Is replication traffic encrypted if clusterAuthMode defaults to "keyfile" but ssl.mode is set to "requireSSL"?

I’ve reviewed the doc but it’s not clear if intra-cluster (replication) traffic is encrypted if clusterAuthMode defaults to “keyfile”, i.e. clusterAuthMode is not specified in the config file but security.keyFile is set.

So the question is basic: Is replication traffic encrypted if clusterAuthMode = keyFile, or must it be set to x509 to encrypt the traffic? ssl.mode is set to “requireSSL”.


Hi @Jim_Fletcher,

Possibly, but not automatically: authentication and network encryption are independent security measures that must be configured separately. I recommend enabling both of these security measures per the MongoDB Security Checklist.

x.509 certificate authentication can optionally be used for client and internal authentication, but you still need to Configure mongod and mongos for TLS/SSL to enable network encryption. If you plan to use x.509 certificates for auth, network encryption is required and should be enabled first.

Network encryption can also be used with the default SCRAM authentication or any of the MongoDB Enterprise authentication methods (Kerberos or LDAP), or configured before you set up authentication.

ssl.mode is set to “requireSSL”.

This (or the modern net.tls.mode: requireTLS equivalent) is the key setting for network encryption. The TLS/SSL options were renamed to TLS in MongoDB 4.2+ for clarity but they’ve always supported TLS. TLS is the successor to SSL, but the SSL name is more widely known despite the deprecation of SSL protocols years ago due to security flaws.
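
As an added example (not from the original posts and not MongoDB tooling): a small Python check that reads a mongod.conf and reports the membership authentication mode and the TLS mode separately, since the answer treats them as independent settings. The sample config, its file paths, and the function names are constructed for illustration; the check also covers the allow/prefer modes, which go beyond the requireSSL case in the thread.

```python
SAMPLE_CONF = """\
# constructed sample: keyfile set, clusterAuthMode left at its default
net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod.pem
security:
  keyFile: /etc/mongodb/keyfile
"""

def flatten(conf_text):
    """Flatten the indented 'key: value' YAML subset used by mongod.conf into dotted keys."""
    stack, flat = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:     # leave deeper/sibling sections
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))     # section header such as 'net:'
    return flat

def audit(conf_text):
    c = flatten(conf_text)
    # net.tls.mode (4.2+) and net.ssl.mode are the same setting under two names
    mode = (c.get("net.tls.mode") or c.get("net.ssl.mode") or "disabled").lower()
    kind = mode.replace("tls", "").replace("ssl", "")   # disabled/allow/prefer/require
    # clusterAuthMode defaults to keyFile; with no keyFile there is no membership auth
    auth = c.get("security.clusterAuthMode",
                 "keyFile" if "security.keyFile" in c else "none")
    return {
        "internal_auth": auth,
        # allow*: members still connect to each other without TLS
        "members_connect_with_tls": kind in ("prefer", "require"),
        "plaintext_inbound_accepted": kind != "require",
        # x.509 membership auth depends on TLS being enabled first
        "x509_needs_tls_first": auth in ("sendX509", "x509") and kind == "disabled",
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE_CONF).items():
        print(f"{name}: {value}")
```

For the configuration described in the question, the result shows keyFile membership authentication together with TLS-only connections: the keyfile setting contributes nothing to encryption, and the TLS mode contributes nothing to authentication.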