PSK encryption

Let's start with a simple situation: a single new host for which the Zabbix server will accept only PSK-encrypted incoming connections, and to which we'll send some values using zabbix_sender. For that to work, both the Zabbix server and zabbix_sender must be compiled with TLS support. The PSK configuration consists of a PSK identity and a key. The identity is a string that is not considered secret; it is sent in the clear during the TLS handshake, so don't put sensitive information in the identity string. The key is a hexadecimal string and is the actual secret.

Zabbix requires the key to be at least 32 hexadecimal digits (128 bits) long. The maximum in Zabbix is 512 hexadecimal digits, but the limit might depend on the specific version of the TLS backend library you're using.

We could just type the key in manually, but a slightly easier method might be using the openssl command:

$ openssl rand -hex 64

This prints 64 random bytes as 128 hexadecimal digits, a 512-bit key, which we'll use in a moment. Navigate to Configuration | Hosts, click on Create host, and fill in these values:

  • Host name: Encrypted host
  • Groups: Have only Linux servers in the Groups block

Switch to the Encryption tab, and in the Connections from host section, leave only PSK marked. In the PSK identity field, enter secret, and paste the key we generated earlier into the PSK field.

When done, click on the Add button at the bottom. Take a look at the Agent encryption column for this host.

The first block has only one field and currently says NONE. For connections to the agent, only one type could be selected, so this block shows the currently selected type for outgoing connections, from the server's perspective. The second block has three fields. We could choose any combination of acceptable incoming connection types, so this block shows which types of incoming connections, again from the server's perspective, are accepted for this host.

Now, click on Items next to Encrypted host, and click on Create item. Fill in these values:

  • Name: Beers in the fridge
  • Type: Zabbix trapper
  • Key: fridge.beers

Click on the Add button at the bottom. Let's try to send a value now, like we did in Chapter 10, Advanced Item Monitoring:

$ zabbix_sender -z 127.0.0.1 -s "Encrypted host" -k fridge.beers -o 1

That should fail:

info from server: "processed: 0; failed: 1; total: 1; seconds spent: 0.000193"

Notice how the processed count is 0 and the failed count is 1. Let's check the Zabbix server log file:

26868:20181228:165704.100 connection of type "unencrypted" is not allowed for host "Encrypted host"

Now, that's actually quite a helpful message: we didn't specify any encryption for zabbix_sender, but we did require an encrypted connection for our host, so the server rejected the unencrypted connection before accepting any values.

Now is the time to get the PSK working for zabbix_sender. Run it with the --help parameter, and look at the TLS connection options section. There are quite a few of those. Luckily, for PSK encryption, we only need three of them: --tls-connect, --tls-psk-identity, and --tls-psk-file. Before running the command, create a file in the current directory called zabbix_encrypted_host_psk.txt, and paste the hexadecimal key we generated earlier into it.

It's more secure to create an empty file first, change its permissions to 400 or 600, and paste the key into the file afterward; that way, another user won't have a chance to snatch the key from the file while it is still world-readable. Setting umask 077 before creating the file achieves the same thing without the brief window between creation and chmod. If a specific user is supposed to invoke zabbix_sender, make sure to set that user as the owner of the file.

Run zabbix_sender again, but with three additional encryption parameters:

$ zabbix_sender -z 127.0.0.1 -s "Encrypted host" -k fridge.beers -o 1 --tls-connect psk --tls-psk-identity secret --tls-psk-file zabbix_encrypted_host_psk.txt

We set the connection type to psk with the --tls-connect flag and specified the PSK identity and key file now.

Zabbix doesn't support specifying the PSK key on the command line for security reasons; a command line is visible to every local user via ps and /proc, and it may end up in shell history, so the key must be passed in from a file.

This time, the value should be sent successfully:

info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000070"

To be sure, verify that this item now has data in the frontend.
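The whole procedure above (generating a key of the right length, storing it in a file that is readable only by the sending user, and passing it to zabbix_sender via --tls-psk-file) as one script. This is an added example, not code from the book or from the Zabbix project. It reuses the host name, PSK identity, item key and file name from the text; the server address 127.0.0.1 and the helper names are assumptions. It only calls zabbix_sender if the binary is installed, so the key-handling part can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the book: build a Zabbix PSK file safely and use it
# with zabbix_sender. Function names and the server address are assumptions.

# Zabbix limits: the PSK is 32..512 hexadecimal digits (32 digits = 128 bits).
PSK_MIN_HEX=32
PSK_MAX_HEX=512

# Print N random bytes as hex digits. Uses openssl, as in the text, and falls
# back to /dev/urandom + od where openssl is not installed.
gen_psk_hex() {
    nbytes="${1:-64}"   # 64 bytes -> 128 hex digits -> the 512-bit key from the text
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$nbytes"
    else
        od -An -vtx1 -N "$nbytes" /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Return 0 if the key is hex-only and within Zabbix's length limits, 1 otherwise.
validate_psk_hex() {
    key="$1"
    case "$key" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    len=${#key}
    [ "$len" -ge "$PSK_MIN_HEX" ] && [ "$len" -le "$PSK_MAX_HEX" ]
}

# Write the key into $file so that it is mode 0600 from the very first write:
# umask 077 means the file is never group- or world-readable, not even briefly,
# which is the window the "create empty, chmod, then paste" advice guards against.
write_psk_file() {
    file="$1"; key="$2"
    validate_psk_hex "$key" || { echo "refusing to write an invalid PSK" >&2; return 1; }
    ( umask 077 && printf '%s\n' "$key" > "$file" ) || return 1
    chmod 600 "$file"   # in case the file already existed with a wider mode
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Send one value over a PSK-protected connection; flags mirror the command in the text.
send_psk_value() {
    server="$1"; host="$2"; item_key="$3"; value="$4"; identity="$5"; psk_file="$6"
    [ "$(file_mode "$psk_file")" = "600" ] || echo "warning: $psk_file is not mode 600" >&2
    zabbix_sender -z "$server" -s "$host" -k "$item_key" -o "$value" \
        --tls-connect psk --tls-psk-identity "$identity" --tls-psk-file "$psk_file"
}

# Usage from a shell:  . ./psk_send.sh && demo
demo() {
    key=$(gen_psk_hex 64)
    write_psk_file zabbix_encrypted_host_psk.txt "$key" || return 1
    if command -v zabbix_sender >/dev/null 2>&1; then
        send_psk_value 127.0.0.1 "Encrypted host" fridge.beers 1 secret zabbix_encrypted_host_psk.txt
    else
        echo "zabbix_sender not installed; PSK written to zabbix_encrypted_host_psk.txt" >&2
    fi
}
```

The validation step matters in practice: a key pasted with a stray newline, a space, or an odd character is rejected by the server at handshake time, and the only hint is a TLS error in the server log, so checking the file before the first send saves a round of debugging.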
