Transport Security

Datafi encrypts all data in transit across every communication path. The platform uses TLS 1.3 for client-to-coordinator connections, mutual TLS (mTLS) for coordinator-to-edge communication, and database TLS/SSL for connections to your data sources.

Encryption Layers

| Segment | Protocol | Minimum Version | Authentication |
|---|---|---|---|
| Client to Coordinator | TLS | 1.3 | Server certificate |
| Coordinator to Edge | mTLS | 1.3 | Mutual certificates |
| Edge to Data Source | TLS/SSL | Varies by database | Server certificate + credentials |

TLS 1.3 (Client to Coordinator)

All client connections to the Datafi coordinator are encrypted with TLS 1.3. Older TLS versions (1.0, 1.1, 1.2) are not supported.

Cipher Suites

Datafi supports the following TLS 1.3 cipher suites:

| Cipher Suite | Key Exchange | Encryption | Hash |
|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | ECDHE | AES-256-GCM | SHA-384 |
| TLS_AES_128_GCM_SHA256 | ECDHE | AES-128-GCM | SHA-256 |
| TLS_CHACHA20_POLY1305_SHA256 | ECDHE | ChaCha20-Poly1305 | SHA-256 |

Info: TLS 1.3 removes support for older, less secure cipher suites and eliminates the RSA key exchange in favor of ephemeral Diffie-Hellman, providing forward secrecy for all connections.

Client Configuration

Your client applications connect to Datafi over HTTPS. No special TLS configuration is required beyond using a modern HTTP client that supports TLS 1.3.

# Verify TLS version with curl
curl -v https://api.datafi.io/health 2>&1 | grep "SSL connection"
# Expected: SSL connection using TLSv1.3

Mutual TLS (Coordinator to Edge)

Communication between the Datafi coordinator and edge servers uses mutual TLS (mTLS). Both parties present and verify certificates, ensuring that only authorized edge servers can connect to the coordinator and vice versa.

How mTLS Works

Certificate Provisioning

When you register a new edge server, Datafi automatically provisions a unique certificate pair:

  1. Edge certificate -- presented by the edge server to the coordinator.
  2. Coordinator certificate -- presented by the coordinator to the edge server.

Both certificates are issued by Datafi's internal certificate authority (CA) and are scoped to the specific tenant.

Database TLS/SSL

Edge servers connect to your data sources using TLS/SSL. The specific protocol version depends on the database engine.

| Database | Minimum TLS | Configuration |
|---|---|---|
| PostgreSQL | TLS 1.2 | sslmode=verify-full |
| MySQL | TLS 1.2 | --ssl-mode=VERIFY_IDENTITY |
| SQL Server | TLS 1.2 | Encrypt=yes;TrustServerCertificate=no |
| MongoDB | TLS 1.2 | tls=true&tlsCAFile=ca.pem |
| Snowflake | TLS 1.2 | Enforced by default |
| BigQuery | TLS 1.2 | Enforced by default |

Warning: Never set sslmode=disable or TrustServerCertificate=yes in production. sslmode=disable turns off TLS altogether, and TrustServerCertificate=yes accepts the server certificate without validating it; either setting exposes connections to man-in-the-middle attacks.

Certificate Management

Datafi stores and manages certificates using AWS S3 with server-side encryption.

Storage

certificate_storage:
  backend: s3
  bucket: datafi-certificates-prod
  encryption: AES-256 (SSE-S3)
  access: IAM role-based, no static credentials

Automatic Rotation

Certificates are automatically rotated on a configurable schedule. The rotation process is zero-downtime -- new certificates are provisioned and distributed before old ones expire.

| Certificate Type | Default Rotation | Grace Period |
|---|---|---|
| Edge mTLS certificates | 90 days | 14 days |
| Coordinator mTLS certificates | 90 days | 14 days |
| Internal CA certificate | 1 year | 30 days |

The rotation process:

  1. A new certificate is generated 14 days before the current certificate expires.
  2. The new certificate is distributed to the relevant services.
  3. Both old and new certificates are accepted during the grace period.
  4. The old certificate is revoked after the grace period ends.

Verification

You can verify the transport security configuration of your Datafi deployment using the following checks.

Verify Client-to-Coordinator TLS

# Check TLS version and cipher suite
openssl s_client -connect api.datafi.io:443 -tls1_3 < /dev/null 2>&1 | \
grep -E "Protocol|Cipher"

Verify Edge mTLS

# Check edge server certificate details
openssl x509 -in /etc/datafi/edge-cert.pem -text -noout | \
grep -E "Issuer|Subject|Not After"

Verify Database TLS

# PostgreSQL: Check SSL status
psql "host=db.example.com sslmode=verify-full" -c "SHOW ssl;"

Best Practices

  1. Never disable TLS verification. Always use verify-full or equivalent modes for database connections.
  2. Monitor certificate expiration. Set alerts for certificates approaching expiration to catch rotation failures.
  3. Restrict certificate access. Limit access to certificate storage (S3 bucket) to the minimum required IAM roles.
  4. Use private endpoints where possible. When deploying in cloud environments, use VPC endpoints or private links to keep traffic off the public internet.
  5. Audit TLS connections. Log and monitor connection metadata to detect downgrade attempts or unexpected cipher suites.
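
One way to act on practice 5, as an added example that is not Datafi's own code: a small auditor that checks connection records against the minimum versions and cipher suites listed in the tables on this page. The JSON-lines record format, the field names (`segment`, `tls_version`, `cipher`, `peer_cert_verified`) and the segment labels are assumptions made for illustration.

```python
import json

# Policy copied from the tables on this page; segment labels are hypothetical.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
VERSION_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
POLICY = {  # segment -> (minimum TLS version, mutual authentication required)
    "client-coordinator": ("TLSv1.3", False),
    "coordinator-edge": ("TLSv1.3", True),
    "edge-datasource": ("TLSv1.2", False),
}

def audit(record):
    """Return the policy findings for one connection record (empty if clean)."""
    min_version, needs_mtls = POLICY[record["segment"]]
    version, cipher = record.get("tls_version"), record.get("cipher")
    findings = []
    if version not in VERSION_RANK:
        findings.append(f"missing or unrecognised TLS version {version!r}")
    elif VERSION_RANK[version] < VERSION_RANK[min_version]:
        findings.append(f"{version} is below the {min_version} minimum")
    elif version == "TLSv1.3" and cipher not in TLS13_SUITES:
        findings.append(f"unexpected cipher suite {cipher}")
    if needs_mtls and record.get("peer_cert_verified") is not True:
        findings.append("peer certificate not verified on mTLS segment")
    return findings

def audit_log(lines):
    """Audit JSON-lines records; return [(line_number, findings)] for violations."""
    flagged = []
    for number, line in enumerate(lines, 1):
        try:
            findings = audit(json.loads(line))
        except (ValueError, KeyError, TypeError):
            findings = ["unparseable or unknown-segment record"]
        if findings:
            flagged.append((number, findings))
    return flagged

# Constructed sample records, not real Datafi logs.
SAMPLE_LOG = [
    '{"segment": "client-coordinator", "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"}',
    '{"segment": "client-coordinator", "tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"}',
    '{"segment": "coordinator-edge", "tls_version": "TLSv1.3", "cipher": "TLS_CHACHA20_POLY1305_SHA256", "peer_cert_verified": false}',
    '{"segment": "edge-datasource", "tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"}',
    '{"segment": "client-coordinator", "tls_version": "TLSv1.3", "cipher": "TLS_AES_128_CCM_SHA256"}',
]

for number, findings in audit_log(SAMPLE_LOG):
    print(f"line {number}: {'; '.join(findings)}")
```

Records that cannot be parsed or that name an unknown segment are flagged rather than skipped, so a gap in logging shows up as a finding instead of passing silently.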