# Securing Kafka
## Encryption
Kafka in Condense supports Transport Layer Security (TLS), a protocol for encrypted communication.
Communication is always encrypted between Kafka components.
## Authentication
Kafka listeners use authentication to ensure a secure client connection to the Kafka cluster. Clients can also be configured for mutual authentication. Security credentials are created and managed by the Cluster and User Operator.
### **Supported authentication mechanisms**
* mTLS authentication (on listeners with TLS-enabled encryption)
* SASL SCRAM-SHA-512
* OAuth 2.0 token based authentication
* Custom authentication (supported by Kafka)
## Authorization
Authorization controls the operations that are permitted on Kafka brokers by specific clients or users.
### **Supported authorization mechanisms**
* Simple authorization using ACL rules
* OAuth 2.0 authorization (if you are using OAuth 2.0 token-based authentication)
* Open Policy Agent (OPA) authorization
* Custom authorization (supported by Kafka)
## **Federal Information Processing Standards (FIPS)**
Kafka in Condense can run on FIPS-enabled Kubernetes clusters to ensure data security and system interoperability if the native Kubernetes service of the cloud provider supports it.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.zeliot.in/condense/fully-managed-kafka/securing-kafka.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.