Enable PSK Encryption for Zabbix Agents

Video Lecture

Enable PSK Encryption for Zabbix Agent on Linux Enable PSK Encryption for Zabbix Agent on Linux Enable PSK Encryption for Zabbix Agent on Linux

Description

By default, agent communication is done in clear text.

For encryption we have an option to use PSK-based encryption.

PSK means pre shared key.

The PSK option consists of two important values, the PSK identity and the PSK Secret.

The secret should be minimum a 128-bit (16-byte PSK, entered as 32 hexadecimal digits) up to 2048-bit (256-byte PSK, entered as 512 hexadecimal digits)

You can generate a 256 bit PSK secret on your server with openssl using the command

1
openssl rand -hex 32

Or you can just generate a random 256 bit 32 byte hex using this button below


In this lecture, I also save it straight to a file.

I first create and navigate to a folder

1
mkdir /home/zabbix/
1
cd /home/zabbix

I then run,

1
openssl rand -hex 32 > secret.psk

I also make sure that only the Zabbix user can read the file.

1
chown zabbix:zabbix secret.psk
1
chmod 640 secret.psk

I then reconfigure the Zabbix agent configuration file.

1
sudo nano /etc/zabbix/zabbix_agentd.conf

and change the options near the bottom,

1
2
3
4
TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/home/zabbix/secret.psk
TLSPSKIdentity=[any text]

Danger

The TLSPSKIdentity value you decide will not be encrypted on transport, so don't use anything sensitive.

I then restart the agent

1
sudo service zabbix-agent restart

I then go into the Zabbix Server User interface and configure the PSK encryption options for the host.

I select the

'Connections to host' = PSK

'Connections from host' = PSK

'PSK Identity' = [what ever you used in the Zabbix agent config]

'PSK' = [the long hex string generated from the OpenSSL command above]

After a minute or two, the Zabbix Server and Agent will successfully communicate using PSK encryption.

PSK behind a Proxy

Setting up PSK encryption on Agents behind a proxy is not necessary if they are all running on the same internal private network, unless your security policy also recommends a certain level of encryption on your internal networks as well.

What you should do first instead, is enable PSK for communications between your Zabbix Server and Zabbix Proxy.

You should create a new secret, and add the PSK Identity and Secret to Administration-->Proxies-->[Your proxy]-->Encryption and also adjust the settings inside the proxies own conf file at /etc/zabbix/zabbix_proxy.conf

Warning

If setting up PSK encryption for agents behind a Zabbix proxy, ensure your have Zabbix Server <--> Proxy PSK enabled first. This is because, when you start the Proxy, or do a config_cache_reload, the Proxy will download all it's host settings from the server, and this also includes the servers copy of the secret. The proxy needs to know the secret since it is now managing the communications on behalf of the server.

If you want PSK encryption for any Agents behind a proxy, then you continue to set up the Agents as normal by creating a new secret, editing there Configuration-->Hosts-->[Your Host]-->Encryption page, and also editing their own conf file at /etc/zabbix/zabbix_agentd.conf.

Remember that, since your Agents Host configuration in the Zabbix UI will be set as Monitored by Proxy, the PSK settings will be applicable for communications happening between the Zabbix Proxy and the Agent that it is monitoring. Not between the Zabbix Server and the Agent behind the proxy.

You can also add PSK Encryption between your Zabbix Proxy and its own local Agent if you want. You would set its PSK settings in the Proxy Agents host configuration at Configuration-->Hosts-->[Your proxy]-->Encryption, and modify the settings in the agents on conf file at /etc/zabbix/zabbix_agentd.conf. Remember, this is only applicable to communications between the Zabbix Proxy, and its own Agent process.

When setting up PSK encryption for the Zabbix Server, Proxy and Agents, you may see an error in the Proxy logs,

cannot send proxy data to server at "zabbix.your-domain.tld": connection of type "TLS with PSK" is not allowed for proxy "your-proxy".

Check that your Zabbix Server <--> Proxy PSK settings are correct first. Don't get confused between the Proxies own optional agent process, and its main Proxy process which is required.

Troubleshooting

Check the zabbix agent logs at

1
tail -f /var/log/zabbix/zabbix_agentd.log