Home / Event Gateway / Event Gateway Policies
Edit
Report

Encrypt Fields

Overview Examples Configuration reference
Related Documentation
Event Gateway Documentation
Incompatible with
on-prem
Minimum Version
Event Gateway - 1.2
Tags
#event-gateway
Related Resources
Decrypt Fields policy
Virtual clusters
Policies
Static keys
Encrypt and decrypt Kafka message fields with Kong Event Gateway
Encrypt and decrypt Kafka message fields dynamically with Kong Event Gateway

The Encrypt Fields policy is used to encrypt fields of Kafka messages that have been validated to conform to a schema.

This policy uses AES-256-GCM for encryption, therefore keys must be 256 bits long.

Use the Encrypt Fields policy together with the Decrypt Fields policy, which decrypts fields of a message using the same referenced key, to enforce standards for encryption across Kong Event Gateway clients.

Use cases

Common use cases for the Encrypt Fields policy:

Use case

Description
Encrypt a message field using a static key Encrypt a message field using a static key.
Encrypt a message field using an AWS key source Encrypt a message field using an AWS key source.
Encrypt a message field using a dynamic list of field paths Encrypt a message field using a dynamic list of field paths

How it works

This policy runs during the produce phase, after schema validation has taken place.

  1. A Kafka client produces a message and sends it to Event Gateway.
  2. Event Gateway encrypts the specified values using the provided key.
  3. Event Gateway sends the encrypted message to the Kafka broker, which processes it using the key.
  4. Event Gateway decrypts the specified values using the provided key, then sends the message to the client.
 
sequenceDiagram
  autonumber
  participant client as Client
  participant egw as Event Gateway
  participant broker as Event broker

  client->>egw: produce message
  egw->>egw: encrypt message
  egw->>broker: send encrypted message
  broker->>egw: consume message
  egw->>egw: decrypt message
  egw->>client: send message

The Encrypt Fields policy appends a kong/enc header to each message. This header identifies the encryption key by its ID, for example when using a static key. Only the fields matched by the policy are encrypted, while the rest of the value structure is left intact. In the following message, the personal.ssn field is encrypted, but the sibling personal.name field is left in plaintext:

{
	"Partition": 0,
	"Offset": 0,
	"Headers": {
		"kong/enc": "\u0000\u0004\u0000-static://019a537d-96ca-74f7-8903-aa99905e722d"
	},
	"Value": "{\"personal\":{\"name\":\"Jane Doe\",\"ssn\":\"AHry69Jl4oJzafOlu/xOjVa37hpfYTAVXoAolj94NoBQSKz7dkEF/gg=\"}}"
}

When decrypting, the Decrypt Fields policy reads the key reference from the kong/enc header. It then retrieves the corresponding key from the configured key sources and uses it to decrypt only the matched fields.

Key sources

You must define a key for the Encrypt Fields policy. This policy supports the following key sources:

  • AWS (aws): An AWS key vault.
  • Static (static): An array of explicitly defined static keys.
Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support