When receiving an encrypted record, the consumer will retrieve the key reference from the record and use this to obtain a copy of the actual key from its configured KeyProvider.
The KeyProvider is instantiated by the Kafka clients and used to retrieve the appropriate key to encrypt & decrypt messages.
Keys are referenced by an object implementing KeyReference; the provider uses this reference to determine the correct underlying key.
KeyProviders will support two main methods for getting a key:
getKey(KeyReference key) - obtain an exact version of a key; this is mostly used by the Consumer to get the key for decrypting a record.
getCurrentKey(KeyReference key) - get the current version of a key; this accommodates key rollover functionality in later versions. As the KeyManager should not be concerned with key versions, it will simply return a reference without a version and leave it to the KeyProvider implementation to return the correct version of that key.
The KeyManager will determine which key is appropriate to encrypt a given record.
It will be passed the ProducerRecord object and be able to use any of the fields within it for this determination.
KeyReference is a very simple interface, similar to KafkaPrincipal, used to refer to keys. The reference implementation will simply contain a String and a version, but users can extend it as necessary to accommodate the proprietary key scenarios that exist for corporate customers.
The producer config will receive the following new properties:
| Property | Description |
|---|---|
| encryption.keymanager-class | The class to use as KeyManager. |
| encryption.keymanager. | Prefix that marks KeyManager config. Anything with this prefix will be passed through to the KeyManager upon initialization. |
| encryption.keyprovider-class | The class to use as KeyProvider. |
| encryption.keyprovider. | Prefix that marks KeyProvider config. Anything with this prefix will be passed through to the KeyProvider upon initialization. |
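As an added illustration (not the KIP's or the project's code), the sketch below models the KeyReference / KeyProvider / KeyManager split described above, including an in-memory provider that resolves "current" versions itself while keeping old versions available for decryption, plus the prefix-stripping pass-through of `encryption.keyprovider.` settings. The interface shapes, `KeyRef`, `InMemoryKeyProvider`, `keyFor` and `providerConfigs` are assumptions for this example.

```java
import java.util.HashMap;
import java.util.Map;

public class KeyProviderExample {
    // Hypothetical shapes of the interfaces the proposal describes (assumed, not the project's code).
    interface KeyReference { String name(); Integer version(); }  // version == null: "no version, use current"
    record KeyRef(String name, Integer version) implements KeyReference {}

    interface KeyProvider {
        byte[] getKey(KeyReference ref);         // exact version: consumer side, decrypting a stored record
        byte[] getCurrentKey(KeyReference ref);  // current version: producer side, allows key rollover
    }
    interface KeyManager { KeyReference keyFor(String topic); }  // stands in for inspecting ProducerRecord fields

    // In-memory provider: version resolution lives here, as the proposal leaves it to the KeyProvider.
    static class InMemoryKeyProvider implements KeyProvider {
        private final Map<String, Map<Integer, byte[]>> keys = new HashMap<>();
        private final Map<String, Integer> current = new HashMap<>();

        void addVersion(String name, int version, byte[] material) {
            keys.computeIfAbsent(name, n -> new HashMap<>()).put(version, material);
            current.merge(name, version, Math::max);  // newest version becomes the current one
        }
        @Override public byte[] getKey(KeyReference ref) {
            if (ref.version() == null)
                throw new IllegalArgumentException("exact lookup requires a version: " + ref.name());
            byte[] k = keys.getOrDefault(ref.name(), Map.of()).get(ref.version());
            if (k == null) throw new IllegalStateException("unknown key " + ref.name() + " v" + ref.version());
            return k;
        }
        @Override public byte[] getCurrentKey(KeyReference ref) {
            Integer v = current.get(ref.name());
            if (v == null) throw new IllegalStateException("unknown key " + ref.name());
            return getKey(new KeyRef(ref.name(), v));  // older versions stay readable for old records
        }
    }

    // Pass-through of "encryption.keyprovider." settings with the prefix stripped, per the config table.
    static Map<String, Object> providerConfigs(Map<String, Object> producerConfigs) {
        String prefix = "encryption.keyprovider.";
        Map<String, Object> out = new HashMap<>();
        producerConfigs.forEach((k, v) -> { if (k.startsWith(prefix)) out.put(k.substring(prefix.length()), v); });
        return out;
    }

    public static void main(String[] args) {
        InMemoryKeyProvider provider = new InMemoryKeyProvider();
        provider.addVersion("orders-key", 1, new byte[16]);  // constructed sample key material
        provider.addVersion("orders-key", 2, new byte[16]);
        KeyManager manager = topic -> new KeyRef(topic + "-key", null);  // assumed policy: one key per topic
        provider.getCurrentKey(manager.keyFor("orders"));   // producer: resolves to version 2
        provider.getKey(new KeyRef("orders-key", 1));       // consumer: exact version read from the record
        System.out.println(providerConfigs(Map.of("encryption.keyprovider.kms.uri", "https://kms.example", "acks", "all")));
    }
}
```

The unversioned reference from the KeyManager is only ever passed to getCurrentKey; a consumer that tried to decrypt with an unversioned reference would be rejected rather than silently given the newest key.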
Initial KeyProvider & KeyManager implementations