Traffic encryption

Traffic encryption is a mechanism for securing traffic exchanged between CPE devices over links. For example, you can encrypt traffic that is transmitted over unsecured links.

The controller automatically generates keys for encrypting and decrypting traffic and sends the keys to CPE devices. Traffic is encrypted on the source CPE device using the encryption key. The destination CPE device decrypts the traffic using the decryption key.

The keys are rotated regularly so that a third party who intercepts a key cannot use it to encrypt or decrypt the transmitted traffic for longer than the key's lifetime. You can specify the interval after which the keys are updated on CPE devices using the topology.link.encryption.key.update.interval.minutes controller property.

Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.

You can enable traffic encryption on a CPE device or on a link. A CPE device with traffic encryption enabled forwards encrypted traffic over all of its links, including links that are established later. When traffic encryption is enabled on a link, the CPE device transmits encrypted traffic over that link. When traffic encryption is disabled, the keys generated by the controller for encrypting and decrypting traffic are deleted from all attached CPE devices. By default, traffic encryption is disabled on CPE devices and links.

For example, you can enable traffic encryption on a CPE device and disable traffic encryption on one of the links of that CPE device. In this case, the CPE device transmits encrypted traffic over all its links, except for the link on which traffic encryption is disabled.

In this section

Enabling traffic encryption on a CPE device

Enabling traffic encryption on a link
