
Valkey SSL Certificate Setup

By default, communication to Valkey is unencrypted, which means data transmitted between your application and the database can be intercepted. This guide walks you through configuring SSL certificates for your Valkey database deployment on Grid to secure your database connections.

Prerequisites

Ensure you have SSH access to your Valkey container and appropriate permissions to modify Valkey configuration files.

Important: A persistent volume is mounted at /config to ensure that SSL certificates and the valkey.conf configuration file persist across container restarts and redeployments.

Why SSL Certificates Matter

SSL certificates protect your database connections from man-in-the-middle (MITM) attacks. Without SSL encryption, attackers can intercept, read, and modify data transmitted between your application and Valkey database.

SSL Certificate and Man-in-the-Middle Attack Protection Diagram

Security Risk

Without SSL encryption, sensitive data like passwords, personal information, and business data can be intercepted by attackers. Always use SSL/TLS encryption for production databases.

Step 1: Navigate to Valkey Configuration Directory

Navigate to the persistent volume mount point where Valkey configuration files and SSL certificates will be stored:

cd /config

Persistent Volume

The /config directory is a persistent volume, ensuring that your SSL certificates and valkey.conf configuration persist across container restarts and deployments.

Step 2: Configure Valkey for SSL/TLS

Add SSL/TLS configuration to the Valkey configuration file (valkey.conf or redis.conf) in the persistent volume:

printf 'port 0\ntls-port 6379\ntls-cert-file /config/valkey.crt\ntls-key-file /config/valkey.key\ntls-ca-cert-file /config/ca.crt\n' >> /config/valkey.conf

Verify the configuration was added correctly:

tail /config/valkey.conf

Step 3: Generate SSL Certificates

Important: These commands should be run on your client terminal, not in the container shell. Generate the certificates on your local machine first, then copy them to the container.

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key \
  -sha256 -days 3650 \
  -out ca.crt

Generate the server private key and certificate signing request:

openssl genrsa -out valkey.key 2048
openssl req -new -key valkey.key -out valkey.csr

Sign the server certificate with the CA:

openssl x509 -req -in valkey.csr \
  -CA ca.crt -CAkey ca.key \
  -CAcreateserial \
  -out valkey.crt \
  -days 3650 \
  -sha256

Alternative Command

You can also use this single-line command:

openssl x509 -req -in valkey.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out valkey.crt -days 3650 -sha256

Step 4: Add key and certificates

After creating the key & certificates on your local machine, add them to the persistent volume at /config/ using the cat command with heredoc:

Add the private key:

cat > /config/valkey.key << 'EOF'
-----BEGIN PRIVATE KEY-----
[paste your key content here]
-----END PRIVATE KEY-----
EOF

Add the certificate:

cat > /config/valkey.crt << 'EOF'
-----BEGIN CERTIFICATE-----
[paste your certificate content here]
-----END CERTIFICATE-----
EOF

Add the CA certificate:

cat > /config/ca.crt << 'EOF'
-----BEGIN CERTIFICATE-----
[paste your CA certificate content here]
-----END CERTIFICATE-----
EOF

After adding the files, set proper permissions:

chmod 600 /config/valkey.key
chown valkey:valkey /config/valkey.key
chmod 644 /config/valkey.crt
chmod 644 /config/ca.crt

Security Note

The private key (valkey.key) must have restricted permissions (600) and be owned by the valkey user for security.

Step 5: Restart Valkey Service

Apply the SSL/TLS configuration changes:

valkey-server /config/valkey.conf

Note

The restart method depends on how Valkey is deployed. Use systemctl for systemd services, or restart the container if running in Docker.

Step 6: Test SSL Connection

Verify that SSL/TLS is working by connecting to your Valkey instance with TLS. Use the port that your provider has mapped in the networking configuration:

valkey-cli --tls --cert /config/valkey.crt --key /config/valkey.key --cacert /config/ca.crt -h provider.akash-palmito.org -p <provider-mapped-port>

Or using redis-cli (Valkey is Redis-compatible):

redis-cli --tls --cert /config/valkey.crt --key /config/valkey.key --cacert /config/ca.crt -h provider.akash-palmito.org -p <provider-mapped-port>

Replace the connection parameters with your actual values:

  • host: Your Valkey host address
  • port: The port mapped by your provider in the networking configuration
  • cert: Path to client certificate (/config/valkey.crt)
  • key: Path to client private key (/config/valkey.key)
  • cacert: Path to CA certificate (/config/ca.crt)

Success Indicators

  • Connection established without errors
  • TLS handshake completed successfully
  • Commands execute without SSL-related warnings
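
A pre-flight check for the files created in Steps 3 and 4, meant to be run inside the container before the restart in Step 5. This is an added example, not part of the original guide; it assumes the guide's file names (valkey.key, valkey.crt, ca.crt) and an installed openssl, and check_tls_material is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: verify the TLS files from Steps 3-4 before restarting Valkey.
# Assumes the guide's file names and an installed openssl; check_tls_material
# is a hypothetical helper name. Usage: check_tls_material /config

# Prints one line per problem; returns 0 only if every check passes.
check_tls_material() {
    dir=${1:-/config}
    rc=0
    for f in valkey.key valkey.crt ca.crt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key must be exactly mode 600 (owner read/write only).
    if [ -z "$(find "$dir/valkey.key" -prune -perm 600)" ]; then
        echo "valkey.key is not mode 600"; rc=1
    fi

    # Certificate and key must hold the same public key. A truncated paste
    # or a key left over from an earlier run is caught here.
    cert_pub=$(openssl x509 -in "$dir/valkey.crt" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$dir/valkey.key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "valkey.crt does not match valkey.key"; rc=1
    fi

    # The server certificate must chain to the CA that clients pass as --cacert.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/valkey.crt" >/dev/null 2>&1; then
        echo "valkey.crt does not verify against ca.crt"; rc=1
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$dir/valkey.crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "valkey.crt has expired"; rc=1
    fi
    return "$rc"
}
```

A non-zero return with "does not match" usually means the key and certificate pasted in Step 4 came from different generation runs.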

TLS Configuration Options

tls-auth-clients

Set to yes to require client certificates, or no to allow connections without client certificates.

tls-protocols

Specify allowed TLS protocols (e.g., "TLSv1.2 TLSv1.3"). Use TLSv1.2 or higher.

tls-ciphers

Configure allowed cipher suites. Use strong ciphers for production environments to ensure maximum security.
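
A configuration audit covering the directives written in Step 2 and the options listed above. This is an added example, not part of the original guide; conf_get and audit_valkey_tls are hypothetical helper names, the sample configuration is constructed, and treating tls-auth-clients no as a finding is a policy choice of this example.

```sh
#!/bin/sh
# Added example: audit a valkey.conf for the TLS directives this guide sets.
# conf_get and audit_valkey_tls are hypothetical helper names.

# Effective value of a directive: the last uncommented occurrence wins.
conf_get() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# Prints one finding per line; returns 0 only if there are no findings.
audit_valkey_tls() {
    conf=$1
    rc=0
    fail() { echo "$1"; rc=1; }

    # Without "port 0" the unencrypted listener stays open beside the TLS one.
    [ "$(conf_get "$conf" port)" = "0" ] || fail "plaintext listener enabled (want: port 0)"
    tls_port=$(conf_get "$conf" tls-port)
    { [ -n "$tls_port" ] && [ "$tls_port" != "0" ]; } || fail "tls-port is not set"
    for d in tls-cert-file tls-key-file tls-ca-cert-file; do
        [ -n "$(conf_get "$conf" "$d")" ] || fail "$d is not set"
    done
    # tls-protocols is optional; when present, accept only TLSv1.2 and TLSv1.3.
    for p in $(conf_get "$conf" tls-protocols | tr -d '"'); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) fail "tls-protocols allows $p" ;;
        esac
    done
    # Policy choice of this example: disabled client-cert checks are a finding.
    [ "$(conf_get "$conf" tls-auth-clients)" != "no" ] || fail "tls-auth-clients is no"
    return "$rc"
}

# Constructed sample: TLS configured, plaintext port left on, TLSv1.1 allowed.
sample=$(mktemp)
printf '%s\n' 'tls-port 6379' 'tls-cert-file /config/valkey.crt' \
    'tls-key-file /config/valkey.key' 'tls-ca-cert-file /config/ca.crt' \
    'tls-protocols "TLSv1.1 TLSv1.2"' > "$sample"
audit_valkey_tls "$sample" || echo "audit: fix the findings above before restarting"
```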