ThoughtSpot supports encryption of data in transit within a cluster (traffic flowing between multiple nodes in a cluster). Encryption in transit within the cluster is primarily needed for cloud deployments of ThoughtSpot. This is accomplished using IPSec.
IPSec operates in two modes: tunnel mode and transport mode. ThoughtSpot recommends using transport mode to set up IPSec for encrypting in-transit data.
Note: While IPSec provides additional security, it also reduces network bandwidth between nodes.
ThoughtSpot supports IPSec encryption using strongSwan (an open-source IPSec-based VPN solution for Linux and other UNIX based operating systems).
- Use IPSec in Transport mode for host-to-host IPSec communication.
- Use the strongSwan package.
- Use AES-GCM for ESP protocol (since it provides authenticated encryption and provides better network bandwidth).
Note: IPSec is supported in ThoughtSpot software versions starting from 220.127.116.11
- Enabling IPSec: Run following command on any ThoughtSpot node after cluster has been configured and right built has been deployed:
# tscli ipsec enable.
- Disabling IPSec: Run following command on any node of the cluster:
# tscli ipsec disable.
- Checking status of IPSec: Run following command on any node of the cluster
# tscli ipsec status.
- IPSec configuration and settings are NOT persistent across cluster backup/restore and will have to be re-enabled.
- Adding a node in an IPSec enabled cluster: IPSec settings are automatically configured across nodes as a nodes get added to a ThoughtSpot cluster that has IPSec enabled.
- Removing a node in IPSec enabled cluster: IPSec settings are not impacted when nodes get removed from a ThoughtSpot cluster that has IPSec enabled. If any failure occurs during node removal, IPSec would need to re-enabled by using the following command:
tscli ipsec enable.
Manually enable/disable IPSec on a single node(if any IPSec related failure occurs on that node):
Manually enable and start strongSwan:
sudo systemctl enable strongswan
sudo systemctl start strongswan
Manually stop and disable strongSwan:
sudo systemctl stop strongswan
sudo systemctl disable strongswan
Note: You can check
/etc/strongswan/ipsec.secretson each node to verify that they are consistent across all nodes.
The following ports must be open between nodes to allow IPSec encryption:
- UDP port 500 (for IKE)
- UDP port 4500 (for IPSec over IDP)
- IP Protocol 50 (ESP)