Skip to content

Secure the Redis config and data files

Severity: mediumApplies to: Redis 6.x+Applies to: Redis 8.xApplies to: Valkey 8.x / 9.x
The fix
Terminal window
sudo chown root:redis /etc/redis/redis.conf
sudo chmod 640 /etc/redis/redis.conf
sudo chown -R redis:redis /var/lib/redis
sudo chmod 750 /var/lib/redis
sudo chmod 640 /var/lib/redis/dump.rdb 2>/dev/null || true

Substitute /etc/valkey/valkey.conf, /var/lib/valkey and the valkey user if that’s what you’re running.

Redis’s documentation notes that the password is “set by the system administrator in clear text inside the redis.conf file”. That is a reasonable design — but it means the file’s permissions are part of your authentication.

Two consequences that are easy to miss:

The config file is a credential. A 644 redis.conf means every local user — every service account, every deployment agent, anything that gets a shell through an unrelated bug — can read the password and authenticate as default. All the work in requiring authentication is undone by a chmod nobody looked at.

The dump file is the entire dataset. dump.rdb is your whole keyspace on disk, unencrypted. Reading it requires no password and no Redis connection at all — just filesystem access. Sessions, tokens, cached PII: all of it, readable.

640 with group redis gives the daemon what it needs and nothing to anyone else.

If you moved users out to an aclfile, that file now holds the secrets instead:

/etc/redis/redis.conf
aclfile /etc/redis/users.acl
Terminal window
sudo chown root:redis /etc/redis/users.acl
sudo chmod 640 /etc/redis/users.acl

An aclfile is worth using — ACL SAVE persists runtime user changes to it without rewriting your whole config — but it inherits exactly the same exposure as redis.conf, and it’s newer, so it’s more often missed.

The permissions above protect the running host. They say nothing about the copy of dump.rdb in your backup bucket, which is the same unencrypted keyspace with a different access-control system in front of it — often a much weaker one.

If the dataset is sensitive enough to justify 640, it’s sensitive enough that the backups need encryption at rest and a look at who can read the bucket.