Making Container and Kubernetes Decryption in the Cloud Possible

    by Nubeva 04 September 2019


    tl;dr: Strong, end-to-end encryption is a top recommendation for securing applications across public, private and hybrid cloud infrastructures. Now, Nubeva's TLS Decrypt solution delivers out-of-band, decrypted visibility in the cloud. Using breakthrough Symmetric Key Intercept technology, you can maximize encryption and security AND have the visibility you need into these workloads.


    Today, September 4, we announced TLS 1.3 decryption support for container and Kubernetes workloads. This breakthrough decryption technology delivers decrypted visibility into packets moving between containers and Kubernetes clusters, as well as to and from them. It is the only 100% out-of-band solution that serves as an easy overlay option and requires no code changes, library modifications or changes to architecture or operations. With our patent-pending symmetric key intercept approach, we eliminate the "either/or" conundrum of security or visibility.

    When or how would you want to decrypt traffic from your container or Kubernetes workloads? Great question. 

    There are many use cases, including these examples: 

    1. Threat Hunting: Encrypted packet traffic can hide security threats such as malware, phishing attempts, data exfiltration and internal data leaks. With a majority of traffic now encrypted, the data may be secure, but security teams lose the visibility needed to monitor indicators of compromise, threats and active attacks. Decryption allows deep packet and payload inspection for threat hunters and their tools.
    2. Incident Response: Should an incident occur, the ability to access broad and pervasive (and preferably historical) decrypted traffic enables incident responders to perform deep forensic analysis.
    3. Compliance: Certain industries, such as banking and healthcare, face compliance standards that require deep packet inspection, which is not possible without a decryption solution. This results in organizations delaying cloud adoption or suffering the consequences.
    4. Application and Network DevOps: While security teams benefit from decrypted visibility in the cloud, so does the DevOps team. Decrypted traffic enables rapid troubleshooting, debugging and support of applications or services, giving a quick, complete and timely view of what is going wrong.

    Here’s how your IT team benefits when using TLS 1.3 Decrypt in your public, private or hybrid cloud environments:

    • Deploy in any container environment. Nubeva’s solution operates independently of container management systems and can be deployed in any Linux container environment – pure Docker environments, Kubernetes, Amazon EKS, Azure AKS, and Google Cloud GKE.
    • Get visibility into packets from clusters, nodes, pods and microservices running in Kubernetes. Nubeva TLS 1.3 Decrypt works within any environment, including workloads that run for a week or for mere milliseconds, with no modifications to the cloud architecture.
    • Compatible with modern and legacy TLS protocol versions and ciphers: TLS 1.3, 1.2, 1.1 and 1.0; all Diffie-Hellman variants (DH, ECDH, ECDHE) and Perfect Forward Secrecy (PFS); pinned certificates; AES, AES-GCM and ChaCha20-Poly1305.
    • Supports TLS client and server sessions. Covers sessions from clients to the workload as well as sessions from the workload to other services: cloud platform services such as API calls and PaaS, and third-party and external services that support and are part of the application architecture.
    • Discovers and extracts symmetric keys for all containers and pods running on an instance or node. Nubeva’s Key Discovery Agent decouples workloads from key extraction functions, minimizes the load on the instance, and reduces deployment and maintenance overhead.
    • Delivers extreme performance. Operates with negligible CPU and memory overhead. The key extraction agent consumes ~1% of a single CPU core for all the workloads on a node, with a few megabytes of memory.
    • Supports any packet capture and broker system. In the cloud, Nubeva works with AWS VPC traffic mirroring and Azure vTAP. In private and hybrid clouds, the solution works with any tap, SPAN, mirror or network packet broker system. It also works with tcpdump and PCAP files, as well as mass storage of PCAPs that need selective or bulk decryption.
    • Supports Windows Schannel, a variety of Linux flavors, and public, private and hybrid cloud environments.
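The bullets above describe an out-of-band model: packets arrive from a mirror, tap or PCAP store, and the symmetric session keys arrive separately from an agent on the node. The PFS bullet is the reason that split is necessary: with ephemeral Diffie-Hellman key exchange, holding the server's private key does not recover session keys, so a passive decryptor must be fed the per-session secrets themselves and match them to the right capture. The example below, added here and not Nubeva's code (the page does not describe how their agent obtains keys), shows that join using the NSS key log format that Wireshark and tshark consume: it indexes exported secrets by Client Random, pulls the Client Random from a ClientHello record, and reports whether a session's key material is complete. All key lines, secrets and packet bytes are constructed samples.

```python
"""Added illustration: joining exported TLS session secrets to captured packets.

Secret lines use the NSS key log format (CLIENT_RANDOM for TLS 1.2;
per-direction, per-phase labels for TLS 1.3). Every key line and packet
byte below is a constructed sample, not real key material.
"""
from collections import defaultdict
from typing import Dict, Optional

TLS12_LABEL = "CLIENT_RANDOM"
# TLS 1.3 keeps separate handshake and application secrets per direction; a
# decryptor needs at least both application-traffic secrets to read payloads.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def parse_keylog(text: str) -> Dict[str, Dict[str, bytes]]:
    """Index key-log lines by Client Random (64 hex chars, lower-cased).

    Malformed lines are skipped rather than fatal: an agent streaming keys
    can emit a partial line while a handshake is still in flight.
    """
    index: Dict[str, Dict[str, bytes]] = defaultdict(dict)
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, client_random, secret_hex = parts
        if len(client_random) != 64:          # 32-byte random as hex
            continue
        try:
            secret = bytes.fromhex(secret_hex)
        except ValueError:
            continue
        index[client_random.lower()][label] = secret
    return dict(index)


def client_random_from_client_hello(record: bytes) -> Optional[str]:
    """Extract the Client Random from a TLS record carrying a ClientHello.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte legacy
    version, then the 32-byte random. Returns hex, or None if the record
    is not a ClientHello.
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43].hex()


def secrets_for_session(index: Dict[str, Dict[str, bytes]],
                        client_random: str) -> Optional[dict]:
    """Return what a decryptor needs for one session, or None when the key
    material is missing or incomplete (agent missed the session, or the
    handshake was still in progress when the log was read)."""
    entry = index.get(client_random.lower())
    if not entry:
        return None
    if TLS12_LABEL in entry:
        return {"version": "TLS 1.2", "master_secret": entry[TLS12_LABEL]}
    if TLS13_APP_LABELS.issubset(entry):
        return {"version": "TLS 1.3",
                "secrets": {k: entry[k] for k in sorted(entry)}}
    return None


def build_sample_client_hello(client_random: bytes) -> bytes:
    """Constructed, truncated ClientHello record: enough to carry the random."""
    body = b"\x03\x03" + client_random + b"\x00"   # legacy version, random, empty session id
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed key log: a complete TLS 1.3 session (aa..), a TLS 1.2 session
# (bb..), a TLS 1.3 session caught mid-handshake (cc..), and two junk lines.
SAMPLE_KEYLOG = "\n".join([
    "# key log emitted by a hypothetical key-extraction agent",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'12' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'aa' * 32} {'13' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'aa' * 32} {'14' * 32}",
    f"CLIENT_RANDOM {'bb' * 32} {'21' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'31' * 32}",
    "SERVER_TRAFFIC_SECRET_0 truncated",
    f"CLIENT_RANDOM {'ee' * 32} nothex",
])

if __name__ == "__main__":
    index = parse_keylog(SAMPLE_KEYLOG)
    hello = build_sample_client_hello(bytes.fromhex("aa" * 32))
    cr = client_random_from_client_hello(hello)
    print(cr, secrets_for_session(index, cr))
```

The incomplete-session case (cc..) is the one a monitoring pipeline has to plan for: if the agent's key stream and the packet stream are read at different times, a session can look undecryptable simply because its application-traffic secrets had not been exported yet, so a decryptor should retry rather than mark the flow as opaque.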

    Containers and Kubernetes workloads are the here and now for software and applications in the cloud. Try our TLS 1.3 Decrypt solution for free and unlock visibility into these workloads.

