Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

Installing and Securing Valkey on Ubuntu

profile picture
Author
Riyaz
Published
2026-03-03
Time to read
7 minutes reading time
Table of Contents

Introduction

Valkey is a fully open-source, high-performance in-memory key-value store backed by the Linux Foundation. It was created in 2024 as a community fork of Redis 7.2, after Redis Inc. moved to a proprietary licensing model. Valkey maintains the permissive BSD 3-Clause license. It supports the same rich set of data structures as Redis — strings, hashes, lists, sets, sorted sets, and more — while introducing improvements such as multi-threaded I/O for better performance on modern multi-core servers.

In this tutorial, you will install Valkey on an Ubuntu 24.04 server, configure it for production use, secure it with a password and firewall rules, and verify that it works correctly. By the end, you will have a running Valkey instance that is not exposed to the public internet and is protected against unauthorized access.

Prerequisites

  • A server running Ubuntu 24.04 (with Hetzner cloud servers, any shared-CPU type works; CX22 or higher recommended)
  • A non-root user with sudo privileges, or access as root
  • Basic familiarity with the Linux command line

Step 1 - Update the System and Install Valkey

Start by ensuring the system package list is up to date and all existing packages are upgraded.

sudo apt update && sudo apt upgrade -y

Ubuntu 24.04's default package repositories include Valkey. Install the valkey and valkey-tools packages:

sudo apt install -y valkey valkey-tools

The valkey package includes the server daemon (valkey-server), while valkey-tools provides the valkey-cli command-line client. After installation, the systemd service is enabled and started automatically.

Verify the service is running:

sudo systemctl status valkey-server

You should see output indicating the service is active (running). You can also check the installed version:

valkey-server --version

Step 2 - Configure Valkey

The main Valkey configuration file is located at /etc/valkey/valkey.conf. Before making changes, create a backup:

sudo cp /etc/valkey/valkey.conf /etc/valkey/valkey.conf.bak

Open the configuration file in a text editor:

sudo nano /etc/valkey/valkey.conf

Step 2.1 - Bind to a Specific Address

By default, Valkey listens on all interfaces (0.0.0.0). For a single-server setup where only local applications need to connect, you should restrict it to the loopback interface.

Find the bind directive and update it:

bind 127.0.0.1 -::1

If you have multiple cloud servers connected via a Hetzner private network and need Valkey to be reachable from those servers, add the private network IP of your server as well:

bind 127.0.0.1 10.0.0.2 -::1

Replace 10.0.0.2 with your server's actual private network IP address.

Step 2.2 - Set a Strong Password

Valkey supports password authentication. Find the requirepass directive (it is commented out by default), uncomment it, and set a strong password:

requirepass YourVeryStrongPasswordHere

Use a randomly generated password for production. You can generate one with:

openssl rand -base64 32

Step 2.3 - Disable Dangerous Commands

To reduce the attack surface, you can rename or disable commands that are rarely needed in production but could cause damage if misused — particularly FLUSHALL, FLUSHDB, DEBUG, and CONFIG. Find the rename-command directives and add the following lines:

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
rename-command CONFIG ""

Setting a command to an empty string "" disables it entirely. If you still need CONFIG for management purposes, rename it to something unpredictable instead:

rename-command CONFIG "SOME_RANDOM_STRING_HERE"

Step 2.4 - Set a Memory Limit

To prevent Valkey from consuming all available RAM, configure a maximum memory limit and an eviction policy. Add or update the following directives:

maxmemory 256mb
maxmemory-policy allkeys-lru

The allkeys-lru policy evicts the least recently used keys first when the memory limit is reached, which is appropriate for a caching use case. For a primary data store (not just a cache), consider noeviction or volatile-lru instead.

Step 2.5 - Enable Persistence (Optional)

Valkey stores data in memory by default, which means data is lost on restart. For workloads that require durability, enable RDB snapshotting. Find the save directives in the configuration file:

save 900 1
save 300 10
save 60 10000

These lines tell Valkey to save a snapshot if at least 1 key changed in 900 seconds, 10 keys changed in 300 seconds, or 10,000 keys changed in 60 seconds. Adjust to fit your needs. The snapshot file (dump.rdb) is saved to the directory specified by the dir directive.

Save and close the configuration file, then restart the Valkey service to apply the changes:

sudo systemctl restart valkey-server

Step 3 - Secure Valkey with a Firewall

If Valkey is only used locally on the same server, the loopback binding from Step 2.1 is sufficient. However, if you bound Valkey to a private network IP, you should also use a firewall to ensure the Valkey port (6379) is only accessible from trusted hosts.

Install and configure ufw if it is not already active:

sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw enable

Block public access to the Valkey port:

sudo ufw deny 6379

If you have trusted servers on a private network that need access, allow them specifically:

sudo ufw allow from 10.0.0.0/24 to any port 6379

Replace 10.0.0.0/24 with the CIDR range of your Hetzner private network.

Check the firewall status:

sudo ufw status

Step 4 - Verify the Installation

Connect to Valkey using valkey-cli. Since you set a password, authenticate immediately after connecting:

valkey-cli

Inside the interactive client, run:

AUTH YourVeryStrongPasswordHere

You should receive an OK response. Now run a quick test with a few basic commands:

SET greeting "Hello from Valkey"
GET greeting
PING

The expected output is:

OK
"Hello from Valkey"
PONG

You can also pass the password directly from the command line using the -a flag:

valkey-cli -a YourVeryStrongPasswordHere PING

To verify the server information, including the Valkey version and memory usage, run:

valkey-cli -a YourVeryStrongPasswordHere INFO server

Step 5 - Enable the Valkey Service on Boot

Ensure Valkey starts automatically whenever the server reboots:

sudo systemctl enable valkey-server

You can verify it is set to start on boot:

sudo systemctl is-enabled valkey-server

The output should be enabled.

Conclusion

You have successfully installed and secured Valkey on Ubuntu 24.04. Your setup includes:

  • Valkey bound to the loopback interface (and optionally a private network interface), keeping it off the public internet
  • Password authentication via requirepass
  • Dangerous commands disabled via rename-command
  • A memory limit with LRU eviction to prevent runaway memory usage
  • A UFW firewall rule blocking external access to the Valkey port
  • Systemd configured to start Valkey automatically on boot

From here, you can connect your applications to Valkey using any Redis-compatible client library — Valkey is fully compatible with the Redis protocol, so no code changes are needed if you are migrating from Redis. For workloads requiring horizontal scaling or high availability, consider exploring Valkey Cluster or Valkey Sentinel.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue
Try Hetzner Cloud

Get €20/$20 free credit!

Valid until: 31 December 2026 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue