|The symmetric encryption feature has been deprecated. You can use the TLS/SSL protocol to establish an encrypted communication across your Hazelcast cluster.|
Hazelcast offers features which allow to reach a required privacy on communication level by enabling encryption. Encryption is based on Java Cryptography Architecture (JCA).
There are two different encryption features:
transport level encryption
supported by members and clients
TCP-only, i.e., multicast join messages are not encrypted
More details in the TLS/SSL section
Symmetric encryption for Hazelcast member protocol
only supported by the members; communication with clients is not encrypted
multicast join messages are encrypted, too
The preferred and recommended feature is the TLS protocol as it’s a standard way how to protect communication on transport level: Both TLS and symmetric encryption are for encrypting the network traffic. TLS is already superior to symmetric encryption on more than one aspects as seen above. Symmetric encryption is only supported in member-member communication while TLS can encrypt client communications as well. When there is no specific reason to use symmetric encryption, we recommend you to use the TLS protocol.
Symmetric encryption for Hazelcast member protocol can be configured with cipher algorithms implemented by security providers and accessed through Java Cryptography Architecture. Check documentation of your Java version to learn about supported algorithm names. The following are some examples:
MD5 message-digest algorithm as the cryptographic
hash function. You can also use the salting process by giving a salt
and password which are then concatenated and processed with
the resulting output is stored with the salt.
In symmetric encryption, each member uses the same key, so the key is shared. Here is an example configuration for symmetric encryption.
<hazelcast> ... <network> <symmetric-encryption enabled="true"> <algorithm>AES</algorithm> <salt>thesalt</salt> <password>thepass</password> <iteration-count>175</iteration-count> </symmetric-encryption> </network> ... </hazelcast>
hazelcast: network: symmetric-encryption: enabled: true algorithm: AES salt: thesalt password: thepass iteration-count: 175
You set the encryption algorithm, the salt, password and the iteration count to be used
for generating the secret key. You also need to set the
enabled attribute to
Note that all members should have the same encryption configuration.
Since symmetric encryption relies on JCA, you can additionally benefit from the
algorithms provided by the Bouncy Castle Crypto APIs. For this,
you need to set the
hazelcast.security.bouncy.enabled property to