By default, Galera Cluster transmits data unencrypted. Even if you secure MariaDB using the TLS system variables as described in Securing Connections for Client and Server, the nodes continue to communicate with each other without encryption. While this may be acceptable when the nodes are running on a private network, it does pose a security risk when they are running in different data centers connecting through the internet.
Securing Internal Connections
In order to secure the interal communications of Galera Cluster, you need to pass the TLS configuration to the wsrep Provider. These are handled through a series of Socket Protocol options set on the
wsrep_provider_options system variable.
[mysqld] ... ssl_cert=/path/to/server-cert.pem ssl_key=/path/to/server-key.pem ssl_ca=/path/to/ca.pem wsrep_provider_options="socket.ssl_cert=/path/to/server-cert.pem;socket.ssl_key=server-key.pem;socket.ssl_ca=/path/to/ca.pem"
By setting both the MariaDB Server TLS system variables as well as the Socket Protocol wsrep Provider options, you can configure the server to secure both external client connections and some State Snapshot Transfer methods as well as internal Galera Cluster communications.
State Snapshot Transfers
Scripts responsible for State Snapshot Transfer are external to the MariaDB Server and the Galera Cluster process. Physical methods like rsync may require some additional configurations to secure the transfer between the node.
With logical methods, (that is, those that require login credentials), like Mariabackup and MySQLDump, you can secure their communications by requiring TLS of the administrative backup user. Use the guide at Securing Connections for Client and Server for more information on user configuration.