System and method for programmable network based encryption in software defined networks
Abstract:
Sensitive data is sent through insecure network regions across different software defined networks (SDNs) over an encrypted path, without requiring encryption applications at the source or destination hosts. One or more special-purpose encryptors are strategically placed within each SDN; each can act as an encryptor or a decryptor of both the data packet content and the header. Using the controller and a special encryption service application, the encrypted IP packets are forwarded from an encryptor closest to the source towards a decryptor closest to the destination, utilizing a tagging method. Each encryptor has a static and globally unique tag. Each controller advertises its encryptor information to the other controllers: the IP of the encryptor, the IP block of the users the encryptor is responsible for, and the unique encryptor tag(s). Each forwarder along the flow path is instructed by its respective controller how to forward packets towards the destination according to the tag.
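The control-plane logic the abstract describes, sketched as an added example (not code from the patent): a controller holds the advertised encryptor records, picks the encryptor and decryptor for a flow, and forwarders match on the tag alone. All names, addresses, tags and ports are constructed; treating the most specific user block as the responsible encryptor, using the decryptor's tag as the forwarding tag, and refusing flows with no covering encryptor are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class EncryptorAd:
    """One advertisement a controller sends to its peers (fields per the abstract)."""
    encryptor_ip: str   # IP of the encryptor
    user_block: str     # IP block of the users it is responsible for
    tag: int            # static, globally unique encryptor tag

# Constructed sample advertisements (documentation address ranges, made-up tags).
ADS = [
    EncryptorAd("192.0.2.10", "10.1.0.0/16", 101),
    EncryptorAd("192.0.2.20", "10.1.5.0/24", 102),
    EncryptorAd("198.51.100.10", "10.2.0.0/16", 201),
]

def responsible_encryptor(host_ip, ads):
    """Return the ad whose user block covers host_ip; most specific block wins (assumption)."""
    addr = ipaddress.ip_address(host_ip)
    matches = [a for a in ads if addr in ipaddress.ip_network(a.user_block)]
    if not matches:
        return None
    return max(matches, key=lambda a: ipaddress.ip_network(a.user_block).prefixlen)

def plan_flow(src_ip, dst_ip, ads):
    """Pick the encryptor for the source and the decryptor (and its tag) for the destination."""
    if len({a.tag for a in ads}) != len(ads):
        raise ValueError("duplicate encryptor tag in advertisements")
    enc = responsible_encryptor(src_ip, ads)
    dec = responsible_encryptor(dst_ip, ads)
    if enc is None or dec is None:
        # Assumption: fail closed rather than forward the flow unencrypted.
        raise LookupError("no advertised encryptor covers one endpoint")
    # Assumption: packets carry the decryptor's tag so forwarders can steer towards it.
    return {"encrypt_at": enc.encryptor_ip, "decrypt_at": dec.encryptor_ip, "tag": dec.tag}

# Per-forwarder rules a controller would install: tag -> output port (constructed).
FORWARDER_RULES = {"fwd-a": {201: 3, 101: 1}, "fwd-b": {201: 2}}

def next_port(forwarder, tag, rules=FORWARDER_RULES):
    """Forwarders match on the tag only; the original header is encrypted."""
    try:
        return rules[forwarder][tag]
    except KeyError:
        return None  # no rule for this tag: drop rather than guess
```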