 All right, so yeah, hi, I'm Vihang. I'm one of the engineers at Pixie and I'm here to sort of talk to you about a new feature we just, we recently added to Pixie. However, before we get into some of the very nitty gritty details about end to end encryption, I want to start by quickly doing a recap of the data model and how your data is collected and stored in Pixie. So this is like a very high level rough architecture of what, how your data flows through Pixie. So data collected by Pixie, what the work that the Stirling team is doing, all of that data is stored just locally in your cluster. Our script execution framework also runs within your own cluster. So the data processing itself is also happening within the cluster itself. So when the Pixie client, let's say you're running the UI as Omit should, or maybe you're using a Pixie CLI or something like that. When the client needs some data to render, what happens is the client spends the script to the cluster and then all of the data processing is done in the cluster and then the script results are sent back to the client. So in one of the models, what happens is that the client will directly connect to the cluster to fetch the process data. So this is what we call direct mode and this is what we are indicating on the right side of the graph you're seeing. In this situation, you know, your client is directly fetching the result data from the cluster. A disadvantage of direct mode that we had to address here at Pixie when we're testing our own product and also we have noticed elsewhere is that in this scenario, your clusters might actually be behind some firewalls and then now you have to like punch some holes in these firewalls for all of the Pixie clients to be able to access these clusters and get the script results from. So to address that challenge and simplify sort of the firewall configuration, we built a way for the Pixie cloud to proxy the script results. This is what we call pass through mode and so this pass through mode is a convenience method where Pixie cloud is just proxying the data between the cluster and the clients. The data isn't persisted anywhere in the cloud. It's just a proxy for the data. And then just a quick reminder like Pixie cloud itself is also open source. So when we open source Pixie, it's not just the Vazir parts of Pixie but also cloud. So folks in the community can run Pixie cloud themselves. And so in pass through mode, it would still be flowing through an instance of Pixie cloud that is controlled by you. No matter which of these two data transfer modes you use, all of these connections do still use TLS. So the data is always point to point encrypted in transit. However, even in this scenario, it is still possible that you might want to use Pixie cloud for the convenience, but you might be running a Pixie cloud instance in an environment you don't fully trust. So we really wanted to address that scenario where you're using pass through mode with Pixie cloud, you like that convenience, but you still want to sort of protect your data in transit. So to address that, we decided to work on end-to-end encryption. So end-to-end encryption will provide an additional layer of security where the data itself gets encrypted at the Pixie Vazir and will stay encrypted during transit and only the client will decrypt the data. So we can dive into some of the details behind how we implemented this end-to-end encryption. So thankfully there is an IETF proposed standard for data encryption. It's called a JOSC or I don't know what the pronunciation is, I didn't see any guidelines for it, but basically this was a new standard that was proposed for encryption of JavaScript data. Even though this is not a completely accepted internet standard yet, it's just a proposed standard, there's already client libraries in many different languages. So we were able to use the cryptography API which is supported by all major browsers to do this on the client side when you're using the UI and then for the CLI, which we've written in Golang, we use JWX and then Golang and Python APIs use JWX and Oslo respectively. So basically you can get end-to-end encryption no matter which of the Pixie clients you're using. And then let's walk through like an example of how end-to-end encryption would work from the UI. So what happens is before we can make any requests to Vizier for data, the browser first has to generate a key pair. So as I mentioned earlier, we use the web crypto API for this that all major browsers support. And the first thing that the browser does is generates a key pair. This key pair is then, the public key from this key pair is then sent to Viziers on every request to run a script. So anytime you want to get script results, the UI, the browser will send this public key along with the rest of the request to the Viziers. As before, all of the data processing is done in Vizier side. However, now there's an additional step before Vizier responds with the data. The Vizier will use this public key and encrypt the table data before sending any response out. And now the response that Vizier responds with on a successful script execution will be encrypted with this public key. And this encrypted table data then is sent back to the client either through Pixie Cloud if you're using pass through mode or directly if you're using a direct mode connection. And then the browser which generated the key pair to begin with has access to the private key off the key pair which is still controlled by the browser. It wasn't sent to anyone else. And so the browser can use the private key to decrypt the results and render the UI and so on and so forth. So yeah, a reminder that the private key will never leave the browser. In fact, the private key is scoped to the session storage on the browser. So the same user using Pixie on different computers and different browsers will have different key pairs and these private keys will be local to their browser session storage. As far as the CLI and the APIs go, they behave the same way. You just replace the browser with either a Go-based binary or the Go or Python API clients that are equal and instead of using the web crypto API they will use the libraries in Go and Python, the crypto libraries there. So that's sort of a very quick view on how into an encryption words. And this basically now gives you this additional guarantee that if you're using pass-through mode your data is still encrypted even when it's proxying through Pixie Cloud. And that sort of gives you the freedom of having full guarantee that no one can sort of look at this data in the cloud no matter what environment Pixie Cloud's running in.