About in-transit encryption
This page gives an overview of in-transit encryption for Memorystore for Valkey.
For instructions on how to encrypt a connection with in-transit encryption, see Manage in-transit encryption.
Memorystore for Valkey only supports TLS protocol versions 1.2 or higher.
Introduction
Memorystore for Valkey supports encrypting all Valkey traffic using the Transport Layer Security (TLS) protocol. When in-transit encryption is enabled, Valkey clients communicate exclusively across a secure connection. Valkey clients that are not configured for TLS are blocked. If you choose to enable in-transit encryption, you are responsible for ensuring that your Valkey client is capable of using the TLS protocol.
Note: For instances with replicas, replicated data is fully encrypted at the network level based on Google Cloud encryption standards.
In-transit encryption prerequisites
In order to use in-transit encryption with Memorystore for Valkey, you need:
A Valkey client that supports TLS or a third-party TLS sidecar
Certificate Authorities installed on the client machine accessing your Valkey instance
Not every Valkey client library supports TLS. If you are using a client that does not support TLS, we recommend using the Stunnel third-party plugin that enables TLS for your client. See Securely connecting to a Valkey instance using Stunnel and telnet for an example of how to connect to a Valkey instance with Stunnel.
Certificate Authorities
A Valkey instance that uses in-transit encryption has unique Certificate Authorities (CAs) that are used to authenticate the certificates of the machines in your instance. Each CA is identified by a certificate that you must download and install on the client accessing your Valkey instance.
Note: CAs are valid for ten years from the date they are created. To ensure service continuity, new CAs must be installed on clients of the Valkey instance before the previous CAs expire.
Certificate authority rotation
CAs are valid for 10 years upon instance creation. In addition, a new CA will become available prior to CA expiration.
Old CAs are valid until their expiration date. This gives you a window in which to download and install the new CA to clients connecting to the Valkey instance. After the old CAs expire, you can uninstall them from clients.
For instructions on rotating the CA, see Managing Certificate Authority rotation.
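The rotation window described above can be watched from the client side. The following Python example is added here and is not Google's code: it builds a TLS context that trusts only the downloaded instance CA and refuses anything below TLS 1.2, then reports which loaded CAs expire within a chosen window. The function names, the ca_file path, the 90-day window and the sample CA entries are assumptions constructed for illustration.

```python
import ssl
import time

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE_CAS = [
    {"subject": ((("commonName", "example-ca-old"),),),
     "notAfter": "Mar  1 00:00:00 2026 GMT"},
    {"subject": ((("commonName", "example-ca-new"),),),
     "notAfter": "Jan  1 00:00:00 2036 GMT"},
]

def valkey_tls_context(ca_file=None):
    """Client context that trusts only the instance CA bundle.

    ca_file is an assumed local path to the downloaded CA certificate(s).
    System CAs are deliberately not loaded.
    """
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # service accepts 1.2 or higher
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def subject_cn(cert):
    """Extract the commonName from a get_ca_certs() entry."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def cas_due_for_rotation(ca_certs, now=None, window_days=90):
    """Return (name, days_left) for CAs expiring within window_days.

    Expired CAs are included with a negative days_left so they can be
    uninstalled once the replacement CA is in place.
    """
    now = time.time() if now is None else now
    due = []
    for cert in ca_certs:
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        days_left = int((expires - now) // 86400)
        if days_left <= window_days:
            due.append((subject_cn(cert), days_left))
    return sorted(due, key=lambda item: item[1])

if __name__ == "__main__":
    fixed_now = ssl.cert_time_to_seconds("Feb  1 00:00:00 2026 GMT")
    for name, days in cas_due_for_rotation(SAMPLE_CAS, now=fixed_now):
        print(f"{name}: {days} days until expiry")
```

In a real client, pass `valkey_tls_context("<path to downloaded CA file>").get_ca_certs()` to `cas_due_for_rotation` in place of the constructed sample.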
Server certificate rotation
Server-side certificate rotation occurs every week. New server certificates apply to new connections only, and existing connections remain alive during rotation.
Performance impact of enabling in-transit encryption
The in-transit encryption feature encrypts and decrypts data, which comes with processing overhead. As a result, enabling in-transit encryption can reduce performance. Also, when using in-transit encryption, each additional connection comes with an associated resource cost. To determine the latency associated with using in-transit encryption, benchmark your application against both an instance that has in-transit encryption enabled and an instance that has it disabled, and compare the results.
Guidelines to improve performance
Decrease the number of client connections when possible. Establish and reuse long-running connections rather than creating on-demand short-lived connections.
Increase the size of your Memorystore for Valkey instance.
Increase the CPU resources of the Memorystore client host machine. Client machines with a higher CPU count yield better performance. If using a Compute Engine VM, we recommend compute-optimized instances.
Decrease the payload size associated with application traffic because larger payloads require more round trips.
Last updated 2026-02-19 UTC.