Nubeva TLS Decrypt Overview

Nubeva TLS Decrypt is the industry's only out-of-band solution for performing decryption at scale that supports TLS 1.3 and all legacy protocols. Nubeva's Symmetric Key Intercept Architecture allows you to decrypt and, therefore, inspect every packet coming in and out of critical workloads or from storage without bottlenecks. With 70% of network traffic being encrypted, Nubeva delivers the ability to restore visibility and enables end-to-end security.

Nubeva TLS Architecture


Industry Challenge


With the introduction of the new encryption standard TLS 1.3, Elliptic-curve Diffie–Hellman (ECDH), Perfect Forward Secrecy (PFS) and pinned certificates, combined with the modern, distributed nature of our cloud application architectures, traditional decryption methods are failing. With the introduction of ephemeral keys, out-of-band monitoring no longer works. Decryption with man-in-the-middle intercepts is not practical to place everywhere. In today’s TLS 1.3 world, organizations are being forced to choose between embracing aggressive encryption for increased security or reducing encryption practices to enable monitoring, which is increasingly difficult with third-party services. Until now...

How Nubeva's Symmetric Key Intercept Works

Nubeva’s TLS Decrypt introduces a new way to decrypt modern encryption protocols, called Symmetric Key Intercept. Our architecture runs in parallel as an overlay solution to your network monitoring practices. Here is how Nubeva TLS Decrypt works:

  1. Discover and extract the final symmetric keys from the certificate after the handshake to rederive the symmetric key.
  2. Decryption occurs on tools of choice for full-time monitoring, on-demand monitoring or point decryption on key servers pending.
  3. Utilize the Nubeva Controller buffer and forward function for scale and resilience.

Nubeva Sensor - Key Discovery

  • Simply deploy our TLS discovery probe on critical workloads in your public or private cloud, including containers and Kubernetes.
  • The sensor discovers the symmetric TLS keys out of memory using AI-based signatures, without application modification and without a man in the middle.
  • The sensor works with any cipher because it works after the handshake.
  • The solution works for any session type: front side, backside, client-side, server-side, to and within containers, etc.
  • Discovers the specific session keys, encrypts them and sends them to the symmetric key database.

Nubeva Decryptor


  • Deploy the Nubeva universal decryption containerized agent on any tool. 
  • Decryptor receives traffic from any packet source, whether Azure VTAPs or Amazon VPC Traffic Mirrors, or pulls from storage.
  • Matches the packet-level traffic with corresponding keys called from the secure database 
  • Outputs the encrypted packet capture and the decrypted traffic on tools of choice 



Nubeva Controller

  • Kubernetes deployment for symmetric key store-and-forward, providing buffering and scaling with optional retention.
  • Apply your assigned identity and access management rules and required security measures.  
  • Discovered TLS symmetric keys are delivered to the key database over encrypted links and are stored in fully encrypted form.
  • The Nubeva Controller awaits an API call for decryption to forward keys.
  • Ask us about our private deployment options 

Why Nubeva?

Key Benefits

Total TLS/SSL Coverage

Supports all TLS encryption ciphers including TLS 1.3 and TLS 1.2 with PFS and ECDH, and supports both TLS client and TLS server side connections.


100% Passive, Overlay Solution

Nubeva requires no app or library changes, has no network or architecture restrictions and has no certificates or PKI requirements.


Born in the Cloud

Nubeva TLS Decrypt is modular, auto-scales and auto-updates. We support restocking and regular workload refreshes without impact.


High Security

Data and keys never leave your environment and the secure database is hosted in your subscription with your IAM rules. Data is never transmitted over the network in clear text form.


Open-Flexible Architecture

Universal solution that works with any packet source or from storage, with any tool, any use case for any cloud including AWS, Azure and Google for public, private and hybrid deployments.


Low Total Cost of Ownership

Nubeva is offered at <1/5th the cost of traditional decryption solutions and it is easy to get started and use, thereby unlocking modern decrypted visibility for everyone, anywhere.


Get Started for Free for a Limited Time

The Nubeva TLS Decryption solution is available as a free trial for a limited time. Create your free account and we'll get you started.
