Securing Nacos with Zero‑Trust: TLS, Encryption, and Access Control
This article explains how to protect Nacos configuration data by applying zero‑trust principles, covering transport encryption with TLS, storage encryption using plugins, and fine‑grained access control through authentication and RBAC, while providing practical configuration steps.
Background and Security Risks
Nacos is a widely used service registry and configuration center in cloud‑native environments, and the configuration it holds often contains sensitive values such as database credentials, API keys and passwords. Exposing Nacos to the public network or running it without authentication therefore creates serious risk. Four threat scenarios are worth keeping in mind: a compromised client machine, traffic intercepted between client and server, a breach of the Nacos server itself, and a dump of the backing database. The measures below address each of them in turn.
Zero‑Trust Principles
Zero‑trust adopts the mantra “never trust, always verify,” emphasizing continuous verification, least‑privilege access, and micro‑segmentation to reduce attack surfaces. Applying these principles to Nacos helps mitigate the risks identified above.
Transport Security (TLS)
Nacos 2.x clients talk to the server over gRPC (Netty), and TLS can be enabled on that channel to protect data in transit. This covers the client gRPC port (the HTTP port plus 1000, i.e. 9848 for the default 8848), not the HTTP/console port itself. TLS provides confidentiality and integrity, and with mutual authentication the server also verifies a client certificate. The server‑side properties in conf/application.properties are:
nacos.remote.server.rpc.tls.enable=true – enable TLS on the gRPC server.
nacos.remote.server.rpc.tls.certChainFile={certFilePath} – path to the server certificate chain (PEM).
nacos.remote.server.rpc.tls.certPrivateKey={keyPath} – path to the server private key (PEM).
nacos.remote.server.rpc.tls.mutualAuth=true|false – require and verify a client certificate.
nacos.remote.server.rpc.tls.trustCollectionChainPath={trustFilePath} – CA bundle used to verify client certificates (required when mutualAuth=true).
nacos.remote.server.rpc.tls.compatibility=true|false – when true, clients that do not use TLS are still accepted. Keep it true only while migrating clients; left true in production it makes TLS optional, so an attacker can simply connect in plaintext.
On the client side the matching keys are nacos.remote.client.rpc.tls.enable=true, nacos.remote.client.rpc.tls.trustCollectionChainPath (the CA that issued the server certificate) and, for mutual authentication, nacos.remote.client.rpc.tls.certChainFile and nacos.remote.client.rpc.tls.certPrivateKey; the Java client reads them as JVM system properties (-D flags). There is also nacos.remote.client.rpc.tls.trustAll, which disables server certificate verification and should never be true outside a lab.
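As an added example (not a fragment from the original article), here is a server‑side conf/application.properties block that puts the settings above together, with the weak value shown commented out beside the hardened one. The file paths are placeholders; nacos.remote.server.rpc.tls.protocols is not in the article's list but belongs to the same Nacos 2.x TLS configuration, so check that your version accepts it.

```properties
# --- Transport security for the client gRPC channel (9848 when the HTTP port is 8848) ---
nacos.remote.server.rpc.tls.enable=true
# PEM-encoded server certificate chain and private key (placeholder paths)
nacos.remote.server.rpc.tls.certChainFile=/etc/nacos/tls/server-chain.pem
nacos.remote.server.rpc.tls.certPrivateKey=/etc/nacos/tls/server-key.pem

# Require a client certificate and verify it against this CA bundle
nacos.remote.server.rpc.tls.mutualAuth=true
nacos.remote.server.rpc.tls.trustCollectionChainPath=/etc/nacos/tls/client-ca.pem

# WEAK: with compatibility=true a plaintext client is still accepted, so TLS is optional
# for an attacker who controls the network path. Only acceptable during a client migration.
# nacos.remote.server.rpc.tls.compatibility=true
nacos.remote.server.rpc.tls.compatibility=false

# Not in the article's list: limit negotiable protocol versions (same config class in Nacos 2.x)
nacos.remote.server.rpc.tls.protocols=TLSv1.2,TLSv1.3
```

A quick check after restarting: a client started without nacos.remote.client.rpc.tls.enable=true must fail to connect to port 9848, and one started with it but with the wrong client certificate must be rejected at the handshake. If either still succeeds, compatibility or mutualAuth is not what you think it is.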
Storage Security (Encryption)
To protect stored configuration, Nacos supports encryption plugins. On the client, an IConfigFilter (the encryption filter) runs before a config is published: for a dataId whose name starts with cipher- (the segment after the prefix, e.g. aes in cipher-aes-db.properties, selects the plugin algorithm), it generates a per‑config data key, encrypts the plaintext with that key, and wraps the data key. The server stores only the ciphertext and the wrapped data key, and the same filter unwraps and decrypts on the client when the config is read. A server breach or a database dump therefore yields ciphertext only, provided the key‑wrapping key lives outside Nacos (in a KMS, or on the clients). The flip side is that a compromised client that can reach the plugin's keys still sees plaintext, which is why the access‑control layer below is still required.
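The plugin contract behind that description, as an added example written for this page rather than code from the article or from the Nacos project: an envelope‑encryption implementation of the EncryptionPluginService SPI (the six‑method interface shipped in the nacos-encryption-plugin module of Nacos 2.2; verify the package and method names against your version). Each config gets its own random 256‑bit AES‑GCM data key; the data key is wrapped with a master key that here is read from an environment variable as a stand‑in for the KMS the article mentions. The package name, class name, algorithm name "envaes" and the NACOS_MASTER_KEY_B64 variable are all assumptions of this example.

```java
// Added example, not Nacos's own code. Package, class and env var names are arbitrary.
package com.example.nacos.crypto;

import com.alibaba.nacos.plugin.encryption.spi.EncryptionPluginService;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Envelope encryption: a fresh data key per config item, wrapped with a master key (KEK)
 * that never lands in the Nacos database. Nacos stores ciphertext + wrapped data key only.
 * A dataId of the form "cipher-envaes-<name>" is routed to this plugin because
 * algorithmName() returns "envaes".
 */
public final class EnvelopeAesEncryptionPluginService implements EncryptionPluginService {

    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Master key from the environment (32 random bytes, Base64). In production call a KMS instead. */
    private static SecretKey masterKey() {
        String b64 = System.getenv("NACOS_MASTER_KEY_B64");   // assumed variable name
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException("NACOS_MASTER_KEY_B64 is not set");
        }
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    @Override
    public String algorithmName() {
        return "envaes";
    }

    /** Fresh per-config data key, Base64-encoded because Nacos passes keys around as Strings. */
    @Override
    public String generateSecretKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256, RNG);
            return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public String encrypt(String secretKey, String content) {
        return seal(aesKey(secretKey), content);
    }

    @Override
    public String decrypt(String secretKey, String content) {
        return open(aesKey(secretKey), content);
    }

    /** Wrap the data key with the master key; this wrapped form is what Nacos persists. */
    @Override
    public String encryptSecretKey(String secretKey) {
        return seal(masterKey(), secretKey);
    }

    @Override
    public String decryptSecretKey(String secretKey) {
        return open(masterKey(), secretKey);
    }

    private static SecretKey aesKey(String b64) {
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    /** AES-GCM with a random IV per call; output is Base64(iv || ciphertext || tag). */
    private static String seal(SecretKey key, String plaintext) {
        try {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(
                    ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }

    /** Reverse of seal(); the GCM tag check makes a tampered database row fail loudly. */
    private static String open(SecretKey key, String encoded) {
        try {
            byte[] blob = Base64.getDecoder().decode(encoded);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            byte[] pt = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("decryption failed or ciphertext was tampered with", e);
        }
    }
}
```

Register the class through Java's ServiceLoader (a META-INF/services/com.alibaba.nacos.plugin.encryption.spi.EncryptionPluginService file listing it) and put the jar on every client's classpath as well as the server's, since the client does the encryption and decryption and the server needs the plugin to show the value in the console. Because the wrapping happens with a key Nacos never stores, the encrypted_data_key column is useless to whoever dumps the database; rotating the master key means re‑wrapping data keys, not re‑encrypting every config.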
Access Control (Authentication & Authorization)
Nacos provides an authentication plugin that takes identity information supplied by the client (username/password, an AK/SK pair used to sign the request, or a previously issued token), attaches it to each request, and validates it on the server. Authorization then follows the RBAC model (role‑based access control) with three entities:
Permission – defines allowed operations on resources.
Role – aggregates permissions.
User – assigned roles; supports MFA for administrators.
The default auth plugin uses RBAC tables (users, roles, permissions) stored in the database.
Implementation Steps
Enable TLS on both server and client using the configuration properties listed above.
Configure an encryption plugin (e.g., one backed by KMS) and publish sensitive configuration under cipher‑prefixed dataIds so the values are encrypted before they leave the client.
Activate the auth plugin:
Set nacos.core.auth.enabled=true and nacos.core.auth.system.type=nacos in application.properties. Since Nacos 2.2.0 the server ships no default token secret or server identity, so also set nacos.core.auth.plugin.nacos.token.secret.key (a Base64‑encoded value of at least 32 random bytes, used to sign login tokens) and nacos.core.auth.server.identity.key / nacos.core.auth.server.identity.value (a private header pair that cluster nodes use to recognise each other), and keep nacos.core.auth.enable.userAgentAuthWhite=false so that a spoofed User‑Agent cannot bypass authentication. Until auth is on, anyone who can reach the port can read every configuration.
Create users, roles, and permissions in the Nacos console or through the HTTP API (/nacos/v1/auth/users, /nacos/v1/auth/roles, /nacos/v1/auth/permissions). A permission pairs a resource such as {namespaceId}:{group}:* with an action r, w or rw, so scope each application's role to its own namespace and group rather than granting *:*:*.
Replace the default administrator password (the built‑in account is nacos/nacos) and assign roles following least privilege: each application gets its own user holding only the role it needs, and the admin account is never used by an application.
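The application side of these steps, as an added example written for this page (not code from the article or from the Nacos project): a Java client that only speaks mutual TLS, authenticates as a least‑privilege user, and publishes a secret under a cipher‑prefixed dataId. It assumes a Nacos 2.x Java client, certificate files under /etc/app/tls, credentials in the NACOS_USER, NACOS_PASSWORD and DB_PASSWORD environment variables, and an encryption plugin with algorithm name aes deployed on both server and client; all of these are placeholders.

```java
// Added example, not Nacos's own code. Host, paths and env var names are placeholders.
import com.alibaba.nacos.api.NacosFactory;
import com.alibaba.nacos.api.PropertyKeyConst;
import com.alibaba.nacos.api.config.ConfigService;
import com.alibaba.nacos.api.exception.NacosException;

import java.util.Objects;
import java.util.Properties;

public class HardenedNacosClient {

    public static void main(String[] args) throws NacosException {
        // Client TLS settings are JVM system properties (-D flags). They are set here so the
        // example is self-contained; they must be in place before the Nacos client classes load.
        System.setProperty("nacos.remote.client.rpc.tls.enable", "true");
        // CA that issued the server certificate: pins trust to our PKI, not the JVM default store
        System.setProperty("nacos.remote.client.rpc.tls.trustCollectionChainPath", "/etc/app/tls/server-ca.pem");
        // Client certificate and key, required because the server runs with mutualAuth=true
        System.setProperty("nacos.remote.client.rpc.tls.certChainFile", "/etc/app/tls/client-chain.pem");
        System.setProperty("nacos.remote.client.rpc.tls.certPrivateKey", "/etc/app/tls/client-key.pem");
        // Deliberately absent: nacos.remote.client.rpc.tls.trustAll=true would skip server verification.

        Properties props = new Properties();
        // HTTP address; the client derives the TLS gRPC port (9848) from it
        props.setProperty(PropertyKeyConst.SERVER_ADDR, "nacos.internal.example:8848");
        props.setProperty(PropertyKeyConst.NAMESPACE, "prod");
        // A per-application user whose role grants rw on prod:DEFAULT_GROUP:* only, never the admin account
        props.setProperty(PropertyKeyConst.USERNAME, requireEnv("NACOS_USER"));
        props.setProperty(PropertyKeyConst.PASSWORD, requireEnv("NACOS_PASSWORD"));

        ConfigService configService = NacosFactory.createConfigService(props);

        // The cipher- prefix routes the content through the encryption filter before it leaves
        // the client; "aes" must match the algorithmName() of the plugin deployed on both sides.
        String dataId = "cipher-aes-db.properties";
        String group = "DEFAULT_GROUP";

        boolean published = configService.publishConfig(dataId, group, "db.password=" + requireEnv("DB_PASSWORD"));
        if (!published) {
            throw new IllegalStateException("publish failed; check the user's permission on prod:" + group);
        }

        // Read back: the filter unwraps the data key and decrypts locally, so the application
        // sees plaintext while the server and database only ever held ciphertext.
        String content = configService.getConfig(dataId, group, 3000);
        boolean roundTripOk = Objects.requireNonNull(content, "config missing").startsWith("db.password=");
        System.out.println("encrypted config round trip ok: " + roundTripOk);
    }

    /** Fail fast on missing secrets instead of silently connecting with empty credentials. */
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is required");
        }
        return value;
    }
}
```

Two things to verify after wiring this up: a user whose role lacks w on the namespace must get a 403 (surfaced as a NacosException) on publishConfig, and the config_info row for cipher-aes-db.properties in the database must hold ciphertext plus a non‑empty encrypted_data_key rather than the password. If the row is readable, the plugin is not on the client's classpath and the cipher- prefix did nothing.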
After these steps, Nacos operates with encrypted transport, encrypted storage, and fine‑grained access control, aligning with zero‑trust security architecture.
Alibaba Cloud Native