Zabbix

Securing communication between Zabbix 6.4 server and agents


By default, communication between the Zabbix server and the agents is not encrypted.

Encrypting the data is not complicated and should only take a few minutes.

Creating the encryption key

Log in to the server that is running the Zabbix agent and run the following commands (remember to replace [servername] with your own filename):

openssl rand -hex 256 | sudo tee /etc/zabbix/[servername].psk
sudo chown zabbix:zabbix /etc/zabbix/[servername].psk
sudo chmod 640 /etc/zabbix/[servername].psk

Configure the Zabbix agent

Now that you have an encryption key, you need to tell the agent to encrypt communication.

To do so, edit the /etc/zabbix/zabbix_agent2.conf file and find the TLSConnect and TLSAccept lines. Uncomment these lines and set both to psk.

In the same file, find the TLSPSKIdentity line, uncomment it and add the name of the server the agent is running on. Then find the TLSPSKFile line, uncomment it and add the location of the .psk file you created above.

Finally, run sudo systemctl restart zabbix-agent2 to start using the new settings.
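Before moving on to the server, the agent settings can be checked with a short script. This is an added example, not part of the original post: the function names are its own, and it assumes Zabbix's documented PSK size of 32 to 512 hexadecimal digits and that TLSAccept takes a comma-separated list of modes.

```shell
#!/bin/sh
# Audit the PSK settings of a Zabbix agent 2 config (function names are this example's own).
# Usage: audit_agent_psk /etc/zabbix/zabbix_agent2.conf

# Print the last uncommented value of parameter $2 in config file $1 (empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

audit_agent_psk() {
    conf=$1 rc=0
    connect=$(conf_get "$conf" TLSConnect)
    accept=$(conf_get "$conf" TLSAccept)
    identity=$(conf_get "$conf" TLSPSKIdentity)
    pskfile=$(conf_get "$conf" TLSPSKFile)

    [ "$connect" = psk ] || { echo "TLSConnect is '${connect:-unset}', expected psk"; rc=1; }
    # Any entry besides psk in the TLSAccept list keeps another connection mode open.
    [ "$accept" = psk ] || { echo "TLSAccept is '${accept:-unset}', expected psk only"; rc=1; }
    [ -n "$identity" ] || { echo "TLSPSKIdentity is not set"; rc=1; }
    if [ -z "$pskfile" ] || [ ! -r "$pskfile" ]; then
        echo "TLSPSKFile '${pskfile:-unset}' is missing or unreadable"; return 1
    fi

    key=$(tr -d '\r\n' < "$pskfile")
    case $key in
        ''|*[!0-9a-fA-F]*) echo "PSK file must contain hexadecimal digits only"; rc=1 ;;
    esac
    # Assumed limit: Zabbix accepts 32 to 512 hex digits (128 to 2048 bits).
    len=${#key}
    if [ "$len" -lt 32 ] || [ "$len" -gt 512 ]; then
        echo "PSK is $len hex digits, expected 32 to 512"; rc=1
    fi
    # Any permission bit set for "other" lets every local user read the key.
    case $(ls -lLd "$pskfile") in
        -??????---*) ;;
        *) echo "PSK file is accessible to other users"; rc=1 ;;
    esac
    return $rc
}
```

The function prints one line per problem and returns 0 only when nothing was found, so it can be run before restarting the agent.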

Update the Zabbix server

The final part of the task is to log in to the Zabbix server frontend, select Data collection on the left-hand side, then select Hosts. In the display that appears, click on the host you wish to update and then choose Encryption at the top of the screen.

Change Connections to host to PSK. Under Connections from host, untick No encryption and tick PSK.

The PSK Identity field should contain the same server name you used in the previous step and the PSK field needs to contain the contents of the .psk file you created at the start of this post.

Conclusion

Back in the Hosts screen you should now see that your server is still available and that there are two green PSK boxes under Agent encryption. If this is the case, you have successfully encrypted communications between the Zabbix server and the agent.

If you see red boxes then something has gone wrong. Either repeat the instructions above or hover over the red box to display an error. This error may give you a little more information on what is wrong and how you can resolve the problem.