Home / Event Gateway / Event Gateway Policies
Edit
Report

Decrypt Fields

Overview Examples Configuration reference
Related Documentation
Event Gateway Documentation
Incompatible with
on-prem
Minimum Version
Event Gateway - 1.2
Tags
#event-gateway
Related Resources
Encrypt fields policy
Virtual clusters
Policies
Static keys
Encrypt and decrypt Kafka message fields with Kong Event Gateway
Encrypt and decrypt Kafka message fields dynamically with Kong Event Gateway

The Decrypt Policy decrypts fields of Kafka messages that were previously encrypted using a referenced key.
Use this policy to enforce consistent decryption standards across Kong Event Gateway clients.

This policy uses AES-256-GCM for decryption, therefore keys must be 256 bits long.

Use this policy together with the Encrypt fields policy, which encrypts fields of a message using the same referenced key.

Use cases

Common use cases for the Decrypt fields policy:

Use case

Description
Example: Decrypt a field using a static key Decrypt a message field based on a key reference name.
Example: Decrypt a field using an AWS key source Decrypt a message field using an AWS key source.
Example: Decrypt a message field using a dynamic list of field paths Decrypt a message field using a dynamic list of field paths

How it works

This policy runs during the consume phase, after schema validation has taken place.

  1. A Kafka client produces a message and sends it to Event Gateway.
  2. Event Gateway encrypts the specified values using the provided key.
  3. Event Gateway sends the encrypted message to the Kafka broker, which processes it using the key.
  4. Event Gateway decrypts the specified values using the provided key, then sends the message to the client.
 
sequenceDiagram
  autonumber
  participant client as Client
  participant egw as Event Gateway
  participant broker as Event broker

  client->>egw: produce message
  egw->>egw: encrypt message
  egw->>broker: send encrypted message
  broker->>egw: consume message
  egw->>egw: decrypt message
  egw->>client: send message

The Encrypt Fields policy appends a kong/enc header to each message. This header identifies the encryption key by its ID, for example when using a static key. Only the fields matched by the policy are encrypted, while the rest of the value structure is left intact. In the following message, the personal.ssn field is encrypted, but the sibling personal.name field is left in plaintext:

{
	"Partition": 0,
	"Offset": 0,
	"Headers": {
		"kong/enc": "\u0000\u0004\u0000-static://019a537d-96ca-74f7-8903-aa99905e722d"
	},
	"Value": "{\"personal\":{\"name\":\"Jane Doe\",\"ssn\":\"AHry69Jl4oJzafOlu/xOjVa37hpfYTAVXoAolj94NoBQSKz7dkEF/gg=\"}}"
}

When decrypting, the Decrypt Fields policy reads the key reference from the kong/enc header. It then retrieves the corresponding key from the configured key sources and uses it to decrypt only the matched fields.

Key sources

You must define a key for the Decrypt Fields policy. This policy supports the following key sources:

  • AWS (aws): An AWS key vault.
  • Static (static): An array of explicitly defined static keys.
Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support