How to Secure Zabbix Data Transfer with PSK and TLS Encryption
This guide explains why Zabbix data transmission in mixed‑cloud environments requires encryption, describes the TLS/PSK and certificate‑based security options supported since Zabbix 3.0, outlines their limitations, lists compatible encryption libraries, and provides step‑by‑step configuration commands for both GnuTLS and OpenSSL.
Authentication Overview
Because the devices operate in a hybrid cloud, much of the monitoring data crosses the public network, which greatly increases the risk; PSK authentication is therefore used for data transfer: the proxy collects agent data and sends it to the server, and only the proxy‑to‑server channel is encrypted.
Since version 3.0, Zabbix supports TLS 1.2 encryption between server, proxy, agent, zabbix_sender and zabbix_get, offering both certificate‑based PSA and pre‑shared key PSK encryption.
Encryption is optional for each component; the Zabbix proxy‑to‑server link can use either certificate or PSK encryption.
The Zabbix daemon listens on a port for both encrypted and unencrypted incoming connections, so enabling encryption does not require opening new firewall ports.
Encryption Limitations
During startup, private keys are stored in plain‑text files readable by Zabbix components.
PSK identities are entered in the Zabbix frontend and stored in the database as plain text.
Built‑in encryption does not protect communication between the web server and user browsers, between the frontend and server, or between the server (or proxy) and the database.
Each encrypted connection performs a full TLS handshake; session caching and tickets are not implemented.
Encryption adds latency depending on network delay (e.g., a 100 ms packet delay adds roughly 200 ms for a TCP handshake and up to 1000 ms for TLS setup).
Timeouts may need to be increased; otherwise some remote scripts or operations on proxies may fail.
Network discovery does not support encryption; checks performed by the Zabbix proxy will fail if the proxy rejects unencrypted connections.
Encryption Methods
Zabbix supports two encryption methods:
Certificate‑based PSA encryption (commonly used with Zabbix proxy).
Pre‑shared key PSK encryption (commonly used with Zabbix agent).
Supported Encryption Libraries
Zabbix supports four encryption libraries, each with different capabilities:
GnuTLS: Requires version ≥ 3.1.18; supports both PSA and PSK.
OpenSSL: Supports versions 1.0.1, 1.0.2c, 1.1.0; version 1.1.1 works only with Zabbix 3.0.23, 3.4.15, 4.0.1. PSK support may lack full confidentiality in older versions.
LibreSSL: A fork of OpenSSL after the Heartbleed bug; does not support PSK, only certificate‑based encryption; supported from LibreSSL 2.7.4 onward.
mbed TLS: Formerly PolarSSL; supports versions 1.3.9; does not support mbed TLS 2.x; supports both PSA and PSK.
To compile Zabbix with a specific library, add the corresponding --with-gnutls, --with-openssl, --with-mbedtls options.
Encryption Parameters
TLSConnect (in server/proxy/agent config) can be unencrypted, psk, or cert; used by proxies/agents in active mode when connecting to the server.
TLSAccept (in server/proxy/agent config) can be unencrypted, psk, or cert; used by proxies/agents in passive mode for incoming connections.
If a proxy or agent is set to PSA certificate encryption, it must operate in active mode to submit data to the server.
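A checker for the TLSConnect/TLSAccept rules just described, added here as an example and not part of the original article: it reads a zabbix_proxy.conf or zabbix_agentd.conf, rejects values other than unencrypted, psk and cert, and, for whichever mode is selected, confirms that the companion parameters are present (TLSPSKFile and TLSPSKIdentity for psk; TLSCAFile, TLSCertFile and TLSKeyFile for cert) and that the PSK file exists with mode 0600. The parameter names are Zabbix's own; the function names are ours. Whether a certificate‑based proxy is really running in active mode cannot be read from the file and is not checked.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the TLS parameters in a
# Zabbix proxy or agent configuration file before restarting the daemon. Parameter
# names are real Zabbix options; conf_get and check_tls_conf are our own helpers.
set -eu

# Read the active (uncommented) value of a parameter; the last definition wins.
conf_get() {
    conf=$1; key=$2
    sed -n "s/^[[:space:]]*$key=//p" "$conf" | tail -n 1
}

# Return 0 if the TLS settings in $1 are consistent; otherwise print each problem
# and return 1.
check_tls_conf() {
    conf=$1; rc=0
    connect=$(conf_get "$conf" TLSConnect); accept=$(conf_get "$conf" TLSAccept)
    # TLSConnect holds a single value; TLSAccept may be a comma-separated list.
    for v in ${connect:-unencrypted}; do
        case $v in unencrypted|psk|cert) ;; *) echo "TLSConnect: invalid value '$v'"; rc=1 ;; esac
    done
    for v in $(printf '%s' "${accept:-unencrypted}" | tr ',' ' '); do
        case $v in unencrypted|psk|cert) ;; *) echo "TLSAccept: invalid value '$v'"; rc=1 ;; esac
    done
    modes="$connect,$accept"
    case $modes in
        *psk*)
            pskfile=$(conf_get "$conf" TLSPSKFile); pskid=$(conf_get "$conf" TLSPSKIdentity)
            [ -n "$pskfile" ] || { echo "psk selected but TLSPSKFile is not set"; rc=1; }
            [ -n "$pskid" ] || { echo "psk selected but TLSPSKIdentity is not set"; rc=1; }
            if [ -n "$pskfile" ]; then
                [ -r "$pskfile" ] || { echo "TLSPSKFile $pskfile is missing or unreadable"; rc=1; }
                # The secret must not be readable by other local users.
                [ -f "$pskfile" ] && [ "$(ls -ld "$pskfile" | cut -c1-10)" = "-rw-------" ] \
                    || { echo "TLSPSKFile $pskfile should be mode 0600"; rc=1; }
            fi ;;
    esac
    case $modes in
        *cert*)
            for p in TLSCAFile TLSCertFile TLSKeyFile; do
                [ -n "$(conf_get "$conf" "$p")" ] || { echo "cert selected but $p is not set"; rc=1; }
            done ;;
    esac
    return $rc
}

# Usage (uncomment on a real host):
# check_tls_conf /usr/local/zabbix/etc/zabbix_proxy.conf && echo "TLS settings look consistent"
```

Run it before every restart; a psk mode with a missing or world‑readable PSK file is the usual reason the proxy comes up but the server reports a TLS handshake failure.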
Cipher Suites
Cipher suites are internally configured during Zabbix startup based on the selected encryption library and are not user‑configurable.
Cipher suite order (high to low):
Cipher suites using certificates:
Cipher suites using PSK:
Using PSK Encryption
Four encryption libraries can be used for PSK; the guide focuses on GnuTLS and OpenSSL. Each PSK consists of a non‑secret identity string and a secret hexadecimal key.
Example PSK identity: Proxy PSK ID 001 Zabbix (must not contain sensitive data).
Example PSK value: e560cb0d918d26d31b4f642181f5f570ad89a390931102e5391d08327ba434e9
The Zabbix web interface allows PSK identities up to 128 characters and keys up to 2048 bits; users must ensure components support these lengths.
GnuTLS‑based PSK Encryption
1) Install GnuTLS (version ≥ 3.1.18):
yum install gnutls.x86_64 gnutls-devel.x86_64 gnutls-dane.x86_64 gnutls-utils.x86_64 -y
gnutls-cli --version   # confirm the installed GnuTLS is at least 3.1.18
2) Compile Zabbix proxy with GnuTLS:
./configure --prefix=/usr/local/zabbix \
--enable-proxy \
--enable-agent \
--enable-ipv6 \
--enable-java \
--with-sqlite3 \
--with-net-snmp \
--with-libcurl \
--with-libxml2 \
--with-zlib \
--with-libevent \
--with-libpcre \
--with-iconv \
--with-openipmi \
--with-gnutls \
--with-ssh2
3) Generate a PSK and set permissions:
psktool -u psk_identity -p database.psk -s 32   # generate a 32-byte PSK into database.psk
echo '5a504503a51fb29bfea62e4576808dd4258c5f8cd03928c90a04704464bbbbd8' > /usr/local/zabbix/etc/zabbix_agentd.conf.d/zabbix_agentd.psk   # write the hex key to the PSK file
chown -Rf zabbix /usr/local/zabbix/etc/zabbix_proxy.conf.d/zabbix_proxy.psk   # the Zabbix user must be able to read it
chmod 600 /usr/local/zabbix/etc/zabbix_proxy.conf.d/zabbix_proxy.psk   # nobody else may
4) Edit the proxy configuration:
vim /usr/local/zabbix/etc/zabbix_proxy.conf
TLSConnect=psk # specify encryption for active mode
TLSPSKFile=/usr/local/zabbix/etc/zabbix_proxy.conf.d/zabbix_proxy.psk
TLSPSKIdentity=xxxxxxx # custom PSK name
5) In the Zabbix web UI, select the proxy, choose the encryption method, and fill in the PSK information.
6) Configure the agent with the same PSK settings (except via the web UI).
OpenSSL‑based PSK Encryption
Key differences from GnuTLS are in the compile options and key generation.
1) Compile Zabbix with OpenSSL:
./configure --prefix=/usr/local/zabbix \
--enable-proxy \
--enable-agent \
--enable-ipv6 \
--enable-java \
--with-sqlite3 \
--with-net-snmp \
--with-libcurl \
--with-libxml2 \
--with-zlib \
--with-libevent \
--with-libpcre \
--with-iconv \
--with-openipmi \
--with-openssl=\
--with-ssh2
2) Generate a 32‑byte key using OpenSSL:
openssl rand -hex 32
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
After obtaining the key, the configuration steps are identical to the GnuTLS case.
Certificate‑Based PSA Encryption
Certificate encryption is more complex and requires obtaining a CA certificate, signing certificates, and keys; refer to the official Zabbix documentation for details.
Zabbix Certificate Encryption Documentation
MaGe Linux Operations