Redis server has an option to enable in-transit encryption. This capability helps protect your data while it moves from one location to another. However, at the time this article was written, the redis-cli shipped by default has no option to enable a TLS connection to the redis-server. So if you install the default redis-cli for your distro, you cannot establish a connection to a redis-server that has in-transit TLS encryption enabled.
user@127.0.0.1:~# redis-cli --tls
Unrecognized option or bad number of args for: '--tls'
Workaround
In this section we will cover how to enable the tls option for redis-cli in Ubuntu 16.04.6 Xenial LTS. Other Ubuntu versions usually have similar package names for the dependencies. Please adjust accordingly if you find any discrepancy.
We can compile redis-cli from source and enable the tls option using the following steps:
- Install dependencies
# update package information from repo
sudo apt update
# install build dependencies
sudo apt install -y build-essential pkg-config libssl-dev tcl libjemalloc-dev wget
- Download and extract the redis source file (redis-cli is built from the same source tree as redis-server)
# download the package
wget http://download.redis.io/redis-stable.tar.gz
# extract the package
tar xvzf redis-stable.tar.gz
# go inside the extracted directory
cd redis-stable
- Build with tls enabled
# remove previously generated build files
make distclean
# build with tls option
make BUILD_TLS=yes
- (optional) Replace the default installed redis-cli in $PATH with the one we built
# backup the binary to home directory
mkdir -p ~/redis-cli-backup
sudo mv "$(which redis-cli)" ~/redis-cli-backup
# create symbolic link to the path
sudo ln -s ~/redis-stable/src/redis-cli /usr/bin/redis-cli
- Once completed you can validate the build and connect to redis-server
# validate the redis-cli
redis-cli -h localhost -p 6379 --tls
localhost:6379> INFO SSL
# SSL
ssl_enabled:yes
ssl_current_certificate_not_before_date:Jul 27 00:00:00 2021 GMT
ssl_current_certificate_not_after_date:Aug 25 23:59:59 2022 GMT
ssl_current_certificate_serial:ABCDEFGKKSHDJKAHSD05A15BF008A57002E8
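The INFO SSL fields above are the ones worth acting on once the connection works: is in-transit encryption actually on, and is the server certificate inside its validity window? The following Python script is an added example, not code from the original post; it parses that output (a constructed sample modelled on the one above, with a placeholder serial) and reports the TLS state at a given reference time. The field names are taken from the output above; the sample values and the 30-day expiry warning window are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the INFO SSL output above (serial is a placeholder).
SAMPLE_INFO_SSL = """# SSL
ssl_enabled:yes
ssl_current_certificate_not_before_date:Jul 27 00:00:00 2021 GMT
ssl_current_certificate_not_after_date:Aug 25 23:59:59 2022 GMT
ssl_current_certificate_serial:PLACEHOLDER-SERIAL
"""

def parse_info(text):
    """Split INFO-style `key:value` lines into a dict; '#' lines are section headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def parse_cert_date(value):
    """Parse a value like 'Aug 25 23:59:59 2022 GMT' into an aware UTC datetime."""
    stamp = value.replace(" GMT", "")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def check_info_ssl(text, now, warn_days=30):
    """Report TLS state at time `now`: enabled?, cert valid?, days left, and any issues."""
    fields = parse_info(text)
    result = {"enabled": fields.get("ssl_enabled") == "yes",
              "valid": False, "days_left": None, "issues": []}
    if not result["enabled"]:
        result["issues"].append("in-transit encryption is not enabled")
        return result
    not_before = parse_cert_date(fields["ssl_current_certificate_not_before_date"])
    not_after = parse_cert_date(fields["ssl_current_certificate_not_after_date"])
    result["days_left"] = (not_after - now).days
    if now < not_before:
        result["issues"].append("certificate is not yet valid")
    elif now > not_after:
        result["issues"].append("certificate expired on %s" % not_after.date())
    else:
        result["valid"] = True
        if result["days_left"] < warn_days:
            result["issues"].append("certificate expires in %d days" % result["days_left"])
    return result

if __name__ == "__main__":
    # Reference time is fixed here so the sample output is reproducible.
    print(check_info_ssl(SAMPLE_INFO_SSL, now=parse_cert_date("Jan 01 00:00:00 2022 GMT")))
```

In practice you would feed it the real output of `redis-cli --tls ... INFO SSL` and pass the current time as `now`.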
Conclusion
Enabling in-transit encryption for redis-server allows end-to-end secure communication between each service that requires access to redis. However, if you use redis-cli as your client, this requires some work to make the client support it. We could also enable at-rest encryption to ensure that data stored in the redis-server is secured as well.
Hopefully, the next release of redis-cli will come with the tls option by default, so we can enable end-to-end encryption without needing this workaround.