Padlock icons and "https" pages are now a common sight as you browse the internet. We use the internet daily to send sensitive information, including emails, financial transactions, and other communications.

While Kafka still supports sending such data as plain text, it has evolved with the times and now supports more than just unencrypted credentials.

In this article, we will look at the more secure options available in Aiven for Apache Kafka services:

  • TLS (or SSL)



Transport Layer Security

Transport Layer Security (TLS, also known as SSL, or Secure Sockets Layer) is becoming the standard for internet traffic. This method involves a certificate for your domain that is provided by a Certificate Authority (for example, With this certificate and the right technical setup, you can use to encrypt the traffic to your service.

Aiven sets up TLS encryption by default for all Kafka services and handles the application, renewal, and configuration of certificates.

There are two ways you can use TLS with Kafka:

  1. TLS encryption: Your Kafka client validates the certificate for your Kafka broker.

  2. TLS authentication: Your Kafka client validates the certificate for your Kafka broker and your Kafka broker validates the certificate for your Kafka client.

Simple Authentication and Security Layer

Simple Authentication and Security Layer (SASL) acts as a layer that allows alternative login methods for your service. For example, if you use Active Directory for authentication, SASL supports a Kerberos login method to provide access.

In this article, we will focus on SASL/PLAIN and SASL/SCRAM.


This method is the easiest to enable and uses a combination of username and password to log in over a TLS connection, meaning that your traffic is encrypted. If you use SASL/PLAIN without TLS, anyone can read your credentials when you send them.


SCRAM stands for Salted Challenge Response Authentication Mechanism. It is a mechanism that allows a client to identify itself to a server without sending a plain-text password. A key benefit of this is that it does not reveal the password to servers that do not already have it, for example if a client connects to the wrong server even if that server has a valid TLS certificate.

A brief explanation of this is that it creates a random "salt", which is then used to create an "identity" that holds:

  • The "salt"

  • The number of iterations to use (4096 by default)

  • StoredKey (the hash of the client's key)

  • ServerKey

This identity is then stored in Zookeeper by default.

Enabling different authentication methods in Aiven

  1. Log in to the Aiven web console and select your service.

  2. On the Overview page, scroll down to Advanced configuration.

  3. Switch on kafka.authentication_methods.sasl to enable SASL authentication.

For code examples of how to connect to your Kafka service with different authentication methods, see the following articles:

Did this answer your question?