Enabling TLS in GlusterFS encrypts the traffic between clients and bricks (the I/O path) and, optionally, the management traffic between glusterd daemons and clients, so that volume I/O and administrative operations are not exposed on untrusted networks.
For the native GlusterFS protocol, encryption of the I/O path is enabled per volume with the client.ssl and server.ssl volume options. glusterd, the brick processes and the glusterfs client read their certificate, private key and CA bundle from /etc/ssl/glusterfs.pem, /etc/ssl/glusterfs.key and /etc/ssl/glusterfs.ca; management connections use TLS when the file /var/lib/glusterd/secure-access is present on the node.
All peers and clients must trust the same CA, and every node's certificate must chain to it. GlusterFS does not match certificates against hostnames; which certificates may connect is controlled separately with the auth.ssl-allow volume option, which matches the certificate CN. Enabling TLS immediately breaks mounts and peer operations on any node that lacks the correct files or has wrong permissions on them, and it only covers the native protocol: NFS or Samba exports of the same volume still speak plain NFS or SMB to their own clients unless those services are secured on their own.
Related: How to restrict GlusterFS client access
Related: How to improve GlusterFS security
$ sudo gluster volume list
volume1
Replace volume1 in the following commands with the actual volume name.
$ sudo ls -l /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.key /etc/ssl/glusterfs.ca
-rw-r--r-- 1 root root 2150 Jan 10 12:03 /etc/ssl/glusterfs.pem
-rw------- 1 root root 1704 Jan 10 12:03 /etc/ssl/glusterfs.key
-rw-r--r-- 1 root root 1854 Jan 10 12:03 /etc/ssl/glusterfs.ca
These are the default paths that glusterd, the brick processes and the glusterfs client read: glusterfs.pem is the node's certificate, glusterfs.key its private key, and glusterfs.ca the CA bundle used to verify the peer's certificate. The same three files must be in place on every server and every client before TLS is enabled. The private key must stay restrictive (0600, owned by root) so that a local user cannot copy the node's TLS identity.
$ sudo gluster volume set volume1 client.ssl on
volume set: success
client.ssl makes the glusterfs client side of the I/O path use TLS to the bricks. A client that does not have the CA bundle and its own certificate and key will fail to mount, and an already-mounted client will fail to reconnect, once the option is in effect.
$ sudo gluster volume set volume1 server.ssl on
volume set: success
server.ssl makes the brick processes require TLS from connecting clients. Set both options, then stop and start the volume so that the bricks and clients reconnect with TLS; bricks on any node that lacks the matching CA bundle, certificate and key will not be reachable afterwards.
$ sudo install --mode=0644 /dev/null /var/lib/glusterd/secure-access
Creating the empty file /var/lib/glusterd/secure-access makes glusterd and the glusterfs client use TLS for management connections as well (glusterd-to-glusterd traffic and the client's volfile fetch from glusterd). The file must exist on every server and every client, and glusterd must be restarted on each server for the change to take effect; a node without the file can no longer talk to peers that have it.
$ sudo ls -l /var/lib/glusterd/secure-access
-rw-r--r-- 1 root root 0 Jan 10 12:08 /var/lib/glusterd/secure-access
$ sudo gluster volume get volume1 client.ssl
Option      Value
------      -----
client.ssl  on
$ sudo gluster volume get volume1 server.ssl
Option      Value
------      -----
server.ssl  on
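Because a node with missing, mismatched or world-readable key material breaks mounts the moment client.ssl and server.ssl take effect, it pays to check the certificate files before running the volume set commands above. The script below is an added example, not code from the GlusterFS project or from the original page: it verifies that the three files exist, that the private key is 0600, that the certificate's public key matches the private key, and that the certificate chains to the CA bundle, and only then enables TLS on the volume. It assumes the default /etc/ssl/glusterfs.* paths and the openssl command-line tool; the GLUSTER_TLS_* variables and the function names are the example's own, and the gluster commands it runs are the same ones shown on this page.

```shell
#!/bin/sh
# Preflight checks for GlusterFS TLS material on one node (added example,
# not from the GlusterFS project). Defaults are the paths glusterd, the
# brick processes and the glusterfs client read; override via environment.
CERT=${GLUSTER_TLS_CERT:-/etc/ssl/glusterfs.pem}
KEY=${GLUSTER_TLS_KEY:-/etc/ssl/glusterfs.key}
CA=${GLUSTER_TLS_CA:-/etc/ssl/glusterfs.ca}

# 0 when the file exists and its permission bits are exactly rw------- (0600).
# Uses ls(1) rather than stat(1) because stat's flags differ between GNU and BSD.
key_mode_is_0600() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the pair actually belongs together.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate verifies against the CA bundle the peers trust.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs every check, prints each failure, and returns non-zero if any failed.
# Arguments: certificate, private key, CA bundle.
preflight() {
    cert=$1; key=$2; ca=$3; rc=0
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    key_mode_is_0600 "$key" || { echo "private key mode is not 0600: $key"; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "certificate does not match private key"; rc=1; }
    cert_chains_to_ca "$cert" "$ca" || { echo "certificate does not chain to CA bundle: $ca"; rc=1; }
    return "$rc"
}

# Enables TLS on the volume's I/O path only after the local material passed.
# The two gluster commands are the ones used on this page.
enable_volume_tls() {
    preflight "$CERT" "$KEY" "$CA" || return 1
    gluster volume set "$1" client.ssl on && gluster volume set "$1" server.ssl on
}

# Act only when a volume name is given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    enable_volume_tls "$1"
fi
```

Run it on every server and client as ./gluster-tls-preflight.sh volume1 (or source it and call preflight on its own); any failure line names the node-local problem to fix before the options are set. The same preflight is worth running before creating /var/lib/glusterd/secure-access, since management TLS uses the same three files.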