Dragonfly Cloud Transport Layer Security

The Challenge with Secure Communications in the Modern Cloud World

In today’s digital world, data is the lifeblood of almost every business, service, and application. With the rapid shift to cloud computing, distributed applications, and remote work, data now frequently travels across public networks, where it’s exposed to potential threats. Sensitive information—whether it's personal data, financial records, or business transactions—can be intercepted, altered, or even stolen by malicious actors if it’s not properly protected.

When data moves across public or even private networks, the risk of man-in-the-middle attacks, eavesdropping, and other cyber threats becomes very real. For developers, DevOps engineers, and architects, this presents a fundamental challenge: how can we ensure that communication between clients and servers remains secure?

That’s where Transport Layer Security (TLS) comes into play.

What is TLS, and Why Do We Need It?

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. It’s the backbone of secure interactions on the internet and within cloud-based environments, ensuring that data transmitted between clients and servers remains confidential, untampered, and authentic. For businesses and developers, especially those using cloud services like Dragonfly Cloud, TLS is indispensable in protecting sensitive data from cyber threats during transit.

TLS operates by encrypting the data exchanged between two endpoints—typically a client (such as a software application) and a server (such as a cloud datastore). This encryption ensures that even if the data is intercepted, it remains unreadable without the proper decryption key.

TLS stands out due to its robust security features, which make it essential for safeguarding data in transit. Some of the key features include:

1. Encryption: TLS uses encryption algorithms to transform data into a secure format. Only the intended recipient, who holds the decryption key, can decode the encrypted data. This protects the information from being exposed to unauthorized parties.
2. Data Integrity: TLS ensures that the data sent between the client and server is not altered during transit. Integrity checks help detect if any unauthorized modifications occur, ensuring that the data you send is exactly the data that’s received.
3. Authentication: TLS uses certificates to authenticate the identities of the communicating parties. These certificates are issued by trusted Certificate Authorities (CAs), verifying that the server you're communicating with is genuine. This prevents attackers from impersonating servers and conducting man-in-the-middle attacks.
4. Forward Secrecy: In modern TLS configurations, forward secrecy ensures that even if long-term keys are compromised, past communications remain secure. Each session generates a unique key, meaning old sessions can’t be decrypted with a future breach.

These features make TLS a cornerstone for secure online communication, particularly in cloud environments where data moves across potentially vulnerable public networks.

To better understand what’s under the curtains, let’s discuss key components of the TLS protocol:

1. Certificate Authority (CA): A trusted entity responsible for issuing and verifying digital certificates. The CA ensures that the certificate used by a server is valid and trusted by clients.
2. Root Certificate A a digital certificate that forms the foundation of the trust chain for a public key infrastructure (PKI). These public root certificates are recognized and pre-installed in the trusted root certificate stores of operating systems, web browsers, and other software. This allows users to connect securely to websites and services that have certificates validated by the public CA's root certificate without requiring additional configuration.
3. Server Certificate: A digital certificate is issued by the CA to the server, which includes information like the server's public key, its identity (domain name), and the CA's signature. The certificate allows the client to verify the identity of the server.
4. Private Key: The server holds a private key, which corresponds to the public key in the certificate. This private key is used to decrypt messages and sign communications to prove ownership of the public key without exposing it.
5. Public Key: This key is embedded in the server’s digital certificate and is publicly available. The client uses the public key to encrypt sensitive information before sending it to the server, ensuring that only the server can decrypt it using its private key.

Dragonfly & Dragonfly Cloud Accomplish Consistency with TLS Management

In a large-scale, distributed cloud environment like Dragonfly Cloud, managing TLS certificates and rotating them without causing disruption can be challenging. Some of the common issues include:

1. Keeping Certificates Secure and Private: Only authorized personnel should have access to certificate files and private keys.
2. Certificate Rotation: If certificate rotation is not handled carefully, existing connections may break, leading to service interruptions. To prevent this, it’s crucial to implement graceful certificate rotation—where existing client connections continue to use the old certificate while new connections switch to the new certificate. This ensures continuous availability during the transition.
3. Revocation of Compromised Certificates: If a certificate or its private key is compromised, it needs to be revoked immediately, and a new one must be issued and distributed across the system. The revoked certificate also needs to be communicated to clients so that they stop trusting it. Managing this revocation process swiftly and effectively is vital to maintaining security. To solve these challenges, we at Dragonfly implement automated certificate management. This ensures that certificates are rotated seamlessly, with minimal to no human intervention, reducing the risk of downtime or misconfiguration.

Here’s how automation addresses the key aspects of certificate management:

1. Proactive Monitoring: Automated systems can track the expiration dates of certificates and trigger the rotation process well in advance, ensuring that certificates are renewed before they expire.
2. Graceful Rotation: By automating the process, systems can manage the graceful rotation of certificates, ensuring that active connections continue to use the old certificate while new ones adopt the updated certificate. This minimizes the risk of service disruption during the rotation process.
3. Revocation and Replacement: In the event of a security breach, Dragonfly Cloud handles the immediate revocation of compromised certificates by issuing new ones across the environment, reducing the time that subsystems are vulnerable.

Data Plane TLS Management

The data plane in Dragonfly is responsible for the actual Dragonfly servers and TLS connections. Ensuring secure connections at this layer is paramount for data integrity and confidentiality.

Dragonfly uses a comprehensive OpenSSL TLS implementation that leverages industry standards to encrypt data in transit. The server is designed to support robust cryptographic protocols. Dragonfly ensures that all data exchanged is secure from eavesdropping and tampering.

To maintain a high level of security, Dragonfly supports TLS certificate rotation without downtime as part of Dragonfly server implementation. To facilitate efficient certificate management on Linux-based systems, Dragonfly can use symbolic links (symlinks) that point to the current active certificates. This method allows for easy updates and management of certificate files without requiring extensive changes to configuration files. For more details, refer to the official Dragonfly TLS documentation.

Control Plane TLS Management

While the data plane handles client-server communications, the control plane manages configurations, orchestration, and policy enforcement.

The control plane party is responsible for managing the lifecycle of TLS certificates, ensuring that they are updated and rotated as required. The feature includes:

1. Certificate Provisioning: We utilize certain automation with the lego library with DNS challenge to provision Let's Encrypt certificates.
2. Centralized Management: The control plane maintains a secure centralized repository of TLS certificates, allowing for streamlined management and visibility into the status of all certificates used across the datastores.
3. Automated Updates: Control loops ensure that certificates are renewed and rotated on schedule, reducing the risk of expired certificates causing operational disruptions.

To better understand the mechanics of how Dragonfly Cloud controls and ensures certificates are up to date, check out our detailed blog post on Dragonfly Cloud Control Loops. This article outlines how the control plane consistently monitors and updates cloud resources.

Just Give It a Try

We talked a lot about TLS security and integrity on both the control plane and data plane side, but for the users of Dragonfly Cloud everything comes in one click. The certificate provided by Let's Encrypt is placed inside a datastore as part of the provisioning process, just choose the datastore configuration you need to provision, TLS will be there by default.

Once the TLS certificates are in place, establishing a secure connection between a client and Dragonfly is seamless. The redis client validates the server certificate before connecting to the database.

$> redis-cli -u rediss://default:xxxxxx@xxxxxx.dragonflydb.cloud:6385

dragonfly$> SET hello dragonfly-with-tls
OK

Connection is established between dragonfly server and redis-cli and we can conclude that it is secure. For more detailed information on the TLS certificate used we can issue another command to check detailed information on the datastore of our interest.

$> openssl s_client -connect xxxxxx.dragonflydb.cloud:6385

Conclusion

Dragonfly Cloud's approach to managing TLS is designed to provide robust security while maintaining operational consistency. By leveraging automated processes, centralized management, and graceful certificate rotation, Dragonfly ensures secure communications across both data and control planes. With a focus on industry best practices and ongoing improvements, Dragonfly is committed to providing its users with the highest level of security in their cloud database services.

As highlighted in our recent post, Dragonfly Cloud is Enterprise Ready, Dragonfly Cloud is also SOC 2 Type 2 compliant and includes features like Role-Based Access Control (RBAC) and Access Control Lists (ACL). Combined with TLS, these capabilities make Dragonfly Cloud ready to handle millions of commands per second with enterprise-grade security, meeting the needs of organizations seeking robust, scalable, and secure cloud in-memory data solutions.