
Encryption of data in transit

Encrypting data helps organizations meet compliance, regulatory, and internal information security requirements.

kdb Insights Enterprise supports end to end encryption of data.

  • Data that enters kdb Insights Enterprise via stream processors, reliable transport, kxi APIs and the UI is encrypted using various methods including TLS.

  • kdb Insights Enterprise can encrypt data in transit between internal services and across nodes. This is delivered using Istio.

For new kdb Insights Enterprise installations, encryption of data in transit is turned on by default.

For upgrades to kdb Insights Enterprise, using the kdb Insights CLI, the default behavior is to keep the existing pre-upgrade setting.

The current status of encryption of data in transit on your installation is visible on the System information menu in the UI.

What is required for encryption of data in transit

When installing a new version of kdb Insights Enterprise all of the requirements to enable encryption in transit are installed and set up for you.

These include:

  • Installing Istio - Istio is a service mesh that extends Kubernetes to provide traffic management, telemetry, security, and policy for complex deployments.

  • Updating the NGINX ingress to enable mTLS traffic between the nginx controller and the kdb Insights Enterprise API Gateway nginx controller workload.

  • Updating Prometheus:

    • To enable the collection of metrics with mTLS
    • To collect the Standard Istio metrics at the recommended 15s scrape interval

    Refer to Encryption in transit metrics for more information on how to monitor Istio.

Upgrading

When you upgrade from an older version of kdb Insights Enterprise, data encryption in transit isn't enabled by default.

During execution of the upgrade command, the CLI prompts you to choose whether to enable encryption in transit.

Alternatively, you can add the following section to your helm values.yaml file before running the upgrade command:

global:
  encryption:
    enabled: true

When you run the upgrade command after adding this section, kdb Insights Enterprise enables encryption in transit during the upgrade process.
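A cluster-side way to confirm what the UI's System information menu reports, added here as an example that is not part of the kdb Insights Enterprise documentation or product: it reads the output of `kubectl get peerauthentication -A -o json` and reports which namespaces, and which workload-scoped policies, are not enforcing STRICT Istio mTLS. The namespace and policy names in the embedded sample are constructed, and the assumption that the deployment expresses its mesh encryption as Istio PeerAuthentication resources is mine, not the page's.

```python
import json

# Constructed sample of `kubectl get peerauthentication -A -o json` output.
# Namespace and policy names are hypothetical, not taken from kdb Insights.
SAMPLE_PEERAUTH_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "insights"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "legacy", "namespace": "feeds"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "fh-only", "namespace": "feeds"},
     "spec": {"selector": {"matchLabels": {"app": "feedhandler"}},
              "mtls": {"mode": "DISABLE"}}},
]})

ROOT_NAMESPACE = "istio-system"  # Istio's default mesh root namespace (assumed)


def effective_mtls_modes(peerauth_json, namespaces):
    """Namespace-wide mTLS mode per namespace, following Istio precedence:
    namespace policy > mesh-wide policy (root namespace, no selector) >
    Istio's default PERMISSIVE. UNSET inherits from the level above."""
    mesh_mode, ns_mode = "PERMISSIVE", {}
    for item in json.loads(peerauth_json)["items"]:
        if "selector" in item["spec"]:
            continue  # workload-scoped; handled by find_weak_policies()
        mode = item["spec"].get("mtls", {}).get("mode", "UNSET")
        if mode == "UNSET":
            continue  # nothing recorded at this level; inherit
        ns = item["metadata"]["namespace"]
        if ns == ROOT_NAMESPACE:
            mesh_mode = mode
        else:
            ns_mode[ns] = mode
    return {ns: ns_mode.get(ns, mesh_mode) for ns in namespaces}


def find_weak_policies(peerauth_json, namespaces):
    """Scopes whose mTLS mode is weaker than STRICT: namespaces first, then
    workload-scoped policies, which override the namespace for selected pods."""
    weak = [(ns, mode) for ns, mode in
            effective_mtls_modes(peerauth_json, namespaces).items()
            if mode != "STRICT"]
    for item in json.loads(peerauth_json)["items"]:
        mode = item["spec"].get("mtls", {}).get("mode", "UNSET")
        if "selector" in item["spec"] and mode not in ("STRICT", "UNSET"):
            meta = item["metadata"]
            weak.append((f"{meta['namespace']}/{meta['name']} (workload)", mode))
    return weak
```

Against a live cluster, feed the real `kubectl` JSON and the list of namespaces your kdb Insights workloads run in; any entry returned is a place where traffic may still be accepted in plaintext.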

Considerations

Feedhandlers

The kdb Insights Enterprise feedhandler does not have encryption enabled by default. If encryption is enabled in your kdb Insights Enterprise deployment, you need to update the encryption settings of your feedhandler. For information on how to do this, reach out to your KX support contact.

Resource usage and performance

Enabling encryption requires extra memory and CPU resources. Istio requests 2 GiB of memory and 500 mCPU, and each kdb Insights pod requires an extra 128 MiB of memory and 100 mCPU. Therefore, for a single database with one Data Access Process and one pipeline, this equates to 8.5 GiB and 5800 mCPU. Each additional database adds 1.5 GiB and 1200 mCPU.

Encryption adds a small amount of latency when enabled, up to 10% depending on your infrastructure.