Enable TLS connections¶
This guide describes how to a TLS-enabled secure Flower server (SuperLink) can be
started and how a Flower client (SuperNode) can establish a secure connections to
it.
A complete code example demonstrating a secure connection can be found here.
The code example comes with a README.md file which explains how to start it.
Although it is already TLS-enabled, it might be less descriptive on how it does so.
Stick to this guide for a deeper introduction to the topic.
Certificates¶
Using TLS-enabled connections requires certificates to be passed to the server and
client. For the purpose of this guide we are going to generate self-signed certificates.
As this can become quite complex we are going to ask you to run the script in
examples/advanced-tensorflow/certificates/generate.sh with the following command
sequence:
$ cd examples/advanced-tensorflow/certificates && \
./generate.sh
This will generate the certificates in
examples/advanced-tensorflow/.cache/certificates.
The approach for generating TLS certificates in the context of this example can serve as an inspiration and starting point, but it should not be used as a reference for production environments. Please refer to other sources regarding the issue of correctly generating certificates for production environments. For non-critical prototyping or research projects, it might be sufficient to use the self-signed certificates generated using the scripts mentioned in this guide.
Server (SuperLink)¶
Navigate to the examples/advanced-tensorflow folder (here) and use the
following terminal command to start a server (SuperLink) that uses the previously
generated certificates:
$ flower-superlink \
--ssl-ca-certfile .cache/certificates/ca.crt \
--ssl-certfile .cache/certificates/server.pem \
--ssl-keyfile .cache/certificates/server.key
When providing certificates, the server expects a tuple of three certificates paths: CA certificate, server certificate and server private key.
Clients (SuperNode)¶
Use the following terminal command to start a client (SuperNode) that uses the previously generated certificates:
$ flower-supernode \
--root-certificates .cache/certificates/ca.crt \
--superlink 127.0.0.1:9092 \
--clientappio-api-address 0.0.0.0:9095 \
--node-config="partition-id=0 num-partitions=10"
When setting root_certificates, the client expects a file path to PEM-encoded root
certificates.
In another terminal, start a second SuperNode that uses the same certificates:
$ flower-supernode \
--root-certificates .cache/certificates/ca.crt \
--superlink 127.0.0.1:9092 \
--clientappio-api-address 0.0.0.0:9096 \
--node-config="partition-id=1 num-partitions=10"
Note that in the second SuperNode, if you run both on the same machine, you must specify
a different port for the ClientAppIO API address to avoid clashing with the first
SuperNode.
Executing flwr run with TLS¶
The root certificates used for executing flwr run is specified in the
pyproject.toml of your app.
[tool.flwr.federations.local-deployment]
address = "127.0.0.1:9093"
root-certificates = "./.cache/certificates/ca.crt"
Note that the path to the root-certificates is relative to the root of the project.
Now, you can run the example by executing the following:
$ flwr run . local-deployment --stream
Conclusion¶
You should now have learned how to generate self-signed certificates using the given
script, start an TLS-enabled server and have two clients establish secure connections to
it. You should also have learned how to run your Flower project using flwr run with
TLS enabled.
Note
For running a Docker setup with TLS enabled, please refer to Enable TLS for Secure Connections.
Additional resources¶
These additional sources might be relevant if you would like to dive deeper into the topic of certificates: