You only distribute the private key to relays, and then only if you want the relays to decrypt client reports; so the relay can bundle multiple reports together, re-encrypt them, and send them to the server in larger batches to reduce workload on the server.
To add some additional context, communications between Clients and Relays are encrypted by default via HTTPS when possible. If you would like, you can enable an additional layer of security we refer to as Message Level Encryption (MLE) which is essentially end-to-end encryption for Client data being sent upstream.
As suggested above, you can simply enable MLE via BESAdmin to enable this feature, and do not need to distribute any keys unless you would like to designate decrypting relays for the purposes of load distribution and scalability.
Aram,
Thank you for your response. Do you have an article on how exactly to enable MLE? Also, would I be able to see in the logs on the client side that encryption is being used for communication?
You should be able to follow the steps outlined in the link you reference above. Ultimately, all you have to do is generate an encryption key, and ensure that the report encryption status is ‘enabled’.
On a Linux server you can encrypt clients by completing the following steps as superuser:
Generate the key:
./besadmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no \
    -outkeypath=<path> -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
Activate the key:
./besadmin.sh -reportencryption -deploynow=yes \
    -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
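The two steps above wrapped in a small POSIX shell script, as an added example that is not from the thread or from BigFix itself: the besadmin.sh flags are the ones quoted in the post, while the environment variable names, the default paths and the dry-run helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from the BigFix product: a wrapper for
# the two besadmin.sh steps above. The besadmin.sh flags are the ones quoted
# in the post; the env var names, the dry-run helper and the default paths
# are assumptions of this example.
set -eu

BESADMIN=${BESADMIN:-/opt/BESServer/bin/besadmin.sh}   # assumed default path
RUNNER=${RUNNER:-}   # set RUNNER=dry_run to print the commands instead of running them

# Dry-run helper: prints the command with the site key password masked, so a
# dry run can be pasted into a ticket or change record without leaking it.
dry_run() {
    printf '%s\n' "$*" | sed 's/-sitePvkPassword=[^ ]*/-sitePvkPassword=***/'
}

# Refuse to proceed when the tool, the site private key or the password is missing.
mle_preflight() {   # $1=pvk path  $2=password
    [ -x "$BESADMIN" ] || { echo "besadmin.sh not executable: $BESADMIN" >&2; return 1; }
    [ -r "$1" ] || { echo "site private key not readable: $1" >&2; return 1; }
    [ -n "$2" ] || { echo "site key password is empty" >&2; return 1; }
}

# Step 1: generate the report encryption key without deploying it yet.
mle_generate() {   # $1=outkeypath  $2=pvk path  $3=password
    $RUNNER "$BESADMIN" -reportencryption -generatekey -privateKeySize=max -deploynow=no \
        -outkeypath="$1" -sitePvkLocation="$2" -sitePvkPassword="$3"
}

# Step 2: activate (deploy) the generated key.
mle_deploy() {     # $1=pvk path  $2=password
    $RUNNER "$BESADMIN" -reportencryption -deploynow=yes \
        -sitePvkLocation="$1" -sitePvkPassword="$2"
}

main() {
    # The password is read from the environment rather than typed on the
    # command line, so it stays out of shell history; besadmin.sh still gets
    # it as an argument, so it is visible in the process list while a step runs.
    pvk=${SITE_PVK:?set SITE_PVK to the path of license.pvk}
    password=${SITE_PVK_PASSWORD:?export SITE_PVK_PASSWORD first}
    outkeypath=${MLE_OUTKEYPATH:-/var/tmp/mle-keys}        # assumed default
    [ -n "$RUNNER" ] || mle_preflight "$pvk" "$password"
    mle_generate "$outkeypath" "$pvk" "$password"
    mle_deploy "$pvk" "$password"
}

# Only act when invoked as "sh mle-enable.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once with `RUNNER=dry_run` to review the exact besadmin.sh invocations (password masked) before running it for real as superuser.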