Internode TLS

Internode TLS secures communication between nodes within a cluster. It is important to secure communications between nodes if you do not trust the network between the nodes.

Before setting up internode TLS, check the current status of your configuration with SECURITY_CONFIG_CHECK.


Communication between the server nodes uses two channels. To enable internode encryption, you must set the EncryptSpreadComm parameter, then the DataSSLParams parameter. Both are disabled by default.

  1. Control Channel Spread TLS: Implemented using AES on top of spread
  2. Data Channel TLS: Implemented using TCP

If you enable internode encryption, some of your queries may run slower than expected. The performance you experience depends on the data sent and the network's quality.

Admintools generates or retrieves the spread key to encrypt all traffic on the control channel and ships the spread key to all nodes. Vertica uses TLS to encrypt all traffic on the data channel. TLS credentials are shared between nodes over the encrypted control channel.

The following graphic illustrates the internode encryption process.