Security¶
Best practices for secure credential management.
Credential Storage Options¶
1. Environment Variables (Recommended for CI/CD)¶
Pros: Not stored on disk, standard CI/CD pattern Cons: Visible in process listings, shell history
2. OS Keyring (Recommended for Workstations)¶
# Requires secure-storage feature
cargo install redisctl --features secure-storage
# Store in keyring
redisctl profile set prod \
--cloud-api-key "$KEY" \
--cloud-secret-key "$SECRET" \
--use-keyring
Credentials are stored in: - macOS: Keychain - Windows: Credential Manager - Linux: Secret Service (GNOME Keyring, KWallet)
Pros: Encrypted, OS-managed, survives reboots Cons: Requires additional feature flag
3. Environment Variable References¶
redisctl profile set prod \
--cloud-api-key '${REDIS_CLOUD_API_KEY}' \
--cloud-secret-key '${REDIS_CLOUD_SECRET_KEY}'
Config file stores the reference, not the value:
Pros: Credentials not in config file, flexible Cons: Requires environment setup
4. Plaintext (Not Recommended)¶
Pros: Simple Cons: Credentials visible in config file
Avoid Plaintext for Production
Never store production credentials in plaintext. Use keyring or environment variables.
Best Practices¶
Development¶
# Use environment variables or plaintext profiles
redisctl profile set dev --cloud-api-key "dev-key"
CI/CD¶
# GitHub Actions
env:
REDIS_CLOUD_API_KEY: ${{ secrets.REDIS_CLOUD_API_KEY }}
REDIS_CLOUD_SECRET_KEY: ${{ secrets.REDIS_CLOUD_SECRET_KEY }}
steps:
- run: redisctl cloud subscription list
Production Workstations¶
# Use OS keyring
redisctl profile set prod \
--cloud-api-key "$KEY" \
--cloud-secret-key "$SECRET" \
--use-keyring
Files.com API Key¶
For support package uploads:
# Environment variable
export REDIS_ENTERPRISE_FILES_API_KEY="your-key"
# Or secure storage
redisctl files-key set "$KEY" --use-keyring
Audit¶
Check What's Stored¶
# List profiles (credentials redacted)
redisctl profile list
# Show profile details
redisctl profile show prod
Config File Location¶
TLS Certificate Configuration¶
Kubernetes Deployments¶
Redis Enterprise clusters deployed on Kubernetes typically use self-signed certificates. Instead of disabling TLS verification with REDIS_ENTERPRISE_INSECURE=true, you can provide the cluster's CA certificate for secure connections:
# Extract CA cert from Kubernetes secret
kubectl get secret rec-proxy-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
# Use the CA cert for verification
export REDIS_ENTERPRISE_CA_CERT="./ca.crt"
export REDIS_ENTERPRISE_URL="https://rec-api.redis.svc:9443"
export REDIS_ENTERPRISE_USER="admin@cluster.local"
export REDIS_ENTERPRISE_PASSWORD="password"
redisctl enterprise cluster get
When to Use Each Option¶
| Option | Use Case |
|---|---|
REDIS_ENTERPRISE_CA_CERT |
Kubernetes, self-signed certs where you have the CA |
REDIS_ENTERPRISE_INSECURE=true |
Local development, testing only |
| Neither | Production clusters with trusted certificates |
Avoid Insecure Mode in Production
Using REDIS_ENTERPRISE_INSECURE=true disables all certificate verification and should only be used for local development. For Kubernetes deployments, always use REDIS_ENTERPRISE_CA_CERT with the cluster's CA certificate.
Revoking Credentials¶
Redis Cloud¶
- Go to Redis Cloud Console
- Navigate to Access Management > API Keys
- Delete the compromised key
- Generate a new key
- Update your profiles
Redis Enterprise¶
- Change the password in the cluster admin console
- Update all profiles using that password