How To Enable Mutual TLS


FeatureBase supports Mutual TLS, which allows both the client and server to cryptographically verify each other and establish an encrypted connection. To enable encryption on every connection, FeatureBase is configured with a PEM-encoded TLS keypair. In addition, nodes in a FeatureBase cluster internally communicate over the Memberlist protocol, which can be configured with a shared 32-bit key to enable AES-256 symmetric encryption within the cluster.

Generating keys

In order to enable TLS, you will need to generate a TLS keypair for FeatureBase. For testing in a development environment, we recommend using Certstrap to generate the necessary keys; we do not recommend Certstrap for production use. Setting up a secure public key infrastructure is outside the scope of this document, but the following examples use Certstrap to bootstrap a certificate authority and create signed TLS keypairs for demonstration purposes.

Create a root CA for testing purposes:

    certstrap init --common-name ""

Create and sign a keypair for FeatureBase:

    certstrap request-cert --common-name ""
    certstrap sign --CA

Create a 32-bit key to encrypt Memberlist (gossip) communication:

    head -c 32 /dev/random > out/gossip.key

After running the previous commands, you should have the following files in a directory called “out”:

Configuring FeatureBase

FeatureBase must be configured with the certificate and private key using environment variables, a configuration file, or command line parameters. Internal etcd cluster communication does not currently support TLS, but that’s coming soon.

    certificate = "/path/to/"
    key = "/path/to/"

You must also update your bind configuration to use the https scheme.

    bind = "https://YOUR-DOMAIN-HERE:10101"
    bind-grpc = "https://YOUR-DOMAIN-HERE:20101"
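As an added example (not code from the FeatureBase project or from this article), the following Go program does in code what the steps above do with Certstrap and `head`: it issues a test CA and a CA-signed keypair with Go's crypto/x509 in place of Certstrap, then performs a mutual TLS handshake over loopback in which the server requires a client certificate chaining to that CA and the client verifies the server against the same CA, and finally checks that a gossip key produced the way `head -c 32 /dev/random` produces one has the 32-byte length memberlist's AES-256 mode requires. The CA name `featurebase-test-ca` and the host name `featurebase.example` are placeholders chosen for this example; in a real deployment the certificate and key would be written out as PEM files for the `certificate` and `key` settings shown above.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 keypair and a certificate for name: a self-signed test CA when
// parent == nil (`certstrap init`), otherwise a leaf signed by parent (`request-cert` + `sign`).
func issue(name string, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: it signs itself
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf usable on either side of a mutual-TLS handshake
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// mutualHandshake runs one TLS handshake over loopback. The server demands a client
// certificate chaining to ca (RequireAndVerifyClientCert) and the client verifies the
// server against the same ca, so a peer holding a keypair from any other CA is rejected.
func mutualHandshake(ca *x509.Certificate, server, client tls.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1) // the server's view of the client certificate
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer conn.Close()
		verdict <- tls.Server(conn, srvCfg).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // fails if the server's chain is untrusted
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-verdict
}

// gossipKeyIsAES256 reports whether key is the 32 bytes memberlist needs for AES-256,
// which is exactly what `head -c 32 /dev/random` writes into gossip.key.
func gossipKeyIsAES256(key []byte) bool {
	_, err := aes.NewCipher(key) // accepts 16, 24 or 32 bytes (AES-128, -192, -256)
	return err == nil && len(key) == 32
}

func main() {
	ca, caKP, err := issue("featurebase-test-ca", nil, nil) // stands in for `certstrap init`
	if err != nil {
		panic(err)
	}
	_, kp, err := issue("featurebase.example", ca, caKP.PrivateKey) // request-cert + sign
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-signed peers accepted:", mutualHandshake(ca, kp, kp, "featurebase.example") == nil)
	fmt.Println("32-byte gossip key selects AES-256:", gossipKeyIsAES256(make([]byte, 32)))
}
```

Running it prints two `true` lines. Hand `mutualHandshake` a client keypair issued by a different CA and it returns the server's unknown-authority verification error instead of nil; hand it a server keypair from a different CA and `tls.Dial` fails on the client side. Those two failures are the point of configuring both sides with a keypair from the same CA: each end refuses the connection unless the other can prove it was issued by that CA.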

© 2022 Molecula Corp. (DBA FeatureBase). All rights reserved.