How to Enable Encryption in Transit in ClickHouse

Galaxy Glossary

How do I enable TLS encryption in ClickHouse?

Encrypt traffic between ClickHouse clients and servers using TLS to protect data in motion.

Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

Why should I encrypt ClickHouse traffic?

Unencrypted TCP connections expose query text and result sets to interception. TLS protects customer emails, order totals, and product prices as they move between applications and ClickHouse nodes.

How do I configure TLS on the ClickHouse server?

Add a secure port and certificate paths in config.xml. Restart the server for changes to apply.

Server-side XML snippet

<tcp_port_secure>9440</tcp_port_secure>
<openSSL>
<server>
<certificateFile>/etc/clickhouse/server.crt</certificateFile>
<privateKeyFile>/etc/clickhouse/server.key</privateKeyFile>
<dhParamsFile>/etc/clickhouse/dhparam.pem</dhParamsFile>
</server>
</openSSL>

How do I generate certificates?

Use OpenSSL or your PKI.For internal clusters, a self-signed root CA is fine. For public endpoints, buy a CA-signed certificate or use Let’s Encrypt.

How do I connect securely from `clickhouse-client`?

Pass --secure or --protocol=https. Verify the hostname matches the cert’s CN/SAN.

clickhouse-client --host db.prod --port 9440 --secure \
--user alice --password ***

How do I connect securely from applications?

Add ssl=true (JDBC) or use https:// (HTTP interface).Always require validation in production.

# JDBC
jdbc:clickhouse://db.prod:9440?ssl=true&sslmode=required&user=app&password=pwd
# HTTP
curl -s -G "https://db.prod:8443/" --data-urlencode "query=SELECT 1"

What is the exact syntax?

See next section for a consolidated cheat-sheet.

Practical example: list high-value orders securely

Connect with TLS, then run:

SELECT o.id, o.total_amount, c.email
FROM Orders AS o
JOIN Customers AS c ON o.customer_id = c.id
WHERE o.total_amount > 1000
ORDER BY o.total_amount DESC;

Best practices for encryption in transit

Rotate certificates regularly, disable weak ciphers, and monitor the secure port separately.Enforce TLS on every client by default.

Common mistakes and fixes

Missing secure port: Enabling TLS without <tcp_port_secure> keeps clients on plain TCP. Always expose 9440 (or your chosen port).

Ignoring certificate validation: Using sslmode=none negates security. Require full validation in production.

FAQ

Does TLS slow down ClickHouse?

CPU overhead is minimal; disk or network speed is usually the bottleneck. Benchmarks show <3% impact for typical analytics workloads.

Can I use mutual TLS?

Yes.Add <verificationMode>strict</verificationMode> and supply client certificates during connection.

How do I test my setup?

Run openssl s_client -connect db.prod:9440 to inspect the certificate chain and cipher suite.

Why How to Enable Encryption in Transit in ClickHouse is important