Manage in-transit encryption

Note: If you are looking for the Memorystore for Redis Cluster documentation, see Manage in-transit encryption.

This page explains how to enable in-transit encryption during Redis instance creation, and how to manage in-transit encryption for the instance. In-transit encryption uses the Transport Layer Security (TLS) protocol.

For information on the general behavior and benefits of using in-transit encryption, see In-transit encryption.

For a list of permissions that a user needs in order to perform the management tasks on this page, see In-transit encryption permissions.

You can only enable in-transit encryption when you initially create your Redis instance. In-transit encryption cannot be disabled for instances created in this way.

Note: For Standard Tier instances, replicated data is fully encrypted at the network level based on Google Cloud encryption standards.

Creating a Redis instance with in-transit encryption

Console

When you create a Redis instance, select Enable in-transit encryption.

gcloud

To create a Redis instance that has in-transit encryption, enter the following command, replacing variables with appropriate values:

gcloud redis instances create instance-id --transit-encryption-mode=SERVER_AUTHENTICATION --size=size --region=region-id

Where:

  • --transit-encryption-mode=SERVER_AUTHENTICATION enables in-transit encryption for your instance.

Downloading the Certificate Authority

Console

  1. Go to the Memorystore for Redis page in the Google Cloud console.

  2. View your instance's Instance details page by clicking on your Instance ID.

  3. Click the Download or Download All button under TLS server certificate.

gcloud

If in-transit encryption is enabled on your instance, you see the contents of the Certificate Authority(ies) when you run the following command:

gcloud redis instances describe instance-id --region=region

The response body will include all applicable Certificate Authorities. The following is an example Certificate Authority (CA) for Memorystore for Redis:

-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkNzYxNTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2YxOWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE3MjEzNDE1WhcNMzAwOTE1MjEzNTE1WjCBhTEtMCsGA1UELhMkNzYxNTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2YxOWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyDKmDHZm6tzMhNtKOnp8H8+zTv1qA6OkBToVqCjKTTMGO18ovNtAAMjbGvclLuJNLbA2WTTWVttHen6Cn82h03gG9HMk9AwK1cVT7gW072h++TRsYddIRlwnSweRWL8jUX+PNt7CjFqH+sma/Hb1mCktHdBOa897JiYHrMVNTcpS8SFwwz05yHUTEVGlHdkvlaJXfHLe6keCMABLyjaMh1Jl4gZI2WqLMV680pJusK6FI6q/NmqENFc9ywMEg395lHTK9w9e014WIXg0q7sU384ChVVS2yYOMEUWeov4Qx6XeVfA4ss5t7OCqsMQkvslkE90mJZcVvhBj3QvTH9RzAgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBAJkn+MDE4V10DZn4uEc0s0Mg4FEMC1fDewmDYwSNnxRlzfEi+wAX2AaqrJ4m4Qa7xIyuSYxArEOY6QeyJyw7/06dom8aAv4aO2p8hE04Ih6QwaTMFIlT2Jf6TidVd3eTwfjwFJVoJ+dgxsaCv2uMFZWee5aRHmKzj9LhqPwpWnTs9Q/qmOheUNoe2/1i8yvn662M7RZMR7fZH6ETsdz5w1nPXXiRqJ7K0EGKoPNjMlYK3/U1X3sazI4tpMNgTdxGrnNh9Sd9REMBmDCPj9dUI9k4hQX4yQZp96fnLT6cet22OPajEKnpzyqJs1s4iX/glEtWs4V/YBhKA56CW6ASZS8=
-----END CERTIFICATE-----

Copy and save all of the CAs temporarily so you can install them on clients accessing the Redis instance.

Important: When you copy and paste the text of the CAs to your client you must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Installing a Certificate Authority on your client

You must install your Redis instance's Certificate Authority(ies) on the connecting client. CA installation can vary depending on the client type. The steps below explain how to install a CA on a Compute Engine Linux VM.

  1. Connect with SSH to your Compute Engine Linux client.

  2. Create a file called server_ca.pem in your client by running the following command:

    sudo vim /tmp/server_ca.pem

  3. Download the Certificate Authority and paste it into the previously created server_ca.pem file.

    The text of the CA must be formatted correctly:

    • Copy the entire Certificate Authority including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    • Make sure that the text of the CA is completely left justified. There should be no spaces in front of any line of the CA.

Configuring your client for in-transit encryption

The client that you use to connect to the Redis instance must support TLS or use a third-party sidecar to enable TLS.

If your client supports TLS, configure it to point to your Redis instance's IP, port 6378, and the file containing the Certificate Authority. If you choose to use a sidecar, we recommend using Stunnel.

Additional client configuration

Some clients do not accept self-signed certificates by default and will require additional configuration.

For example, Lettuce is a popular Java client for Redis. Their documentation provides an example for connecting natively with TLS (see Example 47). Given that the Java Security Manager does not allow self-signed certificates by default, an additional option needs to be specified in the Redis URI construction: .withVerifyPeer(false).
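The client configuration described in the two sections above, written out as an added example (it is not code from this page, from Memorystore, or from the Lettuce project): a Python client that uses only the standard library, connects to the instance IP on port 6378 with the server_ca.pem file installed in the previous steps, and sends a RESP PING over the verified TLS session. The verify_peer=False branch is the standard-library equivalent of Lettuce's .withVerifyPeer(false): the session is still encrypted, but the server's certificate is not checked against the CA, so loading the CA file is the preferable route whenever the client allows it. The host address, the CA path and the choice to validate the certificate chain without hostname matching are assumptions of this example.

```python
import socket
import ssl

# Port on which a Memorystore for Redis instance serves TLS (from this page).
REDIS_TLS_PORT = 6378


def make_tls_context(ca_path: str, verify_peer: bool = True) -> ssl.SSLContext:
    """Build the client-side TLS context for the instance.

    ca_path is the server_ca.pem file assembled from the instance's
    Certificate Authorities. With verify_peer=True the server's chain must
    validate against that CA. verify_peer=False mirrors Lettuce's
    .withVerifyPeer(false): any certificate is accepted, so the connection is
    encrypted but the server is not authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: the instance is addressed by IP and authenticated through the
    # CA chain alone, so hostname matching is switched off. It must be switched
    # off before verify_mode can be set to CERT_NONE below.
    ctx.check_hostname = False
    if verify_peer:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_path)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def encode_command(*parts: str) -> bytes:
    """Encode a Redis command as a RESP array, e.g. PING -> *1\r\n$4\r\nPING\r\n."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_simple_reply(data: bytes) -> str:
    """Decode a RESP simple-string reply (+PONG); raise on an error reply (-ERR ...)."""
    if not data.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    kind, body = data[:1], data[1:-2].decode()
    if kind == b"+":
        return body
    if kind == b"-":
        raise RuntimeError(f"redis error: {body}")
    raise ValueError(f"unexpected reply type {kind!r}")


def tls_ping(host: str, ca_path: str, port: int = REDIS_TLS_PORT, timeout: float = 5.0) -> str:
    """Open a CA-verified TLS connection to the instance and return the PING reply."""
    ctx = make_tls_context(ca_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(encode_command("PING"))
            return parse_simple_reply(tls.recv(1024))


if __name__ == "__main__":
    import sys

    # Usage: python3 tls_ping.py <instance-ip> /tmp/server_ca.pem
    print(tls_ping(sys.argv[1], sys.argv[2]))
```

If the handshake fails with a certificate verification error, the CA file does not contain the CA that signed the instance's current server certificate; compare it with the output of gcloud redis instances describe before relaxing verification.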

Securely connecting to a Redis instance using Stunnel and telnet

For instructions on using Stunnel to enable in-transit encryption on a Compute Engine client, see Connect to a Redis instance securely by using Stunnel and telnet.

Managing Certificate Authority rotation

You should install all downloadable Certificate Authorities on clients accessing the Redis instance.

Installing the new CA, in addition to the previous CA, once it becomes available is the simplest way of ensuring that you have the necessary CA when the Certificate Authority rotation event occurs.

Run the following command once a new Certificate Authority is introduced to view the contents of the new CA:

gcloud redis instances describe instance-id --region=region

Next, copy and paste the newest Certificate Authority into the file in your client in which you saved the previous CA.

The file should use the following format. The order of the CAs does not matter:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

All you need to do to make sure that you have the required CA is to make sure that the CAs saved in your client file match those shown by gcloud redis instances describe. After a rotation event begins there are multiple CAs to ensure ample time for rotations with minimal downtime.
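The download, installation and rotation steps above all come down to the same two operations: turning the CAs listed by gcloud redis instances describe into a correctly formatted server_ca.pem, and later checking that the client file still contains every CA the instance reports. The following added example (not code from this page or from Google) does both. It reads the describe output in JSON form (gcloud's --format=json) and assumes the CA material is under serverCaCerts[].cert, which is the field of the Memorystore API's Instance resource; confirm that against your own describe output. The JSON sample and the certificate bodies in it are constructed placeholders, not real certificates.

```python
import json
import re
import sys
from typing import List

# Constructed sample of `gcloud redis instances describe instance-id --region=region
# --format=json` after a rotation event has begun: two CAs are listed.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "projects/example-project/locations/example-region/instances/instance-id",
    "transitEncryptionMode": "SERVER_AUTHENTICATION",
    "serverCaCerts": [
        {"cert": "-----BEGIN CERTIFICATE-----\nQ0Ffb2xk\n-----END CERTIFICATE-----\n"},
        {"cert": "-----BEGIN CERTIFICATE-----\nQ0FfbmV3\n-----END CERTIFICATE-----\n"},
    ],
})

# Constructed server_ca.pem as it might look on a client that was set up before
# the rotation: only the first CA, and pasted with leading spaces.
SAMPLE_CLIENT_FILE = (
    "   -----BEGIN CERTIFICATE-----\n"
    "   Q0Ffb2xk\n"
    "   -----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----"
)


def normalise_pem(text: str) -> str:
    """Left-justify every line and drop blank lines, as the install steps require."""
    lines = [line.strip() for line in text.splitlines()]
    return "\n".join(line for line in lines if line) + "\n"


def check_ca_file(text: str) -> List[str]:
    """Return the formatting problems in a server_ca.pem (empty list means OK).

    Checks the two rules from this page: no leading whitespace on any line,
    and BEGIN/END CERTIFICATE lines present and paired.
    """
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if line and line[0].isspace():
            problems.append(f"line {number}: leading whitespace")
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    if begins == 0:
        problems.append("no -----BEGIN CERTIFICATE----- line found")
    if begins != ends:
        problems.append(f"{begins} BEGIN lines but {ends} END lines")
    return problems


def split_pem(text: str) -> List[str]:
    """Return each certificate in a PEM file as its own normalised block."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(normalise_pem(text))]


def certs_from_describe(describe_json: str) -> List[str]:
    """Return every CA reported by gcloud as a normalised PEM block."""
    data = json.loads(describe_json)
    return [normalise_pem(entry["cert"]) for entry in data.get("serverCaCerts", [])]


def build_ca_bundle(describe_json: str) -> str:
    """Concatenate all reported CAs; the page states their order does not matter."""
    return "".join(certs_from_describe(describe_json))


def missing_cas(client_file_text: str, describe_json: str) -> List[str]:
    """CAs reported by gcloud that are not yet present in the client's file."""
    present = set(split_pem(client_file_text))
    return [cert for cert in certs_from_describe(describe_json) if cert not in present]


if __name__ == "__main__":
    # Usage: gcloud redis instances describe instance-id --region=region --format=json \
    #          | python3 ca_bundle.py /tmp/server_ca.pem
    bundle = build_ca_bundle(sys.stdin.read())
    with open(sys.argv[1], "w") as fh:
        fh.write(bundle)
    print(f"wrote {bundle.count('BEGIN CERTIFICATE')} CA(s); problems: {check_ca_file(bundle)}")
```

Running missing_cas against the client's current file after every describe gives a direct answer to the question this section asks (do the saved CAs match what gcloud shows?), and can be scheduled on the client so a rotation is noticed before the old CA stops being accepted.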

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.