Skip to content

Encryption

The implementation of the Alternative Envoy filter within an Istio service mesh is a cornerstone for ensuring robust encryption practices, thereby guaranteeing data security across the network. This document outlines the encryption strategies employed to protect data both in transit and at rest, emphasizing the importance of these measures in maintaining data integrity and confidentiality within a distributed system.

Secure Data Transmission with HTTPS

HTTPS is utilized as the primary means for secure data transmission. By leveraging Transport Layer Security (TLS), HTTPS provides a secure channel over which data can be transmitted between clients and services. This prevents data interception and tampering by encrypting the data during transit.

Benefits of HTTPS:

  • Encryption: Ensures that data exchanged between the client and server is encrypted, protecting against eavesdropping and man-in-the-middle attacks.
  • Data Integrity: Guarantees that the data sent is not altered or corrupted during transfer.
  • Authentication: Verifies that the users are communicating with the intended website, building trust.

Encryption of Sensitive Data

Sensitive information, including JWT tokens and revocation lists, is encrypted not only in transit but also at rest. This dual-layer encryption strategy provides comprehensive protection against unauthorized access and potential data breaches.

Data in Transit:

  • End-to-End Encryption: For sensitive payloads, end-to-end encryption is employed, ensuring that data is encrypted from the source all the way to the destination without being decrypted at intermediary points.

Encryption Algorithms and Key Management

Choosing the right encryption algorithms and managing encryption keys effectively are critical aspects of a robust encryption strategy.

  • Algorithms: AES (Advanced Encryption Standard) for data at rest and TLS 1.3 for data in transit are recommended due to their strong security features and widespread support.
  • Key Management: Securely managing the keys involves generating, storing, rotating, and retiring encryption keys in a secure manner. A centralized key management system can help automate these processes, reducing the risk of human error.