Enable TLS for Redis
/etc/redis/redis.confport 0tls-port 6379tls-cert-file /etc/redis/tls/redis.crttls-key-file /etc/redis/tls/redis.keytls-ca-cert-file /etc/redis/tls/ca.crttls-auth-clients yesport 0 disables the plaintext listener entirely. Restart to apply.
Why it matters
Section titled “Why it matters”Redis’s own documentation is explicit that AUTH, “like every other Redis
command, is sent unencrypted” and therefore “does not protect against an
attacker who has enough access to the network to perform eavesdropping.”
So without TLS, your carefully generated 48-byte secret is transmitted in cleartext on every single connection, alongside every key and value you read or write. Anyone positioned on the path — another tenant, a compromised switch, a misconfigured mirror port, a cloud provider’s internal network — sees all of it.
TLS is what makes the authentication you configured actually mean something over a network. On a loopback-only instance it buys you little; the moment traffic crosses a wire, it’s the difference between a secret and a broadcast.
port 0 is the line that matters
Section titled “port 0 is the line that matters”Setting tls-port adds a TLS listener. It does not remove the plaintext one.
An instance with both is not protected: an attacker (or a misconfigured client)
simply connects to the plaintext port, and you get none of the benefit while
believing you have all of it.
port 0 is what closes it. If you need a transition period, run both briefly,
then set port 0 once every client is migrated — and verify with ss rather
than assuming.
tls-auth-clients cuts both ways
Section titled “tls-auth-clients cuts both ways”tls-auth-clients yes requires clients to present their own certificate — mutual
TLS. It’s a genuine second factor for the connection, and it’s the default.
It also means every client needs a certificate issued by your CA, which is
real operational work. tls-auth-clients no gives you encryption without client
certificates; that is still a large improvement over plaintext, and it is a
reasonable stop if issuing client certs isn’t realistic yet. Just choose it
deliberately rather than discovering it when clients fail to connect.
Check your build supports it
Section titled “Check your build supports it”TLS is compiled in, not universal. Distribution packages for Redis and Valkey generally include it, but a binary you built yourself may not:
redis-server --tls-port 0 2>&1 | head -1If TLS is unsupported you’ll get an error about an unknown option rather than a working server.
Related
Section titled “Related”- Require authentication with ACL users — the credential TLS protects.
- Bind Redis to a private interface — if nothing crosses a wire, this matters less.