Wire encryption provides confidentiality and privacy to two parties communicating over a public network. The two parties may also need to prove their identity to each other: authentication is the process of proving identity.
In Dremio, Transport Layer Security (TLS), previously called Secure Sockets Layer (SSL), is the protocol used to establish an encrypted communication channel between two parties.
Dremio supports the following TLS wire encryption methods:
- Web Server Encryption - Enables HTTPS on Dremio's web server.
- ODBC/JDBC Client Encryption - Enables TLS communication between ODBC/JDBC clients and the Dremio server.
- Intracluster Encryption - Enables TLS communication between nodes in a Dremio cluster.
- Full Wire Encryption - Enables all TLS communication.
File permissions on the keystore, truststore, and dremio.conf files must be set correctly.
- keystore permission: 0440
- truststore permission: 0444
- dremio.conf file permission: 0444
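One way to check these modes on a node, as an added example that is not part of Dremio's documentation or tooling: the role names and the `audit_modes` and `demo` functions are hypothetical, and the files in `demo` are constructed in a temporary directory rather than taken from a real installation.

```python
import os
import stat
import tempfile

# File modes the page requires, keyed by role (role names are labels chosen here).
REQUIRED_MODES = {"keystore": 0o440, "truststore": 0o444, "dremio.conf": 0o444}


def audit_modes(paths):
    """Return (role, problem) findings for paths (role -> file path); [] is compliant."""
    findings = []
    for role, required in REQUIRED_MODES.items():
        path = paths.get(role)
        if path is None:
            findings.append((role, "no path supplied"))
            continue
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append((role, f"cannot stat: {exc.strerror}"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((role, "not a regular file"))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != required:
            extra = actual & ~required      # bits granted beyond the required mode
            missing = required & ~actual    # required bits that are absent
            findings.append(
                (role, f"mode {actual:04o}, expected {required:04o} "
                       f"(extra {extra:04o}, missing {missing:04o})"))
    return findings


def demo():
    """Audit constructed files; the keystore is deliberately left at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for role, mode in dict(REQUIRED_MODES, keystore=0o644).items():
            paths[role] = os.path.join(tmp, role)
            open(paths[role], "w").close()
            os.chmod(paths[role], mode)
        return audit_modes(paths)


if __name__ == "__main__":
    for role, problem in demo():
        print(f"{role}: {problem}")
```

The `extra` and `missing` masks separate a file that is too open (for example a world-readable keystore holding the private key) from one that is too restrictive for the Dremio process to read.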
Web Server Encryption
Web server encryption specifies that the Dremio web server use HTTPS. Encryption is configured by setting the trustStore properties in the dremio.conf file on all Dremio coordinator nodes.
For security reasons, it is not recommended to use a self-signed certificate in production. Most browsers will warn you if the Dremio web server is configured with a self-signed certificate.
ODBC/JDBC Client Encryption (Enterprise Edition only)
ODBC/JDBC client encryption specifies that Transport Layer Security (TLS) communication occurs between the ODBC/JDBC client applications and the Dremio server.
Intracluster Encryption (Enterprise Edition only)
Intracluster encryption specifies that Transport Layer Security (TLS) communication occurs between Dremio nodes in a cluster. This covers coordinator-to-coordinator, coordinator-to-executor, and executor-to-executor communication.
Encryption is configured by setting the trustStore properties in the dremio.conf file on all Dremio coordinator and executor nodes.
Full Wire Encryption (Enterprise Edition only)
Full wire encryption uses the same keystore and truststore to configure Dremio for all web server, client-server, and intracluster communication.
Encryption is configured via the dremio.conf file. The dremio.conf file must be modified on all Dremio coordinator and executor nodes in the cluster.