| title | Server Configuration: PolyBase Network Encryption |
|---|---|
| description | Set the configuration option for PolyBase network encryption in SQL Server settings. |
| author | MikeRayMSFT |
| ms.author | mikeray |
| ms.reviewer | hudequei, randolphwest |
| ms.date | 08/26/2025 |
| ms.service | sql |
| ms.subservice | polybase |
| ms.topic | conceptual |
[!INCLUDE appliesto-ss-xxxx-xxxx-pdw-md]
Display or changes the global configuration settings for PolyBase network encryption. This configuration option controls whether PolyBase encrypts the communication channels between the SQL Server instance and the PolyBase Engine, which runs in the same server.
The possible values are described in the following table:
| Value | Meaning |
|---|---|
0 |
Disabled |
1 (default) |
Enabled |
Enabled is the default setting in SQL Server versions for security compliance.
When enabled, the communication between SQL Server and PolyBase components is encrypted.
Beginning with [!INCLUDE sssql25-md], a valid certificate is required to encrypt the communication between PolyBase services and SQL Server.
When disabled:
- Communication isn't encrypted
- No certificate or extra checks are required.
Disabled encryption configuration can be suitable for environments that are fully trusted, isolated or when no certificate can be provided.
This change takes effect immediately.
The following example enables this setting.
EXECUTE sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXECUTE sp_configure 'polybase network encryption', 1;
GO
RECONFIGURE;
GOThe following example disables this setting.
EXECUTE sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXECUTE sp_configure 'polybase network encryption', 0;
GO
RECONFIGURE;
GOBeginning with [!INCLUDE sssql25-md], a valid certificate is required for secure connections.
To encrypt the communication between PolyBase components and SQL Server, you need:
- The certificate must be signed by a trusted Certificate Authority (CA).
- Its Subject Name or Subject Alternative Name should match the SQL Server's Fully Qualified Domain Name (FQDN).
After the certificate is installed on the server, update the SQL Server instance as follows.
-
Add the certificate to the PolyBase configuration table.
To add the certificate to the configuration table, update the following example for your instance run the query:
UPDATE DWConfiguration.[dbo].[configuration_properties] SET value = '<CertificateSerialNumber>' WHERE [key] = '<CertificateSerialNumber>' AND [id] = `<Server Name>`
-
Enable PolyBase Network Encryption through
sp_configure. -
Restart the SQL Services.
All users can execute sp_configure with no parameters or the @configname parameter.
Requires ALTER SETTINGS server-level permission or membership in the sysadmin fixed server role to change a configuration value or to run RECONFIGURE.
[!INCLUDE sssql25-md] RC 0 has the following known PolyBase issues:
- PolyBase services on [!INCLUDE sssql25-md] won't work unless there's a trusted certificate, or if PolyBase network encryption is set to
0. - SQL Server on Linux currently only supports PolyBase network encryption set to
0.