---|
allow | No | Effectively works as require (always uses the SSL connection without verification). |
prefer | No | Effectively works as require (always uses the SSL connection without verification). |
require | No | Uses the SSL connection without verification. You do not need to provide the sslrootcert parameter. |
verify-ca | Yes | Uses the SSL connection and verifies that the server certificate is issued by a trusted certificate authority (CA). Requires the sslrootcert parameter with the path to the cluster CA certificate. |
verify-full | Yes | Uses the SSL connection and verifies that the server certificate is issued by a trusted CA and that the requested server host name matches that in the certificate. Requires the sslrootcert parameter with the path to the cluster CA certificate. |
If you don't provide an SSL mode, the connection defaults to prefer
.
For information on SSL modes, refer to Protection Provided in Different Modes in the PostgreSQL documentation.
SSL connections in YCQL
Connections to your cluster using YCQL require SSL and the cluster CA certificate.
The generated ycqlsh
shell command uses the --ssl
option and sets the SSL_CERTFILE environment variable. You set SSL_CERTFILE to the path of the cluster certificate.