Microservices Integration: End-to-End Encryption
Secure microservices communication with quantum-resistant encryption in 10 minutes
🚀 Integrate first microservice now
Quick Start: Microservice Encryption
Estimated time: 10 minutes What you'll achieve: Encrypt data passed between microservices Requirements: AnkaSecure SDK, 2 microservices
Step 1/3: Add AnkaSecure SDK (3 minutes)
Maven (Java):
<dependency>
<groupId>com.ankasecure</groupId>
<artifactId>ankasecure-sdk</artifactId>
<version>3.0.0</version>
</dependency>
Configuration (application.yml):
ankasecure:
api-key: ${ANKASECURE_API_KEY}
endpoint: https://api.ankatech.co
algorithm: ML_KEM_1024 # Quantum-resistant default
Step 2/3: Encrypt in sender service (3 minutes)
@Service
public class PaymentService {
@Autowired
private AnkaSecureClient crypto;
@Autowired
private RestTemplate restTemplate;
public void processPayment(PaymentRequest payment) {
// Encrypt sensitive payment data
byte[] encrypted = crypto.encrypt(EncryptRequest.builder()
.algorithm("ML_KEM_1024")
.plaintext(payment.toJson().getBytes())
.build()).getCiphertext();
// Send encrypted data to Notification Service
restTemplate.postForObject(
"https://notification-service/notify",
new EncryptedPayload(encrypted),
Void.class
);
}
}
Step 3/3: Decrypt in receiver service (4 minutes)
@Service
public class NotificationService {
@Autowired
private AnkaSecureClient crypto;
@PostMapping("/notify")
public void sendNotification(@RequestBody EncryptedPayload payload) {
// Decrypt payment data
byte[] plaintext = crypto.decrypt(DecryptRequest.builder()
.ciphertext(payload.getCiphertext())
.build()).getPlaintext();
PaymentRequest payment = PaymentRequest.fromJson(new String(plaintext));
// Send notification (email, SMS, etc.)
emailService.send(payment.getCustomerEmail(), "Payment processed");
}
}
✅ Result: End-to-end encryption between microservices
Security: Even if Notification Service compromised, payment data is quantum-encrypted
🎯 Benefit: Defense-in-depth (TLS for transport + AnkaSecure for data)
What's next? - Per-service keys: Multi-tenant microservices - Performance optimization: Connection pooling - Service mesh: Istio integration
Why Encrypt Between Microservices?
Problem: TLS Alone Is Insufficient
Traditional microservices (TLS only):
Attack scenario: 1. Attacker compromises Service B (SQL injection, RCE) 2. Attacker reads memory (plaintext visible) 3. Sensitive data exposed (payment info, PII)
TLS protection: ❌ Only protects in transit (not at rest in Service B)
With AnkaSecure (TLS + data encryption):
Service A ──> Encrypt data with ML-KEM
──[TLS + Ciphertext]──> Service B
↓
Service B receives CIPHERTEXT
(even if compromised, data is quantum-encrypted)
Attack scenario: 1. Attacker compromises Service B 2. Attacker reads memory (only ciphertext visible) 3. Cannot decrypt without AnkaSecure key (stored separately)
Protection: ✅ End-to-end encryption (defense-in-depth)
Integration Patterns
Pattern 1: Per-Service Key Isolation
Scenario: Payment, User, Notification services (each has own key)
// Payment Service
@Configuration
public class PaymentCryptoConfig {
@Bean
public AnkaSecureClient paymentCrypto() {
return new AnkaSecureClient(apiKey, "payment-service-key");
}
}
// User Service
@Configuration
public class UserCryptoConfig {
@Bean
public AnkaSecureClient userCrypto() {
return new AnkaSecureClient(apiKey, "user-service-key");
}
}
Security: Payment Service CANNOT decrypt User Service data (key isolation)
Pattern 2: Shared Key with RBAC
Scenario: Multiple services share key, access controlled by permissions
# Generate shared key
curl -X POST https://api.ankatech.co/keys \
-d '{"algorithm":"ML_KEM_1024","purpose":"INTER_SERVICE"}'
# Grant permissions
curl -X POST https://api.ankatech.co/keys/shared-key/permissions \
-d '{
"serviceA": ["ENCRYPT", "DECRYPT"],
"serviceB": ["DECRYPT"], # Read-only
"serviceC": ["ENCRYPT"] # Write-only
}'
Benefit: Fine-grained access control (least privilege)
Pattern 3: Service Mesh Integration (Istio)
Scenario: Istio service mesh + AnkaSecure data encryption
Architecture:
Pod A Pod B
├─ App Container ├─ App Container
├─ Envoy Sidecar ├─ Envoy Sidecar
│ (mTLS transport) │ (mTLS transport)
└─ AnkaSecure Sidecar └─ AnkaSecure Sidecar
(data encryption) (data decryption)
Double protection: Istio mTLS (transport) + AnkaSecure ML-KEM (data)
EnvoyFilter (encrypt outbound):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ankasecure-encrypt
spec:
workloadSelector:
labels:
app: payment-service
configPatches:
- applyTo: HTTP_FILTER
patch:
operation: INSERT_BEFORE
value:
name: ankasecure.encryption
typed_config:
"@type": type.googleapis.com/ankasecure.EncryptionConfig
algorithm: ML_KEM_1024
Use Cases
Payment Processing Microservices
Services: Payment API → Fraud Detection → Transaction DB
// Payment API (encrypts sensitive data)
@PostMapping("/payments")
public ResponseEntity<String> createPayment(@RequestBody PaymentRequest req) {
// Encrypt PAN (Primary Account Number)
byte[] encryptedPAN = crypto.encrypt(EncryptRequest.builder()
.algorithm("ML_KEM_1024")
.plaintext(req.getPan().getBytes())
.build()).getCiphertext();
// Send to Fraud Detection (encrypted)
fraudService.analyze(new EncryptedPayment(encryptedPAN, req.getAmount()));
return ResponseEntity.ok("Payment processing");
}
// Fraud Detection Service (analyzes WITHOUT decrypting PAN)
@Service
public class FraudDetectionService {
public FraudScore analyze(EncryptedPayment payment) {
// Analyze based on amount, patterns (PAN stays encrypted!)
if (payment.getAmount() > 10000) {
return FraudScore.HIGH_RISK;
}
// PAN never decrypted (fraud detection doesn't need it)
}
}
// Transaction DB Service (stores encrypted only)
@Service
public class TransactionRepository {
public void save(EncryptedPayment payment) {
// Store ciphertext in database
db.insert("INSERT INTO payments (pan_encrypted) VALUES (?)",
payment.getEncryptedPAN());
// PAN never in plaintext in database!
}
}
Security: PAN encrypted end-to-end (Payment API → Fraud → DB)
Compliance: PCI DSS compliant (PAN never in plaintext)
User Service Data Isolation
Services: User Service, Analytics Service, Audit Service
Challenge: Analytics needs aggregates (NOT individual user data)
Solution: Encrypt user PII, analytics works on ciphertext metadata
// User Service (encrypts PII)
public void createUser(User user) {
UserRecord record = new UserRecord();
record.setId(user.getId());
// Encrypt PII
record.setEncryptedPII(crypto.encrypt(user.getPII()));
// Plaintext metadata (for analytics)
record.setCountry(user.getCountry());
record.setSignupDate(user.getSignupDate());
database.save(record);
}
// Analytics Service (analyzes metadata only)
public UserStats getStats() {
// Queries COUNT, country, signupDate (NOT PII)
return db.query("SELECT country, COUNT(*) FROM users GROUP BY country");
// PII stays encrypted (Analytics never decrypts)
}
Security: Analytics Service CANNOT access PII (even if compromised)
Performance Optimization
Connection Pooling
Problem: Creating new HTTPS connection per encryption (slow)
Solution: Reuse connections
@Configuration
public class AnkaSecureCon fig {
@Bean
public AnkaSecureClient client() {
return AnkaSecureClient.builder()
.apiKey(token)
.connectionPoolSize(50) // Reuse up to 50 connections
.keepAliveTimeout(Duration.ofMinutes(5))
.build();
}
}
Performance improvement: 7× faster (8ms → 1.5ms by eliminating TLS handshake)
Caching
Problem: Re-encrypting same data repeatedly (wasteful)
Solution: Cache ciphertexts
@Service
public class CachingEncryptionService {
@Cacheable(value = "ciphertexts", key = "#plaintext")
public byte[] encrypt(String plaintext) {
return crypto.encrypt(EncryptRequest.builder()
.algorithm("ML_KEM_1024")
.plaintext(plaintext.getBytes())
.build()).getCiphertext();
}
}
Performance: 100× faster for cache hits (0.1ms vs 7ms)
Trade-off: Memory usage (cache size)
What's Next?
Integrate with your microservices: - 🚀 Sidecar quick start (15-minute setup) - 📥 Download Spring Boot example (complete working app) - 📥 Download sidecar image (Docker Hub) - 📧 Request architecture review (free consultation)
Related patterns: - Kubernetes integration - Pod deployment - AWS S3 integration - Cloud storage - Performance optimization - Throughput tuning
Have questions? Email [email protected]
Last updated: 2026-01-07 | Works with Spring Boot, Node.js, Go, Python microservices