Securing communications
Marc Alzieu (Junior Member, Jan 2017, 9 posts)

    #1

    Securing communications

    Hi everybody,

    I have a Zabbix host 3.2.3 which will monitor hosts across the internet.
    I use autodiscover.
    Agents are active agents.
    I don't use standard ports.

    I cannot install certificates on hosts but I can install one on the server.
    I want to secure communications and authentication as far as possible.

    How can I configure server and hosts to achieve this goal?

    thx!
andris (Zabbix developer, Feb 2012, 228 posts)

    #2
    Originally posted by Marc Alzieu
    Hi everybody,

    I have a Zabbix host 3.2.3 which will monitor hosts across the internet.
    I use autodiscover.
    Agents are active agents.
    I don't use standard ports.
    You mean host autoregistration?
    Currently Zabbix does not support host autoregistration via encrypted connections.
    Encryption can be configured for hosts already registered in Zabbix.
    There is a feature request https://support.zabbix.com/browse/ZBXNEXT-3497 .

    I cannot install certificates on hosts but I can install one on the server.
    I want to secure communications and authentication as far as possible.
    For certificate-based encryption, having a certificate only on the Zabbix server is not enough.
    The server will request the agent certificate, so you need one.


  Marc Alzieu (Junior Member, Jan 2017, 9 posts)

      #3
      Thx for the quick and complete reply!!!

      So if I want to achieve what I need:
      I need to use PSK.
      But I cannot configure the PSK before the autoregistration.
      So I need a script to configure the PSK on the agent after the autoregistration.
      But in that case I'm subject to a kind of "spam"....

      Is it right?

      Other question, if I am right: the PSK is not encrypted in the agent configuration file. So everybody who has physical access to the host can copy the host PSK and usurp it, which is not so good.......
      Am I right?

      So what is the better way to secure across the internet with the least possible and most automated configuration on the agent side?

      Marc


    andris (Zabbix developer, Feb 2012, 228 posts)

        #4
        So if I want to achieve what I need:
        I need to use PSK.
        But I cannot configure the PSK before the autoregistration.
        So I need a script to configure the PSK on the agent after the autoregistration.
        But in that case I'm subject to a kind of "spam"....
        When encryption support was added to Zabbix it was decided to trust only explicitly configured encryption on both ends - on the host and on the server/proxy.
        So, unknown hosts cannot come and register with their certificates/PSKs. That is why encrypted autoregistration was left out. Later it turned out to be a limitation for some users.
        While autoregistration uses an unencrypted connection, you can restrict who can successfully register a host - see the HostMetadata or HostMetadataItem parameters in zabbix_agentd.conf.

        Other question, if I am right: the PSK is not encrypted in the agent configuration file. So everybody who has physical access to the host can copy the host PSK and usurp it, which is not so good.......
        Am I right?
        The PSK itself is not in zabbix_agentd.conf. It is the TLSPSKFile parameter that specifies the file where the unencrypted PSK is kept.
        Here you can be creative - put the PSK file on an encrypted volume, on an in-memory file system, etc.
        Also, Zabbix server "knows" which PSK identity and PSK value is associated with which host - you can use a unique PSK identity and value for each host and Zabbix server will check the PSK match on every connection (ok, not 100% protection if the connection comes from the valid host IP address).

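Putting the advice from post #4 into practice, here is an added provisioning script (not from the thread and not Zabbix's own tooling): it generates a unique PSK per host, keeps it outside zabbix_agentd.conf in the file named by TLSPSKFile with owner-only permissions, and emits an active-agent configuration fragment whose HostMetadata value the server's autoregistration action can match on. The server address, port, hostname and metadata token are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-host PSK provisioning for a Zabbix active agent.
# Assumes a POSIX shell with /dev/urandom, od and tr available.
set -eu

# Generate a 256-bit PSK as 64 hex characters (Zabbix needs at least 32 hex digits).
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Store the PSK in its own file, readable only by the account the agent runs as.
write_psk_file() {  # $1 = path, $2 = psk
    umask 077
    printf '%s\n' "$2" > "$1"
    chmod 600 "$1"
}

# Configuration fragment for an active-only agent on a non-standard port.
# HostMetadata carries a shared registration token: the registration connection
# itself is unencrypted, so the autoregistration action on the server should
# only accept hosts presenting this value. TLSPSKIdentity is unique per host,
# matching the identity/value pair stored for that host on the server.
agent_conf() {  # $1 = hostname, $2 = psk file path, $3 = registration token
    cat <<EOF
ServerActive=zabbix.example.com:10151
StartAgents=0
Hostname=$1
HostMetadata=$3
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=psk-$1
TLSPSKFile=$2
EOF
}

# Example run: writes the PSK file and prints the config fragment to stdout.
main() {
    host="web01.example.com"                 # constructed placeholder
    psk_file="/tmp/zabbix_${host}.psk"      # on a real host use /etc/zabbix/
    write_psk_file "$psk_file" "$(gen_psk)"
    agent_conf "$host" "$psk_file" "reg-token-CHANGEME"
}

case "${1:-}" in provision) main ;; esac
```

Run as `sh provision.sh provision` and drop the printed fragment into the agent's include directory; the server-side host entry must use the same PSK identity and hex value.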

      Marc Alzieu (Junior Member, Jan 2017, 9 posts)

          #5
          thx for your response.

          But since the Windows agent doesn't support TLS, I will secure this another way.

          thx


        andris (Zabbix developer, Feb 2012, 228 posts)

            #6
            Originally posted by Marc Alzieu
            But since the Windows agent doesn't support TLS, I will secure this another way.
            The Windows agent does support TLS when compiled with a crypto library.
            See https://support.zabbix.com/browse/ZBXNEXT-3047 - there are even some precompiled unofficial binaries.


          Marc Alzieu (Junior Member, Jan 2017, 9 posts)

              #7
              thx for the response.

              I saw this discussion (and tested a deployment) but the need to manually install nssm and DLLs on the hosts is blocking what I want to achieve.

              I will use Zabbix TLS support as soon as a new version supports it more easily on Windows hosts!!! It's a very great feature!


            Marc Alzieu (Junior Member, Jan 2017, 9 posts)

                #8
                Just to be more clear about the reason for me to wait: I need an as standard and as simple as possible deployment on the Windows host side.
                The server side is less of a problem for me.

                For now I will use a more DIY system ;-) like a non-standard port... ;-)

                Does somebody have another idea to hide and secure data transmission (a VPN is too complex to configure on the host side)?
