Skip to content

Enable TLS for Redis

Severity: highApplies to: Redis 6.x+Applies to: Redis 8.xApplies to: Valkey 8.x / 9.x
The fix/etc/redis/redis.conf
Terminal window
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients yes

port 0 disables the plaintext listener entirely. Restart to apply.

Redis’s own documentation is explicit that AUTH, “like every other Redis command, is sent unencrypted” and therefore “does not protect against an attacker who has enough access to the network to perform eavesdropping.”

So without TLS, your carefully generated 48-byte secret is transmitted in cleartext on every single connection, alongside every key and value you read or write. Anyone positioned on the path — another tenant, a compromised switch, a misconfigured mirror port, a cloud provider’s internal network — sees all of it.

TLS is what makes the authentication you configured actually mean something over a network. On a loopback-only instance it buys you little; the moment traffic crosses a wire, it’s the difference between a secret and a broadcast.

Setting tls-port adds a TLS listener. It does not remove the plaintext one. An instance with both is not protected: an attacker (or a misconfigured client) simply connects to the plaintext port, and you get none of the benefit while believing you have all of it.

port 0 is what closes it. If you need a transition period, run both briefly, then set port 0 once every client is migrated — and verify with ss rather than assuming.

tls-auth-clients yes requires clients to present their own certificate — mutual TLS. It’s a genuine second factor for the connection, and it’s the default.

It also means every client needs a certificate issued by your CA, which is real operational work. tls-auth-clients no gives you encryption without client certificates; that is still a large improvement over plaintext, and it is a reasonable stop if issuing client certs isn’t realistic yet. Just choose it deliberately rather than discovering it when clients fail to connect.

TLS is compiled in, not universal. Distribution packages for Redis and Valkey generally include it, but a binary you built yourself may not:

Terminal window
redis-server --tls-port 0 2>&1 | head -1

If TLS is unsupported you’ll get an error about an unknown option rather than a working server.