This encrypt policy is used to encrypt portions of Kafka messages. The Encrypt policy uses AES-256-GCM for encryption, therefore keys must be 256 bits long.
Use this policy together with the Decrypt policy, which decrypts portions of a message using the same referenced key, to enforce standards for encryption across Kong Event Gateway clients.
Common use cases for the Encrypt policy:
|
Use case |
Description |
|---|---|
| Encrypt a message using a static key | Encrypt a message value using a static key. |
| Encrypt a message using an AWS key source | Encrypt a message value using an AWS key source. |
This policy runs during the produce phase.
sequenceDiagram autonumber participant client as Client participant egw as Event Gateway participant broker as Event broker client->>egw: produce message egw->>egw: encrypt message egw->>broker: send encrypted message broker->>egw: consume message egw->>egw: decrypt message egw->>client: send message
The Encrypt policy appends a kong/enc header to each message. This header identifies the encryption key by its ID for example when using a static key
the resulting message appears as follows:
{
"Partition": 0,
"Offset": 2,
"Headers": {
"kong/enc": "\u0000\u0001\u0000-static://019a537d-96ca-74f7-8903-aa99905e722d"
},
"Value": "deJ415liQWUEP8j33Yrb/7knuwRzHrHNRDQkkePePZ18MShhlY9A++ZFH/9uaHRb+Q=="
}
When decrypting, the Decrypt policy reads the key reference from the kong/enc header. It then retrieves the corresponding key from the configured key sources and uses it to decrypt the message.
You must define a key for the Encrypt policy. This policy supports the following key sources:
aws): An AWS key vault.static): An array of explicitly defined static keys.