# TLS & mTLS

## Server TLS

```toml
[server.tls]
cert_path = "/etc/nodedb/tls/server.crt"
key_path = "/etc/nodedb/tls/server.key"
```

Per-protocol TLS toggle:

```toml
[server.tls]
native = true
pgwire = true
http = true
resp = true
ilp = false # disable TLS for high-throughput ILP ingest
```
## mTLS (Mutual TLS)

```toml
[tls]
cert = "/path/to/server.crt"
key = "/path/to/server.key"
client_ca = "/path/to/ca.crt"
crl = "/path/to/revocation.crl"
```

When `client_ca` is set, clients must present a valid certificate signed by the CA.
## Encryption at Rest

- Data volumes — AES-256-XTS
- WAL segments — AES-256-GCM with per-file data encryption keys
- Lite devices — AES-256-GCM + Argon2id key derivation