We are planning to install Navigator Encrypt in our cluster to encrypt Kafka data, and as part of this we would like to know if it is mandatory to set up TLS. We would also like to know the performance impact Navigator Encrypt has on Kafka, whether Navigator Encrypt has any logs to look at in case of any issue, and whether it can be managed by Cloudera Manager.
Setting up TLS is highly recommended. The key exchange between the KeyTrustee server and the Nav Encrypt client is encrypted with PGP on the wire, but it should still be encapsulated with TLS. See this doc.
The AES-NI based encrypt/decrypt should all be done in the HW and have minimal performance impact.
You want to make sure that:
HW has AES enabled; this is the default these days
You have plenty of entropy available in the kernel. See this doc.
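
A host check for the two conditions listed in the answer above, as an added example that is not part of the original thread or of Cloudera's tooling. The function names and the 500 entropy threshold are assumptions; the file paths are the standard Linux `/proc` locations and can be overridden to run against saved copies.

```shell
#!/bin/sh
# Added example: pre-install checks for AES CPU support and kernel entropy.
# Function names and MIN_ENTROPY are assumptions, not Navigator Encrypt settings.

# Return 0 if a CPU flags line lists "aes" as a whole word
# ("vaes" alone must not count). x86 uses "flags", ARM uses "Features".
has_aes_flag() {
    cpuinfo=${1:-/proc/cpuinfo}
    awk -F: '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$cpuinfo" 2>/dev/null
}

# Print the kernel's available-entropy estimate. Return 0 if it is at or
# above the threshold, 1 if below, 2 if the value is unreadable or not a number.
MIN_ENTROPY=${MIN_ENTROPY:-500}   # assumed threshold, tune for your hosts
entropy_ok() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-$MIN_ENTROPY}
    val=$(cat "$file" 2>/dev/null) || return 2
    case $val in ''|*[!0-9]*) return 2 ;; esac
    echo "$val"
    [ "$val" -ge "$min" ]
}

# Summarize both checks; always returns 0 so it is safe in provisioning scripts.
host_report() {
    if has_aes_flag "$1"; then
        echo "AES CPU flag: present"
    else
        echo "AES CPU flag: MISSING"
    fi
    if e=$(entropy_ok "$2" "$3"); then
        echo "entropy_avail: $e (ok)"
    else
        echo "entropy_avail: ${e:-unreadable} (below threshold or unreadable)"
    fi
}

host_report
```

Run it on each node that will host encrypted Kafka log directories, and sample the entropy value several times under load rather than once.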