The Decrypt policy decrypts portions of Kafka messages that were previously encrypted using a referenced key.
Use this policy to enforce consistent decryption standards across Kong Event Gateway clients.

This policy uses AES-256-GCM for decryption, which requires keys to be 256 bits in length.

Use this policy together with the Encrypt policy, which encrypts portions of a message using the same referenced key.

Use cases

Common use cases for the Decrypt policy:

Use case                          Description
Decrypt using a static key        Decrypt a message value based on a key reference name.
Decrypt using an AWS key source   Decrypt a message value using an AWS key source.

How it works

This policy runs during the consume phase.

  1. A Kafka client produces a message and sends it to Event Gateway.
  2. Event Gateway encrypts the specified values using the provided key.
  3. Event Gateway sends the encrypted message to the Kafka broker, which processes it using the key.
  4. Event Gateway decrypts the specified values using the provided key, then sends the message to the client.

sequenceDiagram
  autonumber
  participant client as Client
  participant egw as Event Gateway
  participant broker as Event broker

  client->>egw: produce message
  egw->>egw: encrypt message
  egw->>broker: send encrypted message
  broker->>egw: consume message
  egw->>egw: decrypt message
  egw->>client: send message

The Encrypt policy appends a kong/enc header to each message. This header identifies the encryption key by its ID. For example, when using a static key, the resulting message appears as follows:

{
	"Partition": 0,
	"Offset": 2,
	"Headers": {
		"kong/enc": "\u0000\u0001\u0000-static://019a537d-96ca-74f7-8903-aa99905e722d"
	},
	"Value": "deJ415liQWUEP8j33Yrb/7knuwRzHrHNRDQkkePePZ18MShhlY9A++ZFH/9uaHRb+Q=="
}

When decrypting, the Decrypt policy reads the key reference from the kong/enc header. It then retrieves the corresponding key from the configured key sources and uses it to decrypt the message.
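As an added example (not Kong's own code), the following Go program models the consume-side path described above: it parses the key reference out of the kong/enc header, resolves it against a static key source, enforces the 256-bit key length that AES-256-GCM requires, and decrypts the base64 value. The header prefix bytes, the nonce||ciphertext layout of the value, the sample key bytes and the helper names (cipherFor, Decrypt, Encrypt) are assumptions, since the page does not document the wire format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"regexp"
)
// Constructed static key source (key ID -> 256-bit key). The ID is the one from the sample message above; the key bytes are made up.
var staticKeys = map[string][]byte{
	"019a537d-96ca-74f7-8903-aa99905e722d": []byte("0123456789abcdef0123456789abcdef"),
}
var keyRef = regexp.MustCompile(`([a-z]+)://([^\x00]+)$`) // "<source>://<id>" after the header's binary prefix (layout assumed from the sample above)
// cipherFor reads the key reference from a kong/enc header and returns an AES-256-GCM instance for the referenced key.
func cipherFor(header []byte) (cipher.AEAD, error) {
	m := keyRef.FindSubmatch(header)
	if m == nil || string(m[1]) != "static" {
		return nil, errors.New("kong/enc header has no usable static key reference")
	}
	key := staticKeys[string(m[2])] // an unknown ID yields nil
	if len(key) != 32 { // AES-256-GCM requires exactly 256 bits
		return nil, errors.New("key ID unknown or key is not 256 bits")
	}
	block, _ := aes.NewCipher(key) // key length already validated
	return cipher.NewGCM(block)
}
// Decrypt is the consume-side step: header + base64 value -> plaintext. Assumes value = nonce || ciphertext || GCM tag; Open rejects a wrong key or a modified value.
func Decrypt(header []byte, value string) ([]byte, error) {
	gcm, err := cipherFor(header)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("value is not base64 nonce||ciphertext")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}
// Encrypt mirrors the produce side so the round trip can be exercised; it writes the header with the prefix seen in the sample above.
func Encrypt(id string, plaintext []byte) ([]byte, string, error) {
	header := []byte("\x00\x01\x00-static://" + id)
	gcm, err := cipherFor(header)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per message
	return header, base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}
```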

Key sources

You must define a key for the Decrypt policy. This policy supports the following key sources:

  • AWS (aws): An AWS key vault.
  • Static (static): An array of explicitly defined static keys.