Traffic encryption

Traffic encryption secures the traffic exchanged between CPE devices over links. For example, you can encrypt traffic that is transmitted over unsecured connections.

The controller automatically generates keys for encrypting and decrypting traffic and sends the keys to CPE devices. Traffic is encrypted on the source CPE device using the encryption key. The destination CPE device decrypts the traffic using the decryption key.

The keys are rotated regularly, so that an intercepted key gives a third party only a limited window in which to encrypt or decrypt the transmitted traffic. You can specify the interval after which the keys are updated on CPE devices using the topology.link.encryption.key.update.interval.minutes controller property.

Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.

If traffic encryption is enabled on a CPE device, all outbound links that involve this CPE device send encrypted traffic, including new links established later. If traffic encryption is disabled on a CPE device, it sends unencrypted traffic. If you disable traffic encryption on a CPE device that had been encrypting its outgoing traffic, the keys that the SD-WAN Controller generated for encrypting and decrypting that traffic are deleted from all related CPE devices.

You can also enable or disable traffic encryption on individual links. For example, you can enable traffic encryption on a CPE device but disable it on a particular link that involves this CPE device. When you enable or disable traffic encryption on a link, configure the link in the opposite direction the same way.
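The rules above (a CPE-level setting that a link-level setting can override, key rotation after the configured interval, key deletion when encryption is disabled, and the requirement that both directions of a link match) can be checked against a small model. The following is an added example written for this page, not Kaspersky SD-WAN code: the CPE names, the link table, the interval value and all class and function names are assumptions; only the controller property name comes from the documentation. It computes the effective setting per directional link, rotates and deletes keys the way the text describes, and reports link pairs whose two directions are configured differently.

```python
"""Constructed model of the encryption policy described on this page.
Not Kaspersky SD-WAN code: CPE names, link table and helper names are assumed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class LinkKey:
    key_id: int
    key: bytes
    issued_at_min: int  # controller clock in minutes when the key was issued


@dataclass
class EncryptionPolicy:
    # Mirrors topology.link.encryption.key.update.interval.minutes (value assumed)
    key_update_interval_min: int = 60
    cpe_enabled: dict = field(default_factory=dict)    # cpe -> bool
    link_override: dict = field(default_factory=dict)  # (src, dst) -> bool
    keys: dict = field(default_factory=dict)           # (src, dst) -> LinkKey
    _next_key_id: int = 1

    def effective(self, src, dst):
        """A link-level setting wins; otherwise the source CPE setting applies."""
        if (src, dst) in self.link_override:
            return self.link_override[(src, dst)]
        return self.cpe_enabled.get(src, False)

    def _issue_key(self, src, dst, now_min):
        k = LinkKey(self._next_key_id, secrets.token_bytes(32), now_min)
        self._next_key_id += 1
        self.keys[(src, dst)] = k
        return k

    def sync_keys(self, links, now_min):
        """Issue keys for encrypted links, rotate expired ones, delete the rest."""
        for src, dst in links:
            if not self.effective(src, dst):
                self.keys.pop((src, dst), None)  # disabling deletes the key
                continue
            k = self.keys.get((src, dst))
            if k is None or now_min - k.issued_at_min >= self.key_update_interval_min:
                self._issue_key(src, dst, now_min)

    def asymmetric_links(self, links):
        """Directional links whose opposite direction is configured differently."""
        link_set = set(links)
        return sorted(
            (src, dst) for src, dst in links
            if (dst, src) in link_set and self.effective(src, dst) != self.effective(dst, src)
        )


def run_demo():
    """Walk through enable, mismatch, fix, rotation and disable; return observations."""
    links = [("cpe-a", "cpe-b"), ("cpe-b", "cpe-a"), ("cpe-a", "cpe-c"), ("cpe-c", "cpe-a")]
    p = EncryptionPolicy(key_update_interval_min=60,
                         cpe_enabled={"cpe-a": True, "cpe-b": True, "cpe-c": False})
    out = {}
    p.sync_keys(links, now_min=0)
    out["keys_after_enable"] = sorted(p.keys)
    out["asymmetric_before_fix"] = p.asymmetric_links(links)   # a->c encrypted, c->a not
    p.link_override[("cpe-a", "cpe-c")] = False                # match the opposite direction
    p.sync_keys(links, now_min=0)
    out["asymmetric_after_fix"] = p.asymmetric_links(links)
    out["keys_after_fix"] = sorted(p.keys)
    ids_before = {l: k.key_id for l, k in p.keys.items()}
    p.sync_keys(links, now_min=59)                             # inside the interval
    out["rotated_at_59"] = {l: k.key_id != ids_before[l] for l, k in p.keys.items()}
    p.sync_keys(links, now_min=60)                             # interval elapsed
    out["rotated_at_60"] = {l: k.key_id != ids_before[l] for l, k in p.keys.items()}
    p.cpe_enabled["cpe-b"] = False                             # disable on one CPE
    p.sync_keys(links, now_min=60)
    out["keys_after_disable_b"] = sorted(p.keys)
    out["asymmetric_after_disable_b"] = p.asymmetric_links(links)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The `asymmetric_links` check is the part worth keeping around: after any change to a CPE-level or link-level setting, an empty result confirms that every link and its opposite-direction counterpart agree, which is the condition the page asks you to maintain by hand.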

In this section

Enabling traffic encryption on a CPE device

Enabling traffic encryption on a link
