This repository provides several demos of the Confluent Cloud features Client-Side Field Level Encryption (CSFLE) and Client-Side Payload Encryption (CSPE).
Each folder contains a step-by-step guide for a different KMS:

| Scenario | Key Vault | Encryption type | KEK shared |
|---|---|---|---|
| Azure - Kotlin | Azure Key Vault | CSFLE | no |
| Azure - Python | Azure Key Vault | CSFLE | no |
| HashiCorp | HashiCorp Vault | CSFLE | no |
| AWS | AWS Key Management Service | CSFLE | no |
| GCP | GCP Key Management Service | CSFLE | no |
| AWS - Shared | AWS Key Management Service | CSFLE | yes |
| Azure - SM Connect | Azure Key Vault | CSFLE | no |
| Azure - CSPE | Azure Key Vault | CSPE | no |

- Confluent Cloud cluster with Advanced Stream Governance package
- For clients, Confluent Platform 7.4.2 or 7.5.1 is required.

We will produce personal data to Confluent Cloud in the following form:

```json
{
  "id": "0",
  "name": "Anna",
  "birthday": "1993-08-01",
  "timestamp": "2023-10-07T19:54:21.884Z"
}
```

However, we set up the corresponding configurations to encrypt the birthday field.
We then start a consumer with the corresponding configurations to decrypt the field again.
In order to have a realistic scenario, we do not produce and consume via the CLI but develop a producer and consumer application with Kotlin.
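
CSFLE picks the fields to encrypt by matching tags on schema fields against the tags of an `ENCRYPT` rule registered with the schema, so a tag mismatch leaves a field in plaintext. The following pre-registration check is an added example, not code from this repository: the schema, the rule name `encryptPII`, the `PII` tag and the `<KEK_NAME>` / `<KMS_KEY_ID>` placeholders are constructed for illustration, and only top-level fields are inspected.

```python
# Constructed Avro schema for the record above; "confluent:tags" marks the PII field.
SCHEMA = {
    "type": "record", "name": "PersonalData",
    "fields": [
        {"name": "id", "type": "string"},
        {"name": "name", "type": "string"},
        {"name": "birthday", "type": "string", "confluent:tags": ["PII"]},
        {"name": "timestamp", "type": "string"},
    ],
}

# Constructed rule set; KEK name and KMS key id are placeholders, not real values.
RULE_SET = {"domainRules": [{
    "name": "encryptPII", "kind": "TRANSFORM", "type": "ENCRYPT",
    "mode": "WRITEREAD", "tags": ["PII"],
    "params": {
        "encrypt.kek.name": "<KEK_NAME>",
        "encrypt.kms.type": "azure-kms",
        "encrypt.kms.key.id": "<KMS_KEY_ID>",
    },
    "onFailure": "ERROR,NONE",
}]}


def encrypted_fields(schema, rule_set):
    """Return the top-level fields whose tags are matched by a write-side ENCRYPT rule."""
    rule_tags = set()
    for rule in rule_set.get("domainRules", []):
        # Only rules that run on produce (WRITE or WRITEREAD) protect data at rest.
        if rule.get("type") == "ENCRYPT" and rule.get("mode") in ("WRITE", "WRITEREAD"):
            rule_tags.update(rule.get("tags", []))
    return [f["name"] for f in schema["fields"]
            if rule_tags & set(f.get("confluent:tags", []))]


def missing_encryption(schema, rule_set, must_encrypt):
    """Return fields that policy requires encrypted but no rule covers (tags are case-sensitive)."""
    covered = set(encrypted_fields(schema, rule_set))
    return sorted(set(must_encrypt) - covered)


if __name__ == "__main__":
    print("encrypted:", encrypted_fields(SCHEMA, RULE_SET))
    print("uncovered:", missing_encryption(SCHEMA, RULE_SET, ["birthday"]))
```

Running a check like this in CI before registering the schema catches the case where the field would silently be produced unencrypted.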