...

When receiving an encrypted record, the consumer will retrieve the key reference from the record and use this to obtain a copy of the actual key from its configured KeyProvider.

New Interfaces

KeyProvider

The KeyProvider is instantiated by the Kafka clients and used to retrieve the appropriate key to encrypt & decrypt messages. 

Keys are referenced by an object implementing KeyReference.

The value for this parameter can be defined in two places:

...

a KeyReference object, which the provider will use to determine the correct underlying key.

KeyProviders will support two main methods for getting a key:

getKey(KeyReference key) - obtain an exact version of a key. This is mostly used by the Consumer to get a key for decrypting records.

getCurrentKey(KeyReference key) - get the current version of a key. This accommodates rollover functionality for keys in later versions. As the KeyManager should not be concerned with key versions, it will simply return a reference without a version and leave it to the KeyProvider implementation to return the correct version of that key.

KeyManager

The KeyManager will determine which key is appropriate to encrypt a given record. 

It will be passed the ProducerRecord object and be able to use any of the fields within it for this determination.

...

KeyReference

A very simple interface, similar to KafkaPrincipal, which is used to refer to keys. The reference implementation will simply contain a String and a version, but this can be extended as necessary by users to accommodate proprietary key scenarios that exist for corporate customers.
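The following sketch is an added example, not code from this proposal or from Kafka. It shows how an unversioned reference resolved through getCurrentKey and a versioned reference resolved through getKey keep older records decryptable after a key rollover. The method signatures, return types and the names SimpleKeyReference, ResolvedKey and InMemoryKeyProvider are assumptions made for illustration.

```java
import java.util.*;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical shapes: the page names these types and methods but not their signatures.
interface KeyReference { String name(); OptionalInt version(); }
record SimpleKeyReference(String name, OptionalInt version) implements KeyReference {}
// Assumed return type: key material plus the exact reference that identifies it.
record ResolvedKey(KeyReference reference, SecretKey key) {}

interface KeyProvider {
    ResolvedKey getKey(KeyReference ref);        // exact version, consumer side
    ResolvedKey getCurrentKey(KeyReference ref); // newest version, producer side
}

class InMemoryKeyProvider implements KeyProvider {
    // key name -> (version -> key), versions kept in ascending order
    private final Map<String, NavigableMap<Integer, SecretKey>> keys = new HashMap<>();

    void addVersion(String name, int version, byte[] material) {
        keys.computeIfAbsent(name, n -> new TreeMap<>())
            .put(version, new SecretKeySpec(material, "AES"));
    }
    @Override public ResolvedKey getKey(KeyReference ref) {
        // Fail closed: decryption must never fall back to a different version.
        int v = ref.version().orElseThrow(
            () -> new IllegalArgumentException("getKey needs an exact version"));
        SecretKey k = keys.getOrDefault(ref.name(), new TreeMap<>()).get(v);
        if (k == null) throw new NoSuchElementException("unknown key " + ref.name() + " v" + v);
        return new ResolvedKey(ref, k);
    }
    @Override public ResolvedKey getCurrentKey(KeyReference ref) {
        NavigableMap<Integer, SecretKey> versions = keys.get(ref.name());
        if (versions == null || versions.isEmpty())
            throw new NoSuchElementException("unknown key " + ref.name());
        Map.Entry<Integer, SecretKey> latest = versions.lastEntry();
        // Return the resolved version so the producer can store it in the record.
        return new ResolvedKey(
            new SimpleKeyReference(ref.name(), OptionalInt.of(latest.getKey())), latest.getValue());
    }
}

public class KeyRolloverDemo {
    public static void main(String[] args) {
        InMemoryKeyProvider provider = new InMemoryKeyProvider();
        provider.addVersion("orders", 1, new byte[16]); // constructed sample material, not a real key
        ResolvedKey sent = provider.getCurrentKey(new SimpleKeyReference("orders", OptionalInt.empty()));
        provider.addVersion("orders", 2, new byte[32]); // rollover after the record was produced
        ResolvedKey read = provider.getKey(sent.reference()); // consumer still resolves version 1
        System.out.println(read.reference() + " same key: " + read.key().equals(sent.key()));
    }
}
```

The sketch requires Java 16 or later for records.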

...

The producer config will receive the following new properties:

| Option Name | Description |
| --- | --- |
| encryption.keymanager-class | The class to use as KeyProvider. |
| encryption.keymanager. | Prefix to symbolize KeyProvider config. Anything with this prefix will be passed through to the KeyProvider upon initialization. |
| encryption.keyprovider-class | The class to use as KeyProvider. |
| encryption.keyprovider. | Prefix to symbolize KeyProvider config. Anything with this prefix will be passed through to the KeyProvider upon initialization. |


Initial KeyProvider & KeyManager implementations

...