Varnish Cache Plus

Total Encryption (crypto)

Varnish 6.0


Varnish Total Encryption provides cache encryption and a VCL based crypto API. Varnish Total Encryption uses an innovative dual key encryption algorithm with one key securely stored in the Linux kernel and the other key generated from the client request. No keys are ever stored in Varnish or in cache and every object has its own unique key.

Click here to learn more about Varnish Total Encryption.

Example VCL

Memory Encryption

Encrypting malloc, file, and mse (non persistence) using a randomly generated master key.

include "total-encryption/random_key.vcl";

Disk Encryption

Encrypting mse with persistence enabled using a local secret key.

First, generate a new secret key:

$ cat /dev/urandom | head -c 1024 > /etc/varnish/disk_secret
$ sudo chmod 600 /etc/varnish/disk_secret
$ sudo chown root: /etc/varnish/disk_secret

Add the key to the varnishd systemd unit configuration. This allows the disk_secret to be securely read via the varnishd jail configuration:

ExecStart=/usr/sbin/varnishd ... -E /etc/varnish/disk_secret

For more information on how to do this, please see our systemd reference.

Use the secret key to encrypt cache:

include "total-encryption/secret_key.vcl";

Header Encryption

When using one of the above Total Encryption includes, you can optionally encrypt headers with the following VCL:

sub vcl_backend_response {
	# Encrypt beresp.http.Content-Type
	set beresp.http.Content-Type = crypto.hex_encode(crypto.aes_encrypt(beresp.http.Content-Type));

sub vcl_deliver {
	# Decrypt resp.http.Content-Type
	if (resp.http.Content-Type != "") {
		set resp.http.Content-Type = crypto.aes_decrypt(crypto.hex_decode(resp.http.Content-Type));

Skipping Encryption

Use crypto.aes_skip_response() to skip encryption or decryption in vcl_backend_response or vcl_deliver.

sub vcl_backend_response {
	if (beresp.http.Content-Type ~ "video") {

Alternate Encryption Cipher

By default Varnish Total Encryption uses Cipher Block Chaining (CBC) AES encryption. On some systems, Propagating Cipher Block Chaining (PCBC) is available hardware accelerated. If so, use the following VCL to use PCBC AES encryption:

sub vcl_init {
	te_opts.set("algorithm", "pcbc(aes)");