Enhanced Security with Node-to-Node TLS
Security at the heart, at the edge, and everywhere in-between.
Keeping systems secure is a never-ending mission. Every day, there are new threats, new vulnerabilities, and new bad actors that risk exposing your precious data. That’s why with every release of Bacalhau, security is our number one focus.
As part of our mission to make Bacalhau one of the most secure platforms that you can use to process your data in a safe and secure way, we’re pleased to introduce the latest feature to further that mission: Encrypted node-to-node communication with TLS certificates.
Security at the Core, at the Edge, and Everywhere In-between
One of Bacalhau’s central promises is that data you process with a Bacalhau job can be processed securely. We’ve worked hard to ensure that a job can only read and write data that you want it to. We’ve built in token management and encryption for accessing nodes so you can control who can access your network. Now, with node-to-node encryption with TLS, your networks are secure at every point in the system, and everywhere in-between.
With this new capability, you can now run Bacalhau nodes on any networked system, safe in the knowledge that your data is protected both at rest and in transit with industry-standard encryption protocols.
What does it look like?
When properly configured to use TLS, all communication with Bacalhau nodes takes place exclusively over secure connections, from the CLI to the orchestrator and on to every other point in the network. With TLS enabled, all communication between every node in your network is fully encrypted.
How can you use it?
Setting up TLS communication between nodes can be broken down into 3 main steps:
Generating a Root Certificate Authority
Generating a NATS Server Certificate
Configuring Bacalhau nodes to use TLS
As a distributed system, Bacalhau supports TLS encryption to secure its communication channels. While this guide demonstrates the implementation using self-signed certificates, the same principles apply when using company-issued or publicly trusted certificates.
Generating a Root Certificate Authority
First, you’ll need to generate a self-signed root certificate authority (CA) certificate, which will be used to sign all subsequent certificates. You can use standard tools like openssl or mkcert for this process. We recommend setting a long expiration date for the root CA and securely backing up both the certificate and its private key.
Either tool should produce two essential components: the self-signed root CA certificate and its corresponding private key.
Generating a NATS Server Certificate
Next up, you’ll generate the certificate that enables TLS connections for the NATS server.
First, identify the DNS name or IP address used to connect to the orchestrator. This is typically found in the compute nodes' configuration under the "Orchestrators" field. For example:
If your config specifies nats://10.0.5.16:4222, use the IP address 10.0.5.16
If your config specifies nats://my-bacalhau-orchestrator-node:4222, use the DNS name my-bacalhau-orchestrator-node
Next, generate a server certificate signed by the Root CA (created in step 1). This certificate must include your chosen IP address or DNS name in its Subject Alternative Name field. Additionally, always include the IP address "127.0.0.1" in the Subject Alternative Names to support communications initiated from the orchestrator node itself.
This step will produce two critical files: the server certificate and its corresponding private key. Store both files securely in a protected location.
Configuring and Starting Bacalhau Nodes with TLS
Finally, you'll need to configure both orchestrator nodes and compute nodes with the generated certificates.
First, copy the following files to the orchestrator node:
The root certificate from step 1 (certificate file only, not the private key)
The server certificate from step 2
The server's private key from step 2
The orchestrator node should now have three files: the root certificate, server certificate, and server key file. Next, enable TLS support by adding the TLS configuration section to the orchestrator's configuration file.
Next, prepare each compute node by copying the root certificate file (excluding the private key) to the node. Then, update each compute node's configuration to trust this certificate authority for secure server connections.
After restarting the Bacalhau processes on all nodes, secure TLS communication will be established for all node-to-node interactions.
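The three steps above, worked through with Go's standard library as an added example (this is not Bacalhau's or NATS's own code): step 1 builds the self-signed root, step 2 issues the NATS server certificate with the orchestrator address and 127.0.0.1 in its Subject Alternative Names, and verifyForAddress reproduces the trust check a compute node makes once it holds only the root certificate. Function names, the subject names and the ten-year root lifetime are assumptions of this example; the addresses are the ones from the configuration examples above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs tmpl with parentKey; a nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parentKey == nil { parentKey = key } // root CA: the certificate signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is step 1: a self-signed root with a long lifetime. Keep the returned key backed up and offline.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Bacalhau Root CA"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// newServerCert is step 2: the NATS server certificate signed by the root. The SANs must name the
// address from the compute nodes' Orchestrators field and always include 127.0.0.1.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "bacalhau-nats"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dns, IPAddresses: ips,
	}
	return issue(tmpl, ca, caKey)
}

// verifyForAddress mirrors a compute node's TLS client: trust only the copied root CA and require
// the server certificate to cover the exact host or IP the node dials (DNSName also accepts IPs).
func verifyForAddress(ca, server *x509.Certificate, addr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

A server certificate that omits 127.0.0.1 passes for remote compute nodes but fails for the orchestrator's own connection to its local NATS server, which is why the post says to always add it.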
Conclusion
And that’s it! With node-to-node TLS encryption, Bacalhau just leveled up! Your data is now secure end-to-end, no matter where or how it’s processed. This is a huge leap for secure distributed computing, and we’re just getting started. Enable TLS on your network today and let’s build the future of secure data processing together!
We’ve worked hard to make using TLS with Bacalhau as simple as possible, and we’ve updated our documentation with the ins and outs to cover as many use cases as we can. Check it out for even more information.
Get Involved!
We welcome your involvement in Bacalhau. There are many ways to contribute, and we’d love to hear from you. Please reach out to us at any of the following locations.
Commercial Support
While Bacalhau is open-source software, the Bacalhau binaries go through the security, verification, and signing build process lovingly crafted by Expanso. You can read more about the difference between open-source Bacalhau and commercially supported Bacalhau in our FAQ. If you would like to use our pre-built binaries and receive commercial support, please contact us!