Data encryption in transit


1. General description

Data encryption in transit is the process of transforming information in such a way that it becomes unintelligible to unauthorized individuals who lack the corresponding keys for decryption. This process is employed to ensure the confidentiality and security of data during transmission.

Key concepts of data encryption in transit:

  • Confidentiality: One of the primary objectives of encryption is to safeguard the confidentiality of data. Encryption renders information incomprehensible to third parties attempting to intercept or view data during its transmission or storage.

  • Protection from unauthorized access: Encryption provides protection against unauthorized access to information since only individuals or systems with the correct keys can decrypt the encrypted data.

  • Data integrity: Another critical aspect of encryption is ensuring data integrity. During data transmission over a network, data may be susceptible to unwanted alterations. The application of encryption helps ensure that data has not been tampered with during transit.

  • Compliance with regulatory requirements: Encryption in transit is a fundamental security requirement of industry standards.

1.1. Encrypting traffic between users and Platform

To establish a secure communication channel and data exchange between users and the Platform, the cryptographic protocol TLS 1.2 is utilized.

All external traffic initially passes through an external load balancer, but the decryption operation (SSL Offload, i.e. TLS termination) occurs within the Platform itself, specifically within the main network component, HAProxy (router). With the SSL Offload approach, cryptographic operations are performed on the Platform's router within the external traffic management subsystem, relieving internal services of this load and enhancing infrastructure performance. This contributes to improved speed, scalability, and security.

More details can be found at External traffic management subsystem.

The Let’s Encrypt certification authority (https://letsencrypt.org/) is used to provide trusted certificates for encrypting traffic within the target environment during Platform deployment.
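The following HAProxy configuration is an added illustration of the termination scheme described above (TLS 1.2 minimum, offload at the router, plaintext to services on the private network); it is not the Platform's own router configuration, and the hostnames, certificate path and backend address are assumed.

```haproxy
# Router (HAProxy) terminating TLS for the Platform. Constructed example:
# hostnames, paths and backend addresses are assumptions, not Platform values.

global
    # Weak setting (left commented out): no version floor, so TLS 1.0/1.1
    # clients would still be accepted.
    # ssl-default-bind-options no-sslv3
    # Corrected setting: refuse anything below TLS 1.2, no session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 suites: forward-secret (ECDHE) and AEAD only
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # TLS 1.3 suites, used when a client offers 1.3 (the floor above still applies)
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# SSL offload point: the external load balancer passes the TCP stream through,
# decryption happens here. The crt file is the Let's Encrypt full chain plus
# the private key concatenated into one PEM (assumed path).
frontend platform_https
    bind :443 ssl crt /etc/haproxy/certs/platform.example.pem alpn h2,http/1.1
    bind :80
    # Force HTTPS and instruct browsers to keep using it
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Tell internal services the original request arrived encrypted
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend platform_services

# Internal services: plain HTTP over the private network, addressed by private
# domain name (assumed name and port).
backend platform_services
    server registry-api registry-api.platform.internal:8080 check
```

Once deployed, `openssl s_client -tls1_1 -connect host:443` should fail the handshake while `-tls1_2` succeeds, which is the quickest way to confirm the floor is in effect.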

1.2. Encryption of traffic within the Platform

The Platform for state registries, specifically the Cross-service communication management subsystem, employs the Service Mesh network pattern, one of whose goals is the encryption of traffic between services. A dedicated component, Citadel, is responsible for dynamic certificate generation, distribution, and validation.

More information about Service Mesh components can be found at Service Mesh: Platform and registry components.

Communication between other internal services occurs over an open (unencrypted) communication channel within a private network, utilizing private domain names.

This functionality is specific to the Ukrainian implementation and may not apply or function as described in other contexts or regions. Please consult the local guidelines or documentation if you are implementing this outside Ukraine.

To interact with external systems such as the Digital identity service (id.gov.ua), Citizen-facing solution services (diia.gov.ua), and the Accredited Certification Authority (ACA), only a secure data transmission channel is used.

To ensure secure data exchange for government registries and other information systems, the system of electronic interaction of state electronic information resources (SEVDEIR) "Trembita" is employed. All messages transmitted through this system are encrypted in accordance with national cryptographic standards.

For more details on the subsystem design, including integration, please refer to the relevant sections: