Encryption: Data in Transit Node to Node
========================================

Communication between all or some nodes can be encrypted. The controlling parameter is :code:`server_encryption_options`.

Once enabled, all communication between the nodes is transmitted over TLS/SSL.
The libraries used by Scylla for OpenSSL are FIPS 140-2 certified.

To build a self-signed certificate chain, see :doc:`generating a self-signed certificate chain using openssl </operating-scylla/security/generate-certificate/>`.

**Procedure**

#. Configure the ``internode_encryption``, under :code:`/etc/scylla/scylla.yaml`.

   Available options are:

   * ``internode_encryption`` can be one of the following:

     * ``none`` (default) - No traffic is encrypted.
     * ``all`` - Encrypts all traffic
     * ``dc`` - Encrypts the traffic between the data centers.
     * ``rack`` - Encrypts the traffic between the racks.

   * ``certificate`` - A PEM format certificate, either self-signed, or provided by a certificate authority (CA).
   * ``keyfile`` - The corresponding PEM format key for the certificate.
   * ``truststore`` - Optional path to a PEM format certificate store of trusted CAs. If not provided, Scylla will attempt to use the system trust store to authenticate certificates.
   * ``certficate_revocation_list`` - The path to a PEM-encoded certificate revocation list (CRL) - a list of issued certificates that have been revoked before their expiration date.
   * ``require_client_auth`` - Set to ``True`` to require client side authorization. ``False`` by default.
   * ``priority_string`` - Specifies session's handshake algorithms and options to use. By default there are none.
     For information on priority strings, refer to this `guide <https://gnutls.org/manual/html_node/Priority-Strings.html>`_.

   scylla.yaml example:

   .. code-block:: yaml

      server_encryption_options:
          internode_encryption: <none|rack|dc|all>
          certificate: <path to a PEM-encoded certificate file>
          keyfile: <path to a PEM-encoded key for certificate>
          truststore: <path to a PEM-encoded trust store> (optional)
          certficate_revocation_list: <path to a PEM-encoded CRL file> (optional)


#. Restart Scylla node to apply the changes.

   .. include:: /rst_include/scylla-commands-restart-index.rst

.. include:: /operating-scylla/security/_common/ssl-hot-reload.rst


See Also
--------
* :doc:`Encryption Data in Transit Client to Node </operating-scylla/security/client-node-encryption/>`
* :doc:`Generating a self-signed Certificate Chain Using openssl </operating-scylla/security/generate-certificate/>`
* :doc:`Authorization</operating-scylla/security/authorization/>`
* :doc:`Invalid SSL Protocol Error </troubleshooting/error-messages/invalid-ssl-prot-error>`