How to encrypt Erlang rpc calls (and Mnesia replication) and other traffic?
Well, since it all runs over IP, one option would be to use IPSec between your nodes. Encrypted VPN connections could also do the trick. Neither of these requires any changes on the Erlang side of things, nor will the Erlang programs or runtime be aware that the encryption is happening, except in the (hopefully) rare case of attacks that cause communication to fail, in which case it will look as if the other node is down.
You can use an SSH tunnel to pass all Erlang communications through it, using the -rsh ssh parameter. You will want to set up certificate-based authentication for SSH (i.e. no passwords). Then you can simply use something along the lines of:
erl -rsh ssh ....
For additional details, please see:
- Pooling and Automated Code Distribution with Erlang
- Starting a set of Erlang cluster nodes with SSH
This is now possible out of the box with the use of the inet_tls_dist custom distribution module. There is a guide in the documentation on how to use the inet_tls_dist module as the distribution module to get encrypted communications between cluster nodes. I'm not sure when all these features were introduced, but I know they are present in Erlang 18.2 and newer.
Erlang Solutions also wrote a blog post on this.
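A TLS distribution options file with mutual certificate verification, as an added example that is not part of the answer above or of the OTP guide. It assumes an OTP release whose erl accepts -ssl_dist_optfile; the file paths, CA and node name are constructed placeholders.

```erlang
%% ssl_dist.conf (added example; every path below is a placeholder).
%%
%% Start each node in the cluster with the same two flags, for instance:
%%   erl -proto_dist inet_tls \
%%       -ssl_dist_optfile /etc/erlang-tls/ssl_dist.conf \
%%       -name node_a@host-a.example
%%
%% On any distribution link one node acts as TLS client and the other as
%% TLS server, so both roles are configured on every node.
[{server,
  [{certfile,   "/etc/erlang-tls/node.pem"},
   {keyfile,    "/etc/erlang-tls/node.key"},
   {cacertfile, "/etc/erlang-tls/cluster-ca.pem"},
   %% Require the connecting node to present a certificate issued by the
   %% cluster CA. Without these two options the link is encrypted but
   %% the peer is not authenticated at the TLS layer, leaving only the
   %% shared cookie between an arbitrary host and the cluster.
   {verify, verify_peer},
   {fail_if_no_peer_cert, true},
   {secure_renegotiate, true}]},
 {client,
  [{certfile,   "/etc/erlang-tls/node.pem"},
   {keyfile,    "/etc/erlang-tls/node.key"},
   {cacertfile, "/etc/erlang-tls/cluster-ca.pem"},
   %% Check the certificate of the node being connected to, so that an
   %% on-path host cannot terminate the TLS session in its place.
   {verify, verify_peer},
   {secure_renegotiate, true}]}].
```

Nodes started without -proto_dist inet_tls use the plain TCP distribution and cannot join a cluster started this way, so the flags have to be rolled out to all nodes together.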