Attention: This version of Event Streams has reached End of Support. For more information about supported versions, see the support matrix.

Encrypting your data

Network connections into the Event Streams deployment are secured using TLS. By default, data within the Event Streams deployment is not encrypted. To secure this data, you must ensure that any storage and communication channels are encrypted as follows:

  • Encrypt data at rest by using disk encryption or encrypting volumes using dm-crypt.
  • Encrypt internal network traffic by using TLS encryption for communication between pods.
  • Encrypt messages in applications.

Enabling encryption between pods

By default, TLS encryption for communication between pods is disabled. You can enable it when installing Event Streams, or you can enable it later as described in this section.

To enable TLS encryption for your existing Event Streams installation, use the UI or the command line.

  • To enable TLS by using the UI, follow the instructions in modifying installation settings, and set the Pod to pod encryption field of the Global install settings section to Enabled.
  • To enable TLS by using the command line, follow the instructions in modifying installation settings, and set the global.security.tlsInternal parameter to enabled as follows:

    helm upgrade --reuse-values --set global.security.tlsInternal=enabled <release_name> <charts.tgz> --tls

    For example:
    helm upgrade --reuse-values --set global.security.tlsInternal=enabled eventstreams ibm-eventstreams-prod-1.3.0.tgz --tls

Warning: If you enable TLS encryption between pods, the message browser will not display message data from before the upgrade.

Important: Enabling TLS encryption between pods might impact the connection to Event Streams.