Tutorials
- Conduktor tutorial overview
- Configure audit log topic
- Configure Chargeback
- Configure SQL
- Configure custom deserializers
- Reprocess messages
- Self-service quick start
- SNI routing
- Deploy Conduktor on AWS
- Migrate to new Gateway security mode
- Configure encryption and decryption
- Customize logs
- Manage service accounts and ACLs using Gateway
- Create Partner Zones using multi-cluster Gateway
On this page
- Overview
- Encryption examples
- Schema based encryption examples
- Simple encrypt on produce
- Field level encryption on produce
- Field-level encryption on produce with secured template
- Schema-based field level encryption on produce
- Full message level encryption on produce
- Full message level encryption on produce with secured template
- Encryption on consume
- Schema-based field level encryption on consume
- Encryption on consume with secured template
- Decryption examples
- Decrypt all fields
- Decrypt all fields with secured template
- Decrypt specific fields
- Decrypt specific fields with secured template
- Decrypt full message
- Decrypt full message with secured template
Tutorials
Configure encryption and decryption
Overview
This feature is available with Conduktor Shield only.
Encryption examples
Schema based encryption examples
- Fields containing specific information with (
keySecretId,algorithm,tagsmatch) will be encrypted. - Field would be encrypted with the associated
keySecretId,algorithm, if any missed, would be encrypted with the associated default ones in the Interceptor configuration. - Field would be encrypted with defaultSecret, defaultAlgorithm when
tagshas element with is in the Interceptor configuration.
conduktor.):
Copy
Ask AI
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Customer",
"type": "object",
"properties": {
"name": { "type": "string" },
"username": { "type": "string" },
"password": { "type": "string", "conduktor.keySecretId": "password-secret", "conduktor.algorithm": "AES128_GCM"},
"visa": { "type": "string", "conduktor.keySecretId": "password-visa"},
"address": {
"type": "object",
"properties": {
"location": { "type": "string", "conduktor.tags": ["MY_TAG", "PII", "GDPR", "MY_OTHER_TAG"]},
"town": { "type": "string" },
"country": { "type": "string" }
}
}
}
}
passwordwould be encrypted with the associated keySecretId, algorithm etc.visawould be encryption with the associated keySecretId and the default algorithm provided in the Interceptor configuration.locationwould be encrypted with defaultSecret, defaultAlgorithm because tags hasPIIwith is in the Interceptor configuration.- fields containing no specific information (
keySecretId,algorithm,tagswithout match) are left untouched.
conduktor.):
Copy
Ask AI
{
"type": "record",
"name": "User",
"fields": [
{"name": "name", "type": "string", "conduktor.algorithm": "AES128_GCM"},
{"name": "age", "type": "int", "conduktor.keySecretId": "age-secret"},
{"name": "email", "type": "string"},
{
"name": "address",
"type": {
"type": "record",
"name": "AddressRecord",
"fields": [
{"name": "street", "type": "string", "conduktor.keySecretId": "street-secret"},
{"name": "city", "type": "string", "conduktor.keySecretId": "city-secret", "conduktor.algorithm": "AES128_GCM"}
]
}
},
{"name": "hobbies", "type": {"type": "array", "items": "string"}},
{
"name": "friends",
"type": {
"type": "array",
"items": {
"type": "record",
"name": "Friend",
"fields": [
{"name": "name", "type": "string", "conduktor.tags": ["MY_TAG", "PII", "GDPR", "MY_OTHER_TAG"]},
{"name": "age", "type": "int"}
]
}
}
}
]
}
conduktor.):
In Protobuf, since we are using the Confluent schema registry, we use the (confluent.field_meta).params (with type map<string, string) for field options. Here’s how it can be defined:
Copy
Ask AI
syntax = "proto3";
option java_package = "schema.protobuf";
option java_outer_classname = "User";
message Student {
string name = 1 [(confluent.field_meta).params = {conduktor.keySecretId: "name-secret", conduktor.algorithm: "AES128_GCM"}];
int32 age = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "age-secret"}];
string email = 3 [(confluent.field_meta).params = {conduktor.keySecretId: "email-secret"}];
Address address = 4;
repeated string hobbies = 5;
repeated Friend friends = 6;
message Address {
string street = 1 [(confluent.field_meta).params = {conduktor.keySecretId: "street-secret", conduktor.algorithm: "AES128_GCM"}];
string city = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "city-secret"}];
}
message Friend {
string name = 1 [(confluent.field_meta).params = {conduktor.tags: "[\"PII\", \"MY_TAG\"]"}];
int32 age = 2 [(confluent.field_meta).params = {conduktor.keySecretId: "friend-age-secret"}];
}
}
Simple encrypt on produce
Copy
Ask AI
{
"name": "myEncryptionPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"recordValue": {
"fields": [
{
"fieldName": "password",
"keySecretId": "password-secret",
"algorithm": "AES128_GCM"
}
]
}
}
}
Field level encryption on produce
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
},
"azure": {
"tokenCredential": {
"clientId": "azure_client_id",
"tenantId": "azure_tenant_id",
"clientSecret": "azure_client_secret"
}
}
},
"recordValue": {
"fields": [
{
"fieldName": "password",
"keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
"algorithm": "AES128_GCM"
},
{
"fieldName": "visa",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
"algorithm": "AES128_GCM"
},
{
"fieldName": "education.account.username",
"keySecretId": "azure-kms://my-key-vault.vault.azure.net/keys/conduktor-gateway/4ceb7a4d1f3e4738b23bea870ae8745d",
"algorithm": "AES128_GCM"
}
]
}
}
}
Field-level encryption on produce with secured template
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
}
},
"recordValue": {
"fields": [
{
"fieldName": "password",
"keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
"algorithm": "AES128_GCM"
},
{
"fieldName": "visa",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
"algorithm": "AES128_GCM"
},
{
"fieldName": "education.account.username",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
"algorithm": "AES128_GCM"
}
]
}
}
}
Schema-based field level encryption on produce
Copy
Ask AI
{
"name": "mySchemaBasedEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptSchemaBasedPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
}
},
"defaultKeySecretId": "vault-kms://vault:8200/transit/keys/myDefaultKeySecret",
"defaultAlgorithm": "AES128_EAX",
"tags": ["PII", "ENCRYPTION"],
"namespace": "conduktor."
}
}
Full message level encryption on produce
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
}
},
"recordValue": {
"payload": {
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
"algorithm": "AES128_GCM"
}
}
}
}
Full message level encryption on produce with secured template
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.EncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
}
},
"recordValue": {
"payload": {
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
"algorithm": "AES128_GCM"
}
}
}
}
Encryption on consume
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
},
"recordValue": {
"fields": [
{
"fieldName": "password",
"keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
"algorithm": "AES128_GCM"
},
{
"fieldName": "visa",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
"algorithm": "AES128_GCM"
},
{
"fieldName": "education.account.username",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
"algorithm": "AES128_GCM"
}
]
}
}
}
Schema-based field level encryption on consume
Copy
Ask AI
{
"name": "mySchemaBasedEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
}
},
"defaultKeySecretId": "vault-kms://vault:8200/transit/keys/myDefaultKeySecret",
"defaultAlgorithm": "AES128_EAX",
"tags": ["PII", "ENCRYPTION"],
"namespace": "conduktor."
}
}
Encryption on consume with secured template
Copy
Ask AI
{
"name": "myEncryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.FetchEncryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
},
"recordValue": {
"fields": [
{
"fieldName": "password",
"keySecretId": "vault-kms://vault:8200/transit/keys/password-secret",
"algorithm": "AES128_GCM"
},
{
"fieldName": "visa",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-visa-secret-{{record.key}}-{{record.value.username}}-{{record.value.education.account.accountId}}",
"algorithm": "AES128_GCM"
},
{
"fieldName": "education.account.username",
"keySecretId": "vault-kms://vault:8200/transit/keys/{{record.header.test-header}}-secret-key-account-username-{{record.topic}}",
"algorithm": "AES128_GCM"
}
]
}
}
}
Decryption examples
Decrypt all fields
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
}
}
}
Decrypt all fields with secured template
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
}
}
}
Decrypt specific fields
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081"
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
},
"recordValueFields": [
"visa",
"education.account.username"
],
"recordKeyFields": [
"bank.accountNo"
],
"recordHeaderFields": [
"account.username"
]
}
}
Decrypt specific fields with secured template
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"schemaRegistryConfig": {
"host": "http://schema-registry:8081",
"additionalConfigs": {
"schema.registry.url": "${SR_URL}",
"basic.auth.credentials.source": "${SR_BASIC_AUTH_CRED_SRC}",
"basic.auth.user.info": "${SR_BASIC_AUTH_USER_INFO}"
}
},
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
},
"recordValueFields": [
"visa",
"education.account.username"
],
"recordKeyFields": [
"bank.accountNo"
],
"recordHeaderFields": [
"account.username"
]
}
}
Decrypt full message
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "vault-plaintext-root-token",
"version": 1
}
}
}
}
Decrypt full message with secured template
Copy
Ask AI
{
"name": "myDecryptPlugin",
"pluginClass": "io.conduktor.gateway.interceptor.DecryptPlugin",
"priority": 100,
"config": {
"topic": ".*",
"kmsConfig": {
"vault": {
"uri": "http://vault:8200",
"token": "${VAULT_TOKEN}",
"version": 1
}
}
}
}
Was this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.