Encryption of data in transit within a cluster
ThoughtSpot can encrypt data in transit within a cluster.
ThoughtSpot supports encryption of data in transit within a cluster (traffic flowing between multiple nodes in a cluster). Encryption in transit within the cluster is primarily needed for cloud deployments of ThoughtSpot. This is accomplished using IPSec.
IPSec operates in two modes: tunnel mode and transport mode. ThoughtSpot recommends using transport mode to set up IPSec for encrypting in-transit data.
|While IPSec provides additional security, it also reduces network bandwidth between nodes.|
ThoughtSpot supports IPSec encryption using strongSwan (an open-source IPSec-based VPN solution for Linux and other UNIX based operating systems).
Use IPSec in Transport mode for host-to-host IPSec communication.
Use the strongSwan package.
Use AES-GCM for ESP protocol (since it provides authenticated encryption and provides better network bandwidth).
|IPSec is supported in ThoughtSpot software versions starting from 220.127.116.11|
Enabling IPSec: Run following command on any ThoughtSpot node after cluster has been configured and right built has been deployed:
# tscli ipsec enable.
Disabling IPSec: Run following command on any node of the cluster:
# tscli ipsec disable.
Checking status of IPSec: Run following command on any node of the cluster
# tscli ipsec status.
IPSec configuration and settings are NOT persistent across cluster backup/restore and will have to be re-enabled.
Adding a node in an IPSec enabled cluster: IPSec settings are automatically configured across nodes as a nodes get added to a ThoughtSpot cluster that has IPSec enabled.
Removing a node in IPSec enabled cluster: IPSec settings are not impacted when nodes get removed from a ThoughtSpot cluster that has IPSec enabled. If any failure occurs during node removal, IPSec would need to re-enabled by using the following command:
tscli ipsec enable.
Manually enable/disable IPSec on a single node(if any IPSec related failure occurs on that node):
Manually enable and start strongSwan:
sudo systemctl enable strongswan
sudo systemctl start strongswan
Manually stop and disable strongSwan:
sudo systemctl stop strongswan
sudo systemctl disable strongswan
You can check
/etc/strongswan/ipsec.secretson each node to verify that they are consistent across all nodes.