Enabling TLS in GlusterFS encrypts storage traffic between clients and bricks so volume I/O and administrative operations are not exposed on untrusted networks.
For the native GlusterFS protocol, encryption is enabled per volume with the client.ssl and server.ssl options. The glusterd daemon and the glusterfs client read their certificate, private key, and CA bundle from fixed local paths (/etc/ssl/glusterfs.pem, /etc/ssl/glusterfs.key, and /etc/ssl/glusterfs.ca), and management connections between glusterd processes and clients are switched to TLS when the marker file /var/lib/glusterd/secure-access is present.
All peers and clients must present certificates signed by a CA in that shared bundle; the certificate Common Name is the identity GlusterFS uses, so choose CNs that match the hostnames you connect to, since auth.ssl-allow (if set) matches against the CN. Enabling TLS can immediately break mounts and peer operations on any node that is missing the files or has wrong permissions, and it does not protect traffic for NFS or Samba exports backed by the same volume, which need their own transport security.
Related: How to restrict GlusterFS client access
Related: How to improve GlusterFS security
Steps to enable TLS for GlusterFS:
- Identify the volume to enable TLS on.
$ sudo gluster volume list
volume1
Replace volume1 in the following commands with the actual volume name.
- Confirm the TLS certificate, private key, and CA bundle exist on each node at the paths glusterd and the client read them from.
$ sudo ls -l /etc/ssl/glusterfs.ca /etc/ssl/glusterfs.key /etc/ssl/glusterfs.pem
-rw-r--r-- 1 root root 1854 Jan 10 12:03 /etc/ssl/glusterfs.ca
-rw------- 1 root root 1704 Jan 10 12:03 /etc/ssl/glusterfs.key
-rw-r--r-- 1 root root 2150 Jan 10 12:03 /etc/ssl/glusterfs.pem
The private key must stay owner-only (0600) so the node's TLS identity cannot be copied by other local users. The same three files must also exist on every client that mounts the volume; a node that lacks them, or whose certificate was not signed by a CA in the bundle, will fail to connect once TLS is enforced.
- Enable TLS for client I/O on the volume.
$ sudo gluster volume set volume1 client.ssl on
volume set: success
Clients without the correct CA trust and certificate material can fail to mount or reconnect once TLS is enforced.
- Enable TLS for server I/O on the volume.
$ sudo gluster volume set volume1 server.ssl on
volume set: success
Peer and brick connections can fail if any node lacks the matching CA and certificate setup. Restart the volume (gluster volume stop, then gluster volume start) after both options are set so that running brick processes pick up the TLS transport, and remount existing clients.
- Enable TLS for management traffic on each node.
$ sudo install --mode=0644 /dev/null /var/lib/glusterd/secure-access
Presence of /var/lib/glusterd/secure-access makes glusterd and the mount client use TLS for management connections. The file must exist on every server and on every client that mounts the volume, and glusterd only reads it at startup, so restart glusterd on each server after creating it.
- Verify the management TLS marker file exists on each node.
$ sudo ls -l /var/lib/glusterd/secure-access
-rw-r--r-- 1 root root 0 Jan 10 12:08 /var/lib/glusterd/secure-access
- Verify the client TLS option is enabled.
$ sudo gluster volume get volume1 client.ssl
Option                                  Value
------                                  -----
client.ssl                              on
- Verify the server TLS option is enabled.
$ sudo gluster volume get volume1 server.ssl
Option                                  Value
------                                  -----
server.ssl                              on
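The steps above can be wrapped in a script that refuses to flip the volume to TLS until the certificate material on the node is sane, then verifies the result instead of eyeballing it. This is an added example, not code from the original page or from the Gluster project. It assumes the default certificate paths, a volume named volume1, GNU coreutils (stat -c), systemd for restarting glusterd, and that openssl is installed for the chain check (that check is skipped when it is not).

```bash
#!/bin/bash
# Added example (not the page's or the Gluster project's own code):
# preflight checks, the TLS switch-on, and machine-checkable verification.
# Assumptions: default cert paths, volume "volume1", GNU stat, systemd.
set -euo pipefail

CERT=${GLUSTER_CERT:-/etc/ssl/glusterfs.pem}
KEY=${GLUSTER_KEY:-/etc/ssl/glusterfs.key}
CA=${GLUSTER_CA:-/etc/ssl/glusterfs.ca}
MARKER=${GLUSTER_MARKER:-/var/lib/glusterd/secure-access}

# Return 0 when all three TLS files exist and the private key is owner-only
# (0600 or 0400). A key readable by group or others is rejected because anyone
# who can read it can impersonate this node to the rest of the pool.
preflight_tls_files() {
    local cert=$1 key=$2 ca=$3 f mode
    for f in "$cert" "$key" "$ca"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mode=$(stat -c '%a' "$key")
    case $mode in
        600|400) ;;
        *) echo "private key $key has mode $mode; expected 0600" >&2; return 1 ;;
    esac
}

# Return 0 when the certificate chains to the CA bundle (which must include the
# root) and the private key matches the certificate's public key.
# Skipped (returns 0) when openssl is not installed.
cert_matches_ca_and_key() {
    local cert=$1 key=$2 ca=$3
    command -v openssl >/dev/null 2>&1 || return 0
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
      "$(openssl pkey -pubout -in "$key")" ]
}

# Given the text printed by "gluster volume get VOL OPTION", return 0 only if
# the named option is listed and reads "on"; anything else is a failure.
option_is_on() {
    local output=$1 option=$2
    printf '%s\n' "$output" | awk -v opt="$option" \
        '$1 == opt { found = 1; if ($2 == "on") ok = 1 }
         END { exit !(found && ok) }'
}

# The management TLS marker must exist on every server and client.
management_tls_enabled() {
    [ -f "$1" ]
}

# Preflight, then enable I/O TLS and restart the volume so bricks reopen with
# the new transport. --mode=script suppresses the interactive stop prompt.
enable_volume_tls() {
    local vol=$1
    preflight_tls_files "$CERT" "$KEY" "$CA"
    cert_matches_ca_and_key "$CERT" "$KEY" "$CA"
    gluster --mode=script volume stop "$vol"
    gluster volume set "$vol" server.ssl on
    gluster volume set "$vol" client.ssl on
    gluster volume start "$vol"
    option_is_on "$(gluster volume get "$vol" client.ssl)" client.ssl
    option_is_on "$(gluster volume get "$vol" server.ssl)" server.ssl
}

# Create the marker and restart glusterd, which reads it only at startup.
enable_management_tls() {
    install --mode=0644 /dev/null "$MARKER"
    management_tls_enabled "$MARKER"
    systemctl restart glusterd
}

# Usage: sudo ./gluster-tls.sh run [volume]
if [ "${1:-}" = run ]; then
    enable_volume_tls "${2:-volume1}"
    enable_management_tls
fi
```

Run it on every server node; on clients only the file preflight and the marker are relevant, since the volume options live in the glusterd configuration. The key-mode check deliberately rejects 0640 as well as 0644: GlusterFS runs as root, so there is no legitimate group that needs to read the key.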
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
