Configuration
SSL encryption

SSL encryption

Memgraph uses SSL (Secure Sockets Layer) protocol for establishing an authenticated and encrypted connection to a database instance.

Achieving a secure connection is a three-step process that requires

  1. Owning a SSL certificate
  2. Configuring the server
  3. Enabling SSL connection

For any errors that might come up, check out the Help center page on errors.

SSL certificate

SSL certificate is a pair of .pem documents issued by self-signing, or by a Certification Authority. Memgraph contains a self-signed testing certificate (cert.pem and key.pem) located at /etc/memgraph/ssl/.

If you are using Docker and want to use your own certificates, you need to copy them into a Docker container in order to utilize them.

Configure the server

To use a certain SSL certificate, change the configuration file to include the --bolt-cert-file and --bolt-key-file flags and set them to the location of the certification files.

If you are using the Memgraph self-signed certificate, set the configuration flags to:

--bolt-cert-file=/etc/memgraph/ssl/cert.pem
--bolt-key-file=/etc/memgraph/ssl/key.pem

When using Linux, be sure that the user memgraph has permissions (400) to access the files.

Once the flags are included in the configuration, you cannot establish an insecure connection.

Enable SSL connection

To enable SSL connection in Memgraph Lab, switch to Connect Manually view and turn the SSL on.

When Memgraph Lab is connected to Memgraph database using SSL encryption, logs cannot be viewed inside the Lab.

How to set up SSL encryption

Memgraph uses SSL (Secure Sockets Layer) protocol for establishing an authenticated and encrypted connection to a database instance.

Docker

  1. Start a Memgraph instance with docker run command including the -v mg_lib:/var/lib/memgraph and -v mg_etc:/etc/memgraph volumes.

  2. Copy the SSL certificate inside of the Docker container or use Memgraph self-signed certificates (cert.pem and key.pem) located at /etc/memgraph/ssl/.

  3. Change the configuration file to include the following configuration flags:

    --bolt-cert-file=<path>
--bolt-key-file=<path>

  4. Set the flags to the paths of your SSL certificate.

    If you are using the Memgraph self-signed certificate, set the configuration flags to:

    --bolt-cert-file=/etc/memgraph/ssl/cert.pem
--bolt-key-file=/etc/memgraph/ssl/key.pem

  5. Stop the Docker container, then start it again, including the volumes you used in step 1.

    If you are running memgraph-platform image, pass the configuration flag MGCONSOLE="--use-ssl=true":

    docker run -p 7687:7687 -p 3000:3000 -p 7444:7444 -v mg_lib:/var/lib/memgraph -v mg_etc:/etc/memgraph -e MGCONSOLE="--use-ssl=true" memgraph/memgraph-platform

  6. Open Memgraph Lab and switch to Connect Manually view, turn the SSL On and connect.

  7. If you are using pymgclient (opens in a new tab) to query the database with Python, add sslmode=mgclient.MG_SSLMODE_REQUIRE to the mgclient.connect

For other ways of connecting to Memgraph DB using SSL encryption, check the reference guide.

Linux

  1. Run Memgraph.

  2. Open the configuration file available at /etc/memgraph/memgraph.conf.

  3. Change the configuration file to include the following configuration flags:

    --bolt-cert-file=<path>
--bolt-key-file=<path>

  4. Set the flags to the paths of your SSL certificate, or use Memgraph self-signed certificates (cert.pem and key.pem) located at /etc/memgraph/ssl/:

    --bolt-cert-file=/etc/memgraph/ssl/cert.pem
--bolt-key-file=/etc/memgraph/ssl/key.pem

  5. Restart Memgraph.

  6. Open Memgraph Lab and switch to Connect Manually view, turn the SSL On and connect.

  7. If you are using pymgclient (opens in a new tab) to query the database with Python, add sslmode=mgclient.MG_SSLMODE_REQUIRE to the mgclient.connect

For other ways of connecting to Memgraph DB using SSL encryption, check the reference guide.