February 21, 2018 | Written by: DJ Walker-Morgan
New Compose for Redis instances on IBM Cloud now have TLS encryption enabled, giving greater security for your blazing fast in-memory data structures and caches.
Using TLS encryption means your connections, commands, and data are made safer from interception on the internet. TLS is the standard that took over from SSL for securing web connections and it is also referred to as TLS/SSL or SSL/TLS. We’ve made TLS encryption support the default for new Redis services. You can, though, still configure Redis without TLS by selecting an alternative plan when creating your Redis instance.
Redis and TLS/SSL
Not every Redis library or tool can do TLS encryption because, out of the box, Redis the database doesn’t do TLS. With TLS/SSL, we are wrapping each Redis connection in its own TLS tunnel. The Redis portal unwraps the connection once it is safely within the IBM Cloud Compose Redis instance.
TLS encryption for Redis is represented in connection URLs by the de-facto standard scheme `rediss:`. That’s an extra s over the single-s `redis:` scheme. Many Redis drivers recognize the `rediss:` scheme and automatically use the secure TLS encryption.
There are, though, some tools that do not understand it. Most importantly, redis-cli, the Redis command line interface, does not know how to make TLS encrypted connections. That’s not a problem, though, as a free software utility called stunnel (find it at https://www.stunnel.org/) can perform that TLS wrapping for non-TLS aware programs and drivers like redis-cli. We cover how to configure it for IBM Cloud Compose for Redis instances in the documentation.
With this economical and efficient way to configure secure connections now available, we’ve made it the default for new deployments of IBM Cloud Compose for Redis. It is easier to deploy than the previous SSH tunnel option (which needed certificates exchanged in advance) and more flexible. Existing users who want the TLS encryption option for their Redis should provision a new instance and migrate to it.
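To make the `redis:` versus `rediss:` distinction concrete, here is a sketch of what a scheme-aware client does with the URL, using only the Python standard library. It is an added example, not code from Compose or from any Redis driver; the function names, the optional `cafile` argument and the sample host are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlparse, unquote

DEFAULT_PORT = 6379


def parse_redis_url(url):
    """Split a redis:/rediss: URL into host, port, password and a TLS flag."""
    parts = urlparse(url)
    if parts.scheme not in ("redis", "rediss"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT,
        "password": unquote(parts.password) if parts.password else None,
        "tls": parts.scheme == "rediss",  # the extra "s" selects TLS
    }


def make_tls_context(cafile=None):
    """Verifying client context: certificate chain and hostname are checked."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: assumed CA path
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def ping(url, cafile=None, timeout=5.0):
    """Connect (through TLS for rediss:), authenticate if needed, send PING."""
    cfg = parse_redis_url(url)
    sock = socket.create_connection((cfg["host"], cfg["port"]), timeout=timeout)
    if cfg["tls"]:
        sock = make_tls_context(cafile).wrap_socket(sock, server_hostname=cfg["host"])
    with sock:
        if cfg["password"]:
            sock.sendall(encode_command("AUTH", cfg["password"]))
            sock.recv(4096)  # expect +OK; kept minimal for the example
        sock.sendall(encode_command("PING"))
        return sock.recv(4096)  # b"+PONG\r\n" on success
```

Calling `ping("rediss://admin:PASSWORD@portal.example.com:18123")` (a constructed URL) sends the same Redis bytes as the plain `redis:` form would; only the transport underneath changes, which is the wrapping stunnel performs for tools that cannot do it themselves.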