For Zabbix communication encryption, two types are supported:
- Pre-Shared Key (PSK)
- Certificate-based encryption
The PSK type is very easy to set up but is likely harder to scale. Certificate-based encryption can be more complicated to set up but easier to manage on a larger scale and is potentially more secure.
This encryption is supported between all Zabbix components: server, proxy, agent, and even zabbix_sender and zabbix_get.
For outgoing connections (such as server-to-agent or proxy-to-server), only one type may be used: we must choose between no encryption, PSK, and certificate-based encryption. For incoming connections, multiple types may be accepted. This way, an agent could work with encryption by default for active or passive items from the server, and then work without encryption with zabbix_get for debugging.
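The outgoing/incoming rule above can be checked mechanically. The following is an added example, not part of the original text or of Zabbix itself: a small Python audit of an agent configuration that uses the agent parameter names `TLSConnect` (outgoing), `TLSAccept` (incoming) and the PSK and certificate file parameters. The sample configuration, PSK identity and file path are constructed.

```python
VALID = {"unencrypted", "psk", "cert"}
# Parameters that must be set once a given type is enabled.
REQUIRED = {
    "psk": ("TLSPSKIdentity", "TLSPSKFile"),
    "cert": ("TLSCAFile", "TLSCertFile", "TLSKeyFile"),
}

# Constructed sample: PSK by default, unencrypted still accepted for zabbix_get.
SAMPLE_CONF = """\
Server=192.0.2.10
TLSConnect=psk
TLSAccept=unencrypted,psk
TLSPSKIdentity=example-psk-id
TLSPSKFile=/etc/zabbix/agent.psk
"""

def parse_conf(text):
    """Return {parameter: value} from Zabbix-style 'Key=Value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_tls(text):
    """Return a list of findings about the agent's encryption settings."""
    conf = parse_conf(text)
    findings = []
    # Both parameters default to unencrypted when absent.
    connect = conf.get("TLSConnect", "unencrypted")
    accept = [v.strip() for v in conf.get("TLSAccept", "unencrypted").split(",")]
    # Outgoing connections: exactly one type.
    if connect not in VALID:
        findings.append(f"TLSConnect must name exactly one type, got {connect!r}")
    # Incoming connections: a list of one or more known types.
    for value in accept:
        if value not in VALID:
            findings.append(f"TLSAccept contains unknown type {value!r}")
    # The debugging convenience from the text leaves a plaintext path open.
    if "unencrypted" in accept and (len(accept) > 1 or connect != "unencrypted"):
        findings.append("TLSAccept still allows unencrypted incoming connections")
    used = set(accept) | {connect}
    for kind, params in REQUIRED.items():
        for param in params:
            if kind in used and not conf.get(param):
                findings.append(f"{kind} is enabled but {param} is not set")
    return findings
```

Running `audit_tls(SAMPLE_CONF)` reports only the unencrypted fallback, which is the setting to remove again once debugging with zabbix_get is finished.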