
Field level encryption with external storage

Let's demonstrate field level encryption

Review the docker compose environment

As can be seen from docker-compose.yaml the demo environment consists of the following services:

  • gateway1
  • gateway2
  • kafka-client
  • kafka1
  • kafka2
  • kafka3
  • schema-registry
  • zookeeper
cat docker-compose.yaml

Starting the docker environment

Start all the docker services in the background and wait until they are running and healthy:

  • --wait: Wait for services to be running|healthy. Implies detached mode.
  • --detach: Detached mode: Run containers in the background
docker compose up --detach --wait

Creating virtual cluster teamA

Creating virtual cluster teamA on gateway gateway1, then writing and reviewing the client configuration file used to access it (the service-account token returned by the admin API is embedded in that file):

# Generate virtual cluster teamA with service account sa
token=$(curl \
--request POST "http://localhost:8888/admin/vclusters/v1/vcluster/teamA/username/sa" \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data-raw '{"lifeTimeSeconds": 7776000}' | jq -r ".token")

# Create access file
cat > teamA-sa.properties <<EOF
bootstrap.servers=localhost:6969
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username='sa' password='$token';
EOF

# Review file
cat teamA-sa.properties

Creating topic customers on teamA

Creating on teamA:

  • Topic customers with partitions:1 and replication-factor:1
kafka-topics \
--bootstrap-server localhost:6969 \
--command-config teamA-sa.properties \
--replication-factor 1 \
--partitions 1 \
--create --if-not-exists \
--topic customers

Adding interceptor encrypt

We want to encrypt only two fields (password and visa), using an in-memory KMS. With externalStorage set to true, the field configuration is stored in the _encryptionConfig topic of the backing cluster, which we inspect in a later step.

Creating the interceptor named encrypt of the plugin io.conduktor.gateway.interceptor.EncryptPlugin using the following payload

{
  "pluginClass" : "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority" : 100,
  "config" : {
    "externalStorage" : true,
    "fields" : [ {
      "fieldName" : "password",
      "keySecretId" : "password-secret",
      "algorithm" : {
        "type" : "AES_GCM",
        "kms" : "IN_MEMORY"
      }
    }, {
      "fieldName" : "visa",
      "keySecretId" : "visa-secret",
      "algorithm" : {
        "type" : "AES_GCM",
        "kms" : "IN_MEMORY"
      }
    } ]
  }
}

Here's how to send it:

curl \
--request POST "http://localhost:8888/admin/interceptors/v1/vcluster/teamA/interceptor/encrypt" \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data @step-07-encrypt.json | jq

Listing interceptors for teamA

Listing interceptors on gateway1 for virtual cluster teamA

curl \
--request GET 'http://localhost:8888/admin/interceptors/v1/vcluster/teamA' \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent | jq

Let's verify there's a single entry in _encryptionConfig

Let's verify there's a single entry in _encryptionConfig in cluster kafka1

kafka-console-consumer \
--bootstrap-server localhost:19092,localhost:19093,localhost:19094 \
--topic _encryptionConfig \
--from-beginning \
--timeout-ms 10000 | jq

returns

Processed a total of 1 messages
[
  {
    "keySecretId": "password-secret",
    "algorithm": {
      "type": "AES_GCM",
      "kms": "IN_MEMORY"
    },
    "fieldName": "password"
  },
  {
    "keySecretId": "visa-secret",
    "algorithm": {
      "type": "AES_GCM",
      "kms": "IN_MEMORY"
    },
    "fieldName": "visa"
  }
]

Let's send unencrypted JSON

We are using the regular Kafka tools, pointed at the gateway (localhost:6969) with the teamA-sa.properties credentials.

Sending 2 events

{
  "name" : "tom",
  "username" : "tom@conduktor.io",
  "password" : "motorhead",
  "visa" : "#abc123",
  "address" : "Chancery lane, London"
}
{
  "name" : "laura",
  "username" : "laura@conduktor.io",
  "password" : "kitesurf",
  "visa" : "#888999XZ;",
  "address" : "Dubai, UAE"
}

with

echo '{"name":"tom","username":"tom@conduktor.io","password":"motorhead","visa":"#abc123","address":"Chancery lane, London"}' | \
kafka-console-producer \
--bootstrap-server localhost:6969 \
--producer.config teamA-sa.properties \
--topic customers

echo '{"name":"laura","username":"laura@conduktor.io","password":"kitesurf","visa":"#888999XZ;","address":"Dubai, UAE"}' | \
kafka-console-producer \
--bootstrap-server localhost:6969 \
--producer.config teamA-sa.properties \
--topic customers

Let's consume the messages and confirm that tom's and laura's data is encrypted

Consuming from teamA through the gateway before any decrypt interceptor is installed still returns the stored ciphertext for the two protected fields:

kafka-console-consumer \
--bootstrap-server localhost:6969 \
--consumer.config teamA-sa.properties \
--topic customers \
--from-beginning \
--timeout-ms 10000 | jq

returns

Processed a total of 2 messages
{
  "name": "tom",
  "username": "tom@conduktor.io",
  "password": "AAAABQAAAAEAAAAzAYYsbXCwetf8wTasBgBslrbvxJqw5TrgtTgFDxY4djJBQtqC8gnk4L2xaoVc44sIGtAv5TpOoj2mrzTCifDIyMs3jwxKWWzmaG4TQQ/WqaNv3VL6lxPUV0kZTheTNFQ=",
  "visa": "AAAABQAAAAEAAAAzARfG1Fa4n2v0w0NsfhSQXyxzb+ZMeuZuXtZDWpBioLsBUcLCuXkiWJUFmP4QwRhKTVyGAxhiMeFUpivPc60LSrWuOdJm+FtDOP1lUR184tdCPrtc6247L83ruKlR",
  "address": "Chancery lane, London"
}
{
  "name": "laura",
  "username": "laura@conduktor.io",
  "password": "AAAABQAAAAEAAAAzAYYsbXCwetf8wTasBgBslrbvxJqw5TrgtTgFDxY4djJBQtqC8gnk4L2xaoVc44sIGtAv/89SHEoU+0eBgHxzSTdFDdgheAJIJjNpCv/2Ob8tnqSE/abZ8cAHJpSLkg==",
  "visa": "AAAABQAAAAEAAAAzARfG1Fa4n2v0w0NsfhSQXyxzb+ZMeuZuXtZDWpBioLsBUcLCuXkiWJUFmP4QwRhKTVyGDXkXV0Z+OJHeUO2Iv52g3jaXjbr4mJG+ffAcQbTIeD6pXH0s/m5ndOXUWf2W",
  "address": "Dubai, UAE"
}
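To make the encrypt interceptor's configuration concrete, here is an added Go model of field-level AES-GCM encryption driven by the same fields / keySecretId shape. It is example code written for this page, not Conduktor Gateway's implementation; InMemoryKMS, randBytes, transform, EncryptFields and DecryptFields are this example's own names, and TomRecord is the first event sent above, reused as sample input. Only the configured fields are touched (name, username and address pass through, exactly as in the consumed output above); each protected value becomes base64(nonce || ciphertext || tag) under a fresh random nonce, and the field name is bound in as GCM associated data, a design choice here that makes a ciphertext moved between fields fail to decrypt. The gateway's own value layout is not reproduced: in the output above both password values share a long common prefix, as do both visa values, with only the tails differing, and this model does not mimic that.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// FieldRule is one entry of the interceptor's "fields" list on the page: the JSON
// field to protect and the key, looked up by keySecretId, to protect it with.
type FieldRule struct {
	FieldName   string `json:"fieldName"`
	KeySecretID string `json:"keySecretId"`
}

// TomRecord is the first event produced on the page (constructed sample input).
const TomRecord = `{"name":"tom","username":"tom@conduktor.io","password":"motorhead","visa":"#abc123","address":"Chancery lane, London"}`

// InMemoryKMS stands in for the demo's IN_MEMORY kms (keySecretId -> AES-256 key);
// it is this example's assumption, not the gateway's own key store.
type InMemoryKMS map[string][]byte

// randBytes draws key and nonce material from the OS CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe key or nonce; do not continue
	}
	return b
}

// aead returns an AES-GCM instance for the key behind keySecretId.
func (k InMemoryKMS) aead(id string) (cipher.AEAD, error) {
	key, ok := k[id]
	if !ok {
		return nil, fmt.Errorf("unknown keySecretId %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// transform applies f to each configured field present in the record and leaves
// every other field untouched, which is what "field level" means here.
func transform(doc []byte, rules []FieldRule, f func(FieldRule, any) (any, error)) ([]byte, error) {
	var rec map[string]any
	if err := json.Unmarshal(doc, &rec); err != nil {
		return nil, err
	}
	for _, r := range rules {
		if v, present := rec[r.FieldName]; present {
			out, err := f(r, v)
			if err != nil {
				return nil, fmt.Errorf("field %s: %w", r.FieldName, err)
			}
			rec[r.FieldName] = out
		}
	}
	return json.Marshal(rec)
}

// EncryptFields stores each protected value as base64(nonce || ciphertext || tag);
// the field name is the GCM associated data, so a ciphertext copied into another
// field fails to authenticate on decrypt (this example's design choice).
func EncryptFields(kms InMemoryKMS, rules []FieldRule, doc []byte) ([]byte, error) {
	return transform(doc, rules, func(r FieldRule, v any) (any, error) {
		g, err := kms.aead(r.KeySecretID)
		if err != nil {
			return nil, err
		}
		plain, _ := json.Marshal(v) // keeps the JSON type across the round trip
		nonce := randBytes(g.NonceSize())
		return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, plain, []byte(r.FieldName))), nil
	})
}

// DecryptFields reverses EncryptFields; a tampered or misplaced ciphertext fails
// the tag check and the whole record is rejected rather than partly decoded.
func DecryptFields(kms InMemoryKMS, rules []FieldRule, doc []byte) ([]byte, error) {
	return transform(doc, rules, func(r FieldRule, v any) (any, error) {
		enc, _ := v.(string)
		ct, err := base64.StdEncoding.DecodeString(enc)
		g, kerr := kms.aead(r.KeySecretID)
		if err != nil || kerr != nil || len(ct) < g.NonceSize() {
			return nil, fmt.Errorf("unusable key or ciphertext")
		}
		n := g.NonceSize()
		plain, err := g.Open(nil, ct[:n], ct[n:], []byte(r.FieldName))
		if err != nil {
			return nil, err
		}
		var out any
		err = json.Unmarshal(plain, &out)
		return out, err
	})
}
```

Build the key store as InMemoryKMS{"password-secret": randBytes(32), "visa-secret": randBytes(32)} and call EncryptFields(kms, rules, []byte(TomRecord)). Because the keys live only in this process, a second key store cannot open what the first sealed; that is why an in-memory KMS suits a demo, while anything durable needs a persistent key store such as the Vault kmsConfig the decrypt step below points at.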

Adding interceptor decrypt

Let's add the decrypt interceptor to decipher messages

Creating the interceptor named decrypt of the plugin io.conduktor.gateway.interceptor.DecryptPlugin using the following payload

{
  "pluginClass" : "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority" : 100,
  "config" : {
    "topic" : "customers",
    "kmsConfig" : {
      "vault" : {
        "uri" : "http://vault:8200",
        "token" : "vault-plaintext-root-token",
        "version" : 1
      }
    }
  }
}

Here's how to send it:

curl \
--request POST "http://localhost:8888/admin/interceptors/v1/vcluster/teamA/interceptor/decrypt" \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data @step-12-decrypt.json | jq

Listing interceptors for teamA

Listing interceptors on gateway1 for virtual cluster teamA

curl \
--request GET 'http://localhost:8888/admin/interceptors/v1/vcluster/teamA' \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent | jq

Confirm that the messages from tom and laura are decrypted

With the decrypt interceptor in place, consuming from teamA through the gateway now returns the plaintext values:

kafka-console-consumer \
--bootstrap-server localhost:6969 \
--consumer.config teamA-sa.properties \
--topic customers \
--from-beginning \
--timeout-ms 10000 | jq

returns

Processed a total of 2 messages
{
  "name": "tom",
  "username": "tom@conduktor.io",
  "password": "motorhead",
  "visa": "#abc123",
  "address": "Chancery lane, London"
}
{
  "name": "laura",
  "username": "laura@conduktor.io",
  "password": "kitesurf",
  "visa": "#888999XZ;",
  "address": "Dubai, UAE"
}

Read the underlying kafka data to reveal the magic

Read the underlying kafka data to reveal the magic in cluster kafka1

kafka-console-consumer \
--bootstrap-server localhost:19092,localhost:19093,localhost:19094 \
--topic teamAcustomers \
--from-beginning \
--timeout-ms 10000 \
--property print.headers=true | jq

returns

jq: parse error: Invalid numeric literal at line 1, column 18
Processed a total of 2 messages

The jq error is expected: with print.headers=true, kafka-console-consumer prints each record's headers, then a tab, then the value, so the line no longer starts with JSON and jq rejects it. Rerun without the pipe to jq (or without the print.headers property) to see the stored values: the password and visa values are stored encrypted on kafka1 and are only decrypted for clients that read through the gateway with the decrypt interceptor in place.
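Added example, not part of the page: a Go parser for the print.headers=true line layout that produced the jq error above (headers, a tab, then the value; NO_HEADERS when the record carries none), followed by the check worth running on whatever is read straight from the backing cluster: which protected fields are still equal to the plaintext that was produced. StoredRecord, ParseConsumerLine, ExposedFields, Produced, SampleLines and Audit are this example's names; the sample lines are constructed rather than captured, the x-origin header is hypothetical, and the ciphertexts are shortened stand-ins for the values shown earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// StoredRecord is one line of kafka-console-consumer output with
// print.headers=true, split into the record headers and the JSON value.
type StoredRecord struct {
	Headers map[string]string
	Value   map[string]any
}

// ParseConsumerLine splits "k1:v1,k2:v2<TAB>{json}" (or "NO_HEADERS<TAB>{json}")
// into headers and value. It assumes the consumer's default header separator,
// a tab, and header values that contain no ',' or ':' (this example's assumption).
func ParseConsumerLine(line string) (StoredRecord, error) {
	rec := StoredRecord{Headers: map[string]string{}}
	hdrs, val, found := strings.Cut(line, "\t")
	if !found {
		return rec, fmt.Errorf("no header/value separator in line")
	}
	if hdrs != "NO_HEADERS" {
		for _, kv := range strings.Split(hdrs, ",") {
			k, v, _ := strings.Cut(kv, ":")
			rec.Headers[k] = v
		}
	}
	if err := json.Unmarshal([]byte(val), &rec.Value); err != nil {
		return rec, fmt.Errorf("value is not JSON: %w", err)
	}
	return rec, nil
}

// ExposedFields lists, sorted, the protected fields whose stored value still
// equals the plaintext that was produced: what a direct reader of the backing
// cluster sees in clear. A protected field missing from the record is not reported.
func ExposedFields(rec StoredRecord, produced map[string]string) []string {
	exposed := []string{}
	for field, plain := range produced {
		if v, ok := rec.Value[field].(string); ok && v == plain {
			exposed = append(exposed, field)
		}
	}
	sort.Strings(exposed)
	return exposed
}

// Produced holds the protected values as sent on the page, keyed by record name.
var Produced = map[string]map[string]string{
	"tom":   {"password": "motorhead", "visa": "#abc123"},
	"laura": {"password": "kitesurf", "visa": "#888999XZ;"},
}

// SampleLines are constructed consumer lines, not captured output: the first
// mimics a record stored through the gateway (header name hypothetical,
// ciphertexts shortened), the second a record written to the backing cluster
// without passing through the encrypt interceptor.
var SampleLines = []string{
	"x-origin:gateway1\t" + `{"name":"tom","password":"AAAABQAAAAEAAAAzAYYs...","visa":"AAAABQAAAAEAAAAzARfG...","address":"Chancery lane, London"}`,
	"NO_HEADERS\t" + `{"name":"laura","password":"kitesurf","visa":"#888999XZ;","address":"Dubai, UAE"}`,
}

// Audit parses every line and reports the exposed protected fields per record
// name; a non-empty list is the finding a defender wants surfaced.
func Audit(lines []string) (map[string][]string, error) {
	report := map[string][]string{}
	for _, line := range lines {
		rec, err := ParseConsumerLine(line)
		if err != nil {
			return nil, err
		}
		name, _ := rec.Value["name"].(string)
		report[name] = ExposedFields(rec, Produced[name])
	}
	return report, nil
}
```

Audit(SampleLines) returns an empty list for tom and [password visa] for laura, the latter being the record that reached kafka1 without the encrypt interceptor; a malformed line (no tab, or a value that is not JSON) is reported as an error rather than silently skipped, so a gap in the audit is never mistaken for a clean result.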

Tearing down the docker environment

Remove all your docker processes and associated volumes

  • --volumes: Remove named volumes declared in the "volumes" section of the Compose file and anonymous volumes attached to containers.
docker compose down --volumes

Conclusion

Yes, encryption in the Kafka world can be simple!