# Set up encryption

### In-Flight (TLS) Encryption

In-flight encryption for UltiHash can be configured on two different levels:

* Internal Ingress object - part of the UltiHash deployment on Kubernetes
* External load balancer - a proxy that fronts the Kubernetes cluster and distributes traffic to its nodes

#### Configure TLS on the Ingress level

The Helm chart deploys UltiHash with a dedicated [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/#what-is-ingress) object by default. The object is located in the same namespace as the deployed UltiHash cluster and can be found by executing the command below (replace `<namespace>` with the Kubernetes namespace where your UltiHash cluster is deployed):

```bash
kubectl get ingress -n <namespace>
```

The Ingress object can be customised via the Helm values:

```yaml
entrypoint:
  ingress:
    # Make sure Ingress is enabled to expose the UltiHash cluster outside your Kubernetes cluster
    enabled: true
    # Specify a domain name under which the UltiHash cluster will be accessible outside the Kubernetes cluster
    host: example.domain.name
    # Add annotations specific to your Ingress controller if required
    annotations: {}
    # Configure in-flight encryption by using TLS
    tls: []
```

To enable TLS encryption at the Ingress level, perform the following steps:

* register a domain name for the UltiHash cluster in your private or public DNS server (for example `example.domain.name`)
* generate a TLS private key and a certificate bound to the registered domain name
* create a Kubernetes Secret of type `kubernetes.io/tls` in your UltiHash namespace holding those credentials, as shown [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) (the examples below assume the secret is named `secret-tls`)
* enable the Ingress object with your domain name and the corresponding TLS secret in the Helm values:

```yaml
entrypoint:
  ingress:
    enabled: true
    host: example.domain.name
    annotations: {}
    tls:
      - hosts:
          - example.domain.name
        secretName: secret-tls
```
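The steps above carried through as one script. This is an added example and not part of the UltiHash documentation or Helm chart: it generates a self-signed key and certificate for the Ingress host (a stand-in for the CA-issued certificate you would use in production), checks that the certificate's subjectAltName actually covers the host, writes the `kubernetes.io/tls` Secret manifest that `kubectl create secret tls --dry-run=client -o yaml` would produce, and renders the matching Helm values. The host `example.domain.name`, the namespace `ultihash`, the secret name `secret-tls` and the output directory `./tls-out` are assumed placeholders; the DNS registration step is done outside the script, and `openssl` 1.1.1 or newer is assumed on `PATH`.

```shell
#!/usr/bin/env sh
# Added example (not from the UltiHash docs or Helm chart): prepare the TLS
# material for the Ingress host and emit the Secret + Helm values that wire it in.
# Assumes openssl (1.1.1+ for -addext) on PATH. UH_HOST, UH_NS, UH_SECRET and
# UH_DIR are placeholders; DNS registration happens outside this script.
set -eu

# Step 2: key + certificate bound to the host. Self-signed here for a lab; for
# production, place a CA-issued certificate for the same host at tls.crt/tls.key.
gen_selfsigned() {
  host="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/tls.key" -out "$outdir/tls.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Guard: clients validate the subjectAltName, not the CN, so a certificate that
# only carries the host in its CN fails in browsers and S3 SDKs alike.
cert_covers_host() {
  crt="$1"; host="$2"
  openssl x509 -in "$crt" -noout -text \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$host"
}

# Step 3: the kubernetes.io/tls Secret, equivalent to
#   kubectl create secret tls NAME -n NS --cert tls.crt --key tls.key --dry-run=client -o yaml
secret_manifest() {
  name="$1"; ns="$2"; dir="$3"
  crt_b64=$(base64 < "$dir/tls.crt" | tr -d '\n')
  key_b64=$(base64 < "$dir/tls.key" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$ns" "$crt_b64" "$key_b64"
}

# Step 4: Helm values for the UltiHash chart, same shape as the page's example.
helm_values() {
  host="$1"; secret="$2"
  printf 'entrypoint:\n  ingress:\n    enabled: true\n    host: %s\n    annotations: {}\n    tls:\n      - hosts:\n          - %s\n        secretName: %s\n' \
    "$host" "$host" "$secret"
}

# Post-deployment check: the Ingress must present the expected certificate for
# the host when asked with SNI, which is what S3 clients will do.
check_endpoint() {
  host="$1"; port="${2:-443}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

main() {
  UH_HOST=${UH_HOST:-example.domain.name}; UH_NS=${UH_NS:-ultihash}
  UH_SECRET=${UH_SECRET:-secret-tls};     UH_DIR=${UH_DIR:-./tls-out}
  gen_selfsigned "$UH_HOST" "$UH_DIR"
  cert_covers_host "$UH_DIR/tls.crt" "$UH_HOST" || { echo "certificate does not cover $UH_HOST" >&2; exit 1; }
  secret_manifest "$UH_SECRET" "$UH_NS" "$UH_DIR" > "$UH_DIR/secret-tls.yaml"
  helm_values "$UH_HOST" "$UH_SECRET" > "$UH_DIR/values-tls.yaml"
  echo "wrote $UH_DIR/secret-tls.yaml and $UH_DIR/values-tls.yaml"
  echo "next: kubectl apply -f $UH_DIR/secret-tls.yaml && helm upgrade <release> <chart> -n $UH_NS -f $UH_DIR/values-tls.yaml"
  echo "then: check_endpoint $UH_HOST"
}
main "$@"
```

The SAN check is the part worth keeping even when the certificate comes from a CA: an Ingress that serves a certificate whose SAN does not list the configured `host` passes `kubectl apply` without complaint and only fails once a client connects.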

#### Configure TLS encryption on the external load balancer level

The TLS configuration for an external load balancer depends heavily on the type of load balancer used; refer to the documentation of your load balancer.

[This guide](https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/) shows the TLS configuration for a [network load balancer](https://aws.amazon.com/elasticloadbalancing/network-load-balancer/) on AWS (the recommended load balancer type to use on AWS for higher performance).

For the [Nginx Ingress controller](https://docs.nginx.com/nginx-ingress-controller/) on an AWS EKS cluster, here is an example of a network load balancer configuration with TLS termination. To have the network load balancer provisioned automatically, the [AWS load balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/) has to be installed in advance. Modify the Helm values of the [Nginx Ingress controller's Helm chart](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx) as follows:

```yaml
controller:
  service:
    type: LoadBalancer
    annotations:
      # Name of the load balancer
      service.beta.kubernetes.io/aws-load-balancer-name: nlb-name
      # Scheme of the load balancer: internal or internet-facing
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      # Annotation values must be strings: quote the port so YAML does not parse it as a number
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "10254"
      # Subnet IDs or names in which the load balancer has to be provisioned
      service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet
      # ARN of the ACM certificate used for TLS termination (has to be provisioned in advance)
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:3223213123233:certificate/c6a3ff73-3eb8-4e72-9e68-2dsa4cce549c
      # TLS terminates at the load balancer; traffic to the Ingress controller stays plain HTTP
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
```

### Encryption at Rest

The configuration of at-rest encryption for an UltiHash cluster depends on the CSI driver used on your Kubernetes cluster. Refer to the documentation of your CSI driver.

The example below shows how to enable encryption at rest for data stored in UltiHash with the [AWS EBS CSI driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver?tab=readme-ov-file). The driver has to be installed before deploying the UltiHash cluster; follow the [official guide](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md). After the EBS CSI driver is installed, provision a storage class on your Kubernetes cluster with the configuration shown below:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: example-storage   # Specify a name for the storage class
parameters:
  encrypted: "true"       # Have the CSI driver encrypt the EBS volumes it provisions (the value must be the string "true")
  type: gp3               # EBS volume type to provision ('gp2', 'gp3', 'io1', or other)
  # kmsKeyId: ""          # Optional: ARN of the KMS key used to encrypt the provisioned EBS volumes. If omitted, the AWS-managed KMS key is used
provisioner: ebs.csi.aws.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
```

To have the UltiHash cluster use the storage class above, reference it in the Helm values of the UltiHash Helm chart for every persistent component:

```yaml
etcd:
  persistence:
    storageClass: example-storage

database:
  primary:
    persistence:
      storageClass: example-storage

storage:
  storageClass: example-storage

deduplicator:
  storageClass: example-storage
```
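Once the cluster is deployed with these values, confirm that the volumes behind it were really created encrypted rather than trusting the storage class alone. This is an added example and not part of the UltiHash documentation: it walks the bound PVCs in the namespace to their EBS volume IDs (the EBS CSI driver records the ID in the PersistentVolume's `spec.csi.volumeHandle`), asks EC2 for the `Encrypted` flag and KMS key of each volume, and fails if any volume is unencrypted. It assumes `kubectl` and the AWS CLI are configured for the cluster and account; the namespace `ultihash` is a placeholder, and the rows used to exercise the offline part are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the UltiHash docs): verify that every EBS volume
# backing the UltiHash PVCs is encrypted. Assumes kubectl and the AWS CLI are
# configured; the namespace is a placeholder.
# Run with: sh audit-encryption.sh --run ultihash
set -eu

# Volume IDs behind all bound PVCs in the namespace; the EBS CSI driver records
# the EBS volume ID in the PersistentVolume's spec.csi.volumeHandle.
pvc_volume_ids() {
  ns="$1"
  kubectl get pvc -n "$ns" \
    -o jsonpath='{range .items[?(@.status.phase=="Bound")]}{.spec.volumeName}{"\n"}{end}' |
  while read -r pv; do
    [ -n "$pv" ] || continue
    kubectl get pv "$pv" -o jsonpath='{.spec.csi.volumeHandle}{"\n"}'
  done
}

# One "VolumeId Encrypted KmsKeyId" row per volume, tab-separated.
describe_encryption() {
  aws ec2 describe-volumes --volume-ids "$@" \
    --query 'Volumes[].[VolumeId,Encrypted,KmsKeyId]' --output text
}

# Pure part (works offline on rows fed via stdin): print a verdict per volume
# and return 1 if any volume is not encrypted. In the CLI's text output,
# KmsKeyId reads "None" for an unencrypted volume.
report_unencrypted() {
  bad=0
  while read -r vol enc kms; do
    [ -n "$vol" ] || continue
    if [ "$enc" = "True" ]; then
      echo "ok          $vol  $kms"
    else
      echo "UNENCRYPTED $vol"
      bad=1
    fi
  done
  return "$bad"
}

main() {
  ns="$1"
  ids=$(pvc_volume_ids "$ns")
  [ -n "$ids" ] || { echo "no bound PVCs in namespace $ns" >&2; exit 2; }
  # shellcheck disable=SC2086  # word-splitting the ID list is intended
  describe_encryption $ids | report_unencrypted
}

if [ "${1:-}" = "--run" ]; then
  main "${2:-ultihash}"
fi
```

The KMS key column is printed on purpose: a volume can be encrypted with the AWS-managed key when the storage class was meant to pin a customer-managed `kmsKeyId`, and that mismatch is only visible from the EC2 side.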
