Overview
This feature is available with Conduktor Shield only.
Encryption examples
Schema based encryption examples
- Fields containing specific information (keySecretId, algorithm, tags match) will be encrypted.
  - A field is encrypted with its associated keySecretId and algorithm; if either is missing, the associated default from the Interceptor configuration is used instead.
  - A field is encrypted with defaultSecret and defaultAlgorithm when its tags contain an element that is in the Interceptor configuration.
conduktor.):
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Customer",
  "type": "object",
  "properties": {
    "name": { "type": "string" },
    "username": { "type": "string" },
    "password": { "type": "string", "conduktor.keySecretId": "vault-kms://vault:8200/transit/keys/password-secret", "conduktor.algorithm": "AES128_GCM"},
    "visa": { "type": "string", "conduktor.keySecretId": "vault-kms://vault:8200/transit/keys/password-visa"},
    "address": {
      "type": "object",
      "properties": {
        "location": { "type": "string", "conduktor.tags": ["MY_TAG", "PII", "GDPR", "MY_OTHER_TAG"]},
        "town": { "type": "string" },
        "country": { "type": "string" }
      }
    }
  }
}
- password would be encrypted with the associated keySecretId, algorithm etc.
- visa would be encrypted with the associated keySecretId and the default algorithm provided in the Interceptor configuration.
- location would be encrypted with defaultSecret, defaultAlgorithm because its tags include PII, which is in the Interceptor configuration.
- Fields containing no specific information (keySecretId, algorithm, tags without match) are left untouched.
conduktor.):
{
  "type": "record",
  "name": "User",
  "fields": [
    {"name": "name", "type": "string", "conduktor.algorithm": "AES128_GCM"},
    {"name": "age", "type": "int", "conduktor.keySecretId": "vault-kms://vault:8200/transit/keys/age-secret"},
    {"name": "email", "type": "string"},
    {
      "name": "address",
      "type": {
        "type": "record",
        "name": "AddressRecord",
        "fields": [
          {"name": "street", "type": "string", "conduktor.keySecretId": "vault-kms://vault:8200/transit/keys/street-secret"},
          {"name": "city", "type": "string", "conduktor.keySecretId": "vault-kms://vault:8200/transit/keys/city-secret", "conduktor.algorithm": "AES128_GCM"}
        ]
      }
    },
    {"name": "hobbies", "type": {"type": "array", "items": "string"}},
    {
      "name": "friends",
      "type": {
        "type": "array",
        "items": {
          "type": "record",
          "name": "Friend",
          "fields": [
            {"name": "name", "type": "string", "conduktor.tags": ["MY_TAG", "PII", "GDPR", "MY_OTHER_TAG"]},
            {"name": "age", "type": "int"}
          ]
        }
      }
    }
  ]
}
conduktor.):
In Protobuf, since we are using the Confluent schema registry, we use (confluent.field_meta).params (of type map<string, string>) for field options. Here's how it can be defined:
  syntax = "proto3";

  // Defines the (confluent.field_meta) field option used below.
  import "confluent/meta.proto";

  option java_package = "schema.protobuf";
  option java_outer_classname = "User";
  
  message Student {
    string name = 1 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/name-secret", conduktor.algorithm: "AES128_GCM"}];
    int32 age = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/age-secret"}];
    string email = 3 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/email-secret"}];
    Address address = 4;
    repeated string hobbies = 5;
    repeated Friend friends = 6;
  
    message Address {
      string street = 1 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/street-secret", conduktor.algorithm: "AES128_GCM"}];
      string city = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/city-secret"}];
    }
  
    message Friend {
      string name = 1 [(confluent.field_meta).params = {conduktor.tags: "[\"PII\", \"MY_TAG\"]"}];
      int32 age = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "vault-kms://vault:8200/transit/keys/friend-age-secret"}];
    }
  }
Simple encrypt on produce
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptionPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "recordValue": {
      "fields": [
        {
          "fieldName": "password",
          "keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
          "algorithm": "AES128_GCM"
        }
      ]
    }
  }
}'
Field level encryption on produce
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      },
      "azure": {
        "tokenCredential": {
          "clientId": "azure_client_id",
          "tenantId": "azure_tenant_id",
          "clientSecret": "azure_client_secret"
        }
      }
    },
    "recordValue": {
      "fields": [
        {
          "fieldName": "password",
          "keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "visa",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "education.account.username",
          "keySecretId": "azure-kms://https://my-key-vault.vault.azure.net/keys/conduktor-gateway/4ceb7a4d1f3e4738b23bea870ae8745d",
          "algorithm": "AES128_GCM"
        }
      ]
    }
  }
}'
Field-level encryption on produce with secured template
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "version": 1,
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValue": {
      "fields": [
        {
          "fieldName": "password",
          "keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "visa",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "education.account.username",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
          "algorithm": "AES128_GCM"
        }
      ]
    }
  }
}'
Schema-based field level encryption on produce
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "mySchemaBasedEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptSchemaBasedPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "version": 1,
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "defaultKeySecretId": "vault-kms://vault:8200/transit/keys/myDefaultKeySecret",
    "defaultAlgorithm": "AES128_EAX",
    "tags": ["PII", "ENCRYPTION"],
    "namespace": "conduktor."
  }
}'
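The resolution rules for schema-based encryption, worked through for the Customer JSON Schema from this page and the Interceptor configuration in the request above. This is an added example, not Conduktor's implementation: resolve_plan and cleartext_fields are hypothetical names, and walking an unannotated nested object field by field is an assumption.

```python
# Interceptor settings copied from the EncryptSchemaBasedPlugin request above.
INTERCEPTOR = {
    "defaultKeySecretId": "vault-kms://vault:8200/transit/keys/myDefaultKeySecret",
    "defaultAlgorithm": "AES128_EAX",
    "tags": ["PII", "ENCRYPTION"],
    "namespace": "conduktor.",
}

# Customer JSON Schema from this page, re-typed compactly (same annotations).
K = "vault-kms://vault:8200/transit/keys/"
CUSTOMER_SCHEMA = {"type": "object", "properties": {
    "name": {"type": "string"},
    "username": {"type": "string"},
    "password": {"type": "string", "conduktor.keySecretId": K + "password-secret",
                 "conduktor.algorithm": "AES128_GCM"},
    "visa": {"type": "string", "conduktor.keySecretId": K + "password-visa"},
    "address": {"type": "object", "properties": {
        "location": {"type": "string",
                     "conduktor.tags": ["MY_TAG", "PII", "GDPR", "MY_OTHER_TAG"]},
        "town": {"type": "string"}, "country": {"type": "string"}}},
}}


def resolve_plan(schema, cfg, prefix=""):
    """Map dotted field path -> (keySecretId, algorithm) for fields to encrypt."""
    ns, plan = cfg["namespace"], {}
    for name, spec in schema.get("properties", {}).items():
        path = prefix + name
        key, algo = spec.get(ns + "keySecretId"), spec.get(ns + "algorithm")
        tagged = bool(set(spec.get(ns + "tags", [])) & set(cfg["tags"]))
        if key or algo or tagged:
            # Whatever the field leaves out falls back to the Interceptor defaults.
            plan[path] = (key or cfg["defaultKeySecretId"],
                          algo or cfg["defaultAlgorithm"])
        elif spec.get("type") == "object":
            # Assumption: an unannotated object is walked field by field.
            plan.update(resolve_plan(spec, cfg, path + "."))
    return plan


def cleartext_fields(schema, plan, prefix=""):
    """Leaf fields no rule selects; these stay readable on the topic."""
    out = []
    for name, spec in schema.get("properties", {}).items():
        path = prefix + name
        if path in plan:
            continue
        if spec.get("type") == "object":
            out += cleartext_fields(spec, plan, path + ".")
        else:
            out.append(path)
    return out


if __name__ == "__main__":
    plan = resolve_plan(CUSTOMER_SCHEMA, INTERCEPTOR)
    for path, (key, algo) in plan.items():
        print(f"encrypt {path}: {algo} via {key}")
    print("cleartext:", cleartext_fields(CUSTOMER_SCHEMA, plan))
```

Reviewing the cleartext list before deploying the Interceptor is a quick way to catch a sensitive field whose tag does not match the configured tags.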
Full message level encryption on produce
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValue": {
      "payload": {
        "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
        "algorithm": "AES128_GCM"
      }
    }
  }
}'
Full message level encryption on produce with secured template
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValue": {
      "payload": {
        "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
        "algorithm": "AES128_GCM"
      }
    }
  }
}'
Encryption on consume
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "http://vault:8200",
        "token": "vault-plaintext-root-token",
        "version": 1
      }
    },
    "recordValue": {
      "fields": [
        {
          "fieldName": "password",
          "keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "visa",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "education.account.username",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
          "algorithm": "AES128_GCM"
        }
      ]
    }
  }
}'
Schema-based field level encryption on consume
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "mySchemaBasedEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "defaultKeySecretId": "vault-kms://vault:8200/transit/keys/myDefaultKeySecret",
    "defaultAlgorithm": "AES128_EAX",
    "tags": ["PII", "ENCRYPTION"],
    "namespace": "conduktor."
  }
}'
Encryption on consume with secured template
curl \
  --request PUT \
  --url 'http://localhost:8888/gateway/v2/interceptor' \
  --header 'Authorization: Basic YWRtaW46Y29uZHVrdG9y' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "myEncryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValue": {
      "fields": [
        {
          "fieldName": "password",
          "keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "visa",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
          "algorithm": "AES128_GCM"
        },
        {
          "fieldName": "education.account.username",
          "keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
          "algorithm": "AES128_GCM"
        }
      ]
    }
  }
}'
Decryption examples
Decrypt all fields
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    }
  }
}
Decrypt all fields with secured template
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    }
  }
}
Decrypt specific fields
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081"
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValueFields": [
      "visa",
      "education.account.username"
    ],
    "recordKeyFields": [
      "bank.accountNo"
    ],
    "recordHeaderFields": [
      "account.username"
    ]
  }
}
Decrypt specific fields with secured template
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "schemaRegistryConfig": {
      "host": "http://schema-registry:8081",
      "additionalConfigs": {
        "schema.registry.url": "${SR_URL}",
        "basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
        "basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
      }
    },
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    },
    "recordValueFields": [
      "visa",
      "education.account.username"
    ],
    "recordKeyFields": [
      "bank.accountNo"
    ],
    "recordHeaderFields": [
      "account.username"
    ]
  }
}
Decrypt full message
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "vault-plaintext-root-token",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    }
  }
}
Decrypt full message with secured template
{
  "name": "myDecryptPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
  "priority": 100,
  "config": {
    "topic": ".*",
    "kmsConfig": {
      "vault": {
        "uri": "https://vault:8200",
        "token": "${VAULT_TOKEN}",
        "trustStore": {
          "trustStorePath": "/security/truststore.jks"
        }
      }
    }
  }
}