Version: current [26.x Preview]

Configuring Wire Encryption

Wire encryption provides confidentiality and privacy over a public network. Dremio uses Transport Layer Security (TLS) to establish encrypted communication channels. Wire encryption is configured in dremio.conf.

Dremio supports the following TLS wire encryption methods:

  • Full Wire Encryption - Enables all TLS communication.
  • Web Server Encryption - Enables HTTPS on the Dremio web server.
  • Client Encryption - Enables TLS for Arrow Flight, Arrow Flight SQL JDBC, and ODBC clients, or for legacy JDBC and ODBC clients.
  • Intracluster Encryption - Enables TLS communication between nodes in a Dremio cluster.

All Dremio clusters must have the following configured:

In a cluster environment (not a single node install), a node can only have a single role: as either a master-coordinator or an executor. In addition, a coordinator-only role is not supported. A coordinator node refers to a node with the master-coordinator role enabled.

Prerequisite

Prior to configuring your Dremio environment for wire encryption, the file permissions on the keystore, truststore, and dremio.conf files must be set as follows:

  • keystore permission: 0440
  • truststore permission: 0444
  • dremio.conf file permission: 0444
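A shell check for these three modes, added here as an example and not part of the Dremio documentation or tooling. The file names and paths are assumptions; the demo creates empty files in a temporary directory, sets one mode deliberately wrong, and shows the check reporting it.

```shell
#!/bin/sh
# Added example (not Dremio tooling): verify that the keystore, truststore and
# dremio.conf carry exactly the modes this page requires before enabling TLS.

# file_mode <file>: octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode <file> <expected-octal>: 0 if the mode matches, 1 otherwise.
# Leading zeros are dropped on both sides so "0440" and "440" compare equal.
check_mode() {
  expected=$(printf '%s' "$2" | sed 's/^0*//')
  actual=$(file_mode "$1" | sed 's/^0*//')
  if [ "$actual" = "$expected" ]; then
    echo "OK   $1 is $2"
    return 0
  fi
  echo "FAIL $1 is 0$actual, expected $2" >&2
  return 1
}

# check_wire_encryption_prereqs <keystore> <truststore> <dremio.conf>:
# applies the three required modes from the prerequisite list; returns 0 only
# if all of them match, so it can gate an automated rollout.
check_wire_encryption_prereqs() {
  rc=0
  check_mode "$1" 0440 || rc=1
  check_mode "$2" 0444 || rc=1
  check_mode "$3" 0444 || rc=1
  return $rc
}

# Demo on constructed files in a temporary directory (paths are assumptions).
demo_dir=$(mktemp -d)
touch "$demo_dir/keystore.jks" "$demo_dir/truststore.jks" "$demo_dir/dremio.conf"
chmod 0440 "$demo_dir/keystore.jks"
chmod 0444 "$demo_dir/truststore.jks"
chmod 0644 "$demo_dir/dremio.conf"   # deliberately wrong, so the check reports it
check_wire_encryption_prereqs "$demo_dir/keystore.jks" "$demo_dir/truststore.jks" "$demo_dir/dremio.conf" \
  || echo "prerequisites not met; fix the modes reported above before enabling wire encryption"
rm -rf "$demo_dir"
```

Run it on the real paths of a node (the three arguments) from the same user that starts Dremio; a non-zero exit means at least one file is more permissive, or less permissive, than the page requires.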

Full Wire Encryption Enterprise

To configure Dremio to use encryption for all web server, client-server, and intracluster communication using the same keystore and truststore, set the following properties in dremio.conf on all of your Dremio coordinator and executor nodes.

Full wire encryption configuration
javax.net.ssl.keyStoreType: "type" # optional; default: JKS
javax.net.ssl.keyStore: "path/to/keystore/jks/file"
javax.net.ssl.keyStorePassword: "keystorePassword"
javax.net.ssl.keyPassword: "key password"
javax.net.ssl.trustStoreType: "type" # optional; default: JKS
javax.net.ssl.trustStore: "path/to/truststore/jks/file"
javax.net.ssl.trustStorePassword: "trustStorePassword"

services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false

Web Server Encryption

Web servers can be configured to use HTTPS with self-signed or CA-issued certificates.

Self-signed certificates

To configure Dremio to use self-signed certificates for Dremio web server encryption, add the following parameters to dremio.conf on all of your coordinator nodes.

Self-signed certificate properties
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
note

Self-signed certificates are not recommended in production, and most browsers will provide a warning.

Custom Stores

Custom keystore and trustStore configurations in dremio.conf must be present on all Dremio coordinators.

Web server encryption configuration
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: false

services.coordinator.web.ssl.keyStore: "path/to/keystore/jks/file"
services.coordinator.web.ssl.keyStorePassword: "keystorePassword"
services.coordinator.web.ssl.trustStore: "path/to/trustStore" # optional
services.coordinator.web.ssl.trustStorePassword: "trustStorePassword" # optional

In Dremio 24+, the following properties in dremio.conf can be encrypted using the dremio-admin encrypt CLI command:

  • keyStorePassword
  • trustStorePassword

Client Encryption

Arrow Flight and Arrow Flight SQL JDBC and ODBC Enterprise

To enable encryption between Arrow Flight client applications and the Dremio cluster, add these properties to the dremio.conf file on all of your coordinator nodes:

Arrow Flight client encryption configuration
services.flight.ssl.enabled: true
services.flight.ssl.auto-certificate.enabled: false
services.flight.ssl.keyStoreType: "jks"
services.flight.ssl.keyStore: "/path/to/serverKeyStore.jks"
services.flight.ssl.keyStorePassword: "<password for your keystore>"
services.flight.ssl.keyPassword: "<password for your key>"
services.flight.ssl.trustStoreType: "jks"
services.flight.ssl.trustStore: "/path/to/serverTrustStore.jks"
services.flight.ssl.trustStorePassword: "<password for your truststore>"

Legacy JDBC and Power BI Clients With Legacy ODBC Driver Enterprise

Transport Layer Security (TLS) communication is supported for encrypting communication between JDBC client applications and a Dremio cluster, or between Power BI client applications that use the legacy ODBC driver and a Dremio cluster.

To configure Dremio to use TLS for client-server encryption:

  1. Set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator nodes.
  2. Download, install, and configure a driver for your client application, ensuring that you configure the parameters required for wire encryption. See Drivers for specific driver information.

To enable encryption in Dremio, add the following keyStore and trustStore properties to the dremio.conf file on all of your Dremio coordinator nodes:

Properties for enabling encryption
services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
services.coordinator.client-endpoint.ssl.keyStoreType: "type" # optional; default: JKS
services.coordinator.client-endpoint.ssl.keyStore: "path/to/keystore/jks/file"
services.coordinator.client-endpoint.ssl.keyStorePassword: "file password"
services.coordinator.client-endpoint.ssl.keyPassword: "key password"
services.coordinator.client-endpoint.ssl.trustStoreType: "type" # optional; default: JKS
services.coordinator.client-endpoint.ssl.trustStore: "path/to/truststore/jks/file"
services.coordinator.client-endpoint.ssl.trustStorePassword: "file password"

Intracluster Encryption Enterprise

Transport Layer Security (TLS) communication is supported for encrypting communication between Dremio nodes in the cluster.

Self-Signed Certificates

To configure Dremio to use self-signed certificates for intracluster encryption, add the following parameters to dremio.conf on all of your coordinator and executor nodes.

Self-signed certificates for intracluster encryption
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: true
note

Using a self-signed certificate in production is not recommended for security reasons.

Custom keystores and truststores

To configure Dremio to use TLS for intracluster encryption, set the keyStore and trustStore properties in the dremio.conf file on all of your Dremio coordinator and executor nodes.

Intracluster encryption configuration
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false
services.fabric.ssl.keyStoreType: "type" # optional; default: JKS
services.fabric.ssl.keyStore: "path/to/keystore/jks/file"
services.fabric.ssl.keyStorePassword: "file password"
services.fabric.ssl.keyPassword: "key password"
services.fabric.ssl.trustStoreType: "type" # optional; default: JKS
services.fabric.ssl.trustStore: "path/to/truststore/jks/file"
services.fabric.ssl.trustStorePassword: "file password"
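The notes in the Web Server Encryption and Intracluster Encryption sections warn against auto-certificate (self-signed) certificates in production, and the custom-store configurations above require a keystore whenever auto-certificate is off. The following script, added here as an example and not Dremio's own tooling, audits a dremio.conf for those conditions on the three endpoints listed in the Full Wire Encryption section (web, client-endpoint, fabric), treating javax.net.ssl.keyStore as the shared fallback keystore as that section describes. It parses only the flat dotted-key lines shown on this page, not nested HOCON blocks; the sample configuration, its paths and the temporary-directory demo are constructed.

```shell
#!/bin/sh
# Added example (not Dremio tooling): audit the TLS endpoint settings of a
# dremio.conf against the guidance on this page: TLS enabled, no
# auto-certificate in production, and a keyStore present when auto-certificate
# is off. Only the flat "dotted.key: value" syntax shown on this page is parsed.

# conf_get <file> <dotted.key>: value of the last matching line (HOCON
# last-wins), with the key, a trailing "# comment", a trailing comma and the
# surrounding quotes removed. Prints nothing if the key is absent.
conf_get() {
  key_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -E "^[[:space:]]*${key_re}[[:space:]]*[:=]" "$1" | tail -n 1 \
    | sed -E 's/^[^:=]*[:=][[:space:]]*//; s/[[:space:]]+#.*$//; s/,[[:space:]]*$//; s/^"//; s/"[[:space:]]*$//'
}

# The three endpoints configured in the Full Wire Encryption section.
ENDPOINTS="services.coordinator.web.ssl services.coordinator.client-endpoint.ssl services.fabric.ssl"

# audit_dremio_conf <file>: one line per endpoint, FINDING or OK; returns 1 if
# any endpoint is plaintext, self-signed, or enabled without a keystore.
audit_dremio_conf() {
  f=$1; findings=0
  global_ks=$(conf_get "$f" javax.net.ssl.keyStore)
  for p in $ENDPOINTS; do
    enabled=$(conf_get "$f" "$p.enabled")
    auto=$(conf_get "$f" "$p.auto-certificate.enabled")
    ks=$(conf_get "$f" "$p.keyStore")
    if [ "$enabled" != "true" ]; then
      echo "FINDING $p: TLS is not enabled; traffic on this endpoint is plaintext"
      findings=$((findings + 1))
    elif [ "$auto" = "true" ]; then
      echo "FINDING $p: auto-certificate (self-signed) enabled; not recommended in production"
      findings=$((findings + 1))
    elif [ -z "$ks" ] && [ -z "$global_ks" ]; then
      echo "FINDING $p: TLS enabled but no keyStore set (neither $p.keyStore nor javax.net.ssl.keyStore)"
      findings=$((findings + 1))
    else
      echo "OK      $p: TLS enabled with keystore ${ks:-$global_ks}"
    fi
  done
  [ "$findings" -eq 0 ]
}

# count_ssl_findings <file>: number of FINDING lines, for scripting.
count_ssl_findings() {
  audit_dremio_conf "$1" | grep -c '^FINDING'
}

# write_sample_conf <path>: constructed dremio.conf fragment; the web endpoint
# is self-signed and the fabric endpoint has no keystore, client-endpoint is fine.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real deployment
services.coordinator.web.ssl.enabled: true
services.coordinator.web.ssl.auto-certificate.enabled: true
services.coordinator.client-endpoint.ssl.enabled: true
services.coordinator.client-endpoint.ssl.auto-certificate.enabled: false
services.coordinator.client-endpoint.ssl.keyStore: "/opt/dremio/conf/keystore.jks", # constructed path
services.fabric.ssl.enabled: true
services.fabric.ssl.auto-certificate.enabled: false
EOF
}

# Demo in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/dremio.conf"
audit_dremio_conf "$demo_dir/dremio.conf" || echo "findings: $(count_ssl_findings "$demo_dir/dremio.conf")"
rm -rf "$demo_dir"
```

Point `audit_dremio_conf` at the dremio.conf of each coordinator and executor; the demo configuration yields two findings (the self-signed web endpoint and the keystore-less fabric endpoint), and adding a javax.net.ssl.keyStore plus turning the web endpoint's auto-certificate off brings it to zero.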

Password Encryption

The following properties in dremio.conf can be encrypted.

  • keyStorePassword
  • keyPassword
  • trustStorePassword

See the dremio-admin encrypt Admin CLI command for further information.