Secure the Redis config and data files
sudo chown root:redis /etc/redis/redis.confsudo chmod 640 /etc/redis/redis.conf
sudo chown -R redis:redis /var/lib/redissudo chmod 750 /var/lib/redissudo chmod 640 /var/lib/redis/dump.rdb 2>/dev/null || trueSubstitute /etc/valkey/valkey.conf, /var/lib/valkey and the valkey user if
that’s what you’re running.
Why it matters
Section titled “Why it matters”Redis’s documentation notes that the password is “set by the system administrator in clear text inside the redis.conf file”. That is a reasonable design — but it means the file’s permissions are part of your authentication.
Two consequences that are easy to miss:
The config file is a credential. A 644 redis.conf means every local user
— every service account, every deployment agent, anything that gets a shell
through an unrelated bug — can read the password and authenticate as default.
All the work in requiring authentication is
undone by a chmod nobody looked at.
The dump file is the entire dataset. dump.rdb is your whole keyspace on
disk, unencrypted. Reading it requires no password and no Redis connection at
all — just filesystem access. Sessions, tokens, cached PII: all of it, readable.
640 with group redis gives the daemon what it needs and nothing to anyone
else.
Don’t forget the ACL file
Section titled “Don’t forget the ACL file”If you moved users out to an aclfile, that file now holds the secrets instead:
aclfile /etc/redis/users.aclsudo chown root:redis /etc/redis/users.aclsudo chmod 640 /etc/redis/users.aclAn aclfile is worth using — ACL SAVE persists runtime user changes to it
without rewriting your whole config — but it inherits exactly the same exposure
as redis.conf, and it’s newer, so it’s more often missed.
Backups leak what the live files don’t
Section titled “Backups leak what the live files don’t”The permissions above protect the running host. They say nothing about the copy
of dump.rdb in your backup bucket, which is the same unencrypted keyspace with
a different access-control system in front of it — often a much weaker one.
If the dataset is sensitive enough to justify 640, it’s sensitive enough that
the backups need encryption at rest and a look at who can read the bucket.
Related
Section titled “Related”- Require authentication with ACL users — the secret this protects.
- Run Redis as an unprivileged user — who owns these files.