Package io.confluent.kafka.schemaregistry.encryption

Class EncryptionExecutor

java.lang.Object

io.confluent.kafka.schemaregistry.encryption.EncryptionExecutor

All Implemented Interfaces:

RuleBase, RuleExecutor, AutoCloseable, org.apache.kafka.common.Configurable

public class EncryptionExecutor
extends Object
implements RuleExecutor

In envelope encryption, a user generates a data encryption key (DEK) locally, encrypts data with the DEK, sends the DEK to a KMS to be encrypted (with a key managed by KMS - KEK), and then stores the encrypted DEK. At a later point, a user can retrieve the encrypted DEK for the encrypted data, use the KEK from KMS to decrypt the DEK, and use the decrypted DEK to decrypt the data.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	EncryptionExecutor.EncryptionExecutorTransform

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CACHE_EXPIRY_SECS
static final String	CACHE_SIZE
static final String	CLOCK
static final byte[]	EMPTY_AAD
static final String	ENCRYPT_ALTERNATE_KMS_KEY_IDS
static final String	ENCRYPT_DEK_ALGORITHM
static final String	ENCRYPT_DEK_EXPIRY_DAYS
static final String	ENCRYPT_KEK_NAME
static final String	ENCRYPT_KMS_KEY_ID
static final String	ENCRYPT_KMS_TYPE
static final String	KMS_TYPE_SUFFIX
protected static final int	LATEST_VERSION
protected static final byte	MAGIC_BYTE
protected static final int	MILLIS_IN_DAY
static final String	TYPE
protected static final int	VERSION_SIZE

Fields inherited from interface io.confluent.kafka.schemaregistry.rules.RuleBase

DEFAULT_NAME

Constructor Summary

Constructors

Constructor	Description
EncryptionExecutor()

Method Summary

Modifier and Type	Method	Description
boolean	addOriginalConfigs()
void	close()
void	configure(Map<String,?> configs)
protected byte[]	generateDek(DekFormat dekFormat)
Map<DekFormat,Cryptor>	getCryptors()
EncryptionExecutor.EncryptionExecutorTransform	newTransform(RuleContext ctx)
void	setSchemaRegistryClient(SchemaRegistryClient schemaRegistryClient)
Object	transform(RuleContext ctx, Object message)
String	type()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

TYPE

public static final String TYPE

See Also:

• Constant Field Values

ENCRYPT_KEK_NAME

public static final String ENCRYPT_KEK_NAME

See Also:

• Constant Field Values

ENCRYPT_KMS_KEY_ID

public static final String ENCRYPT_KMS_KEY_ID

See Also:

• Constant Field Values

ENCRYPT_KMS_TYPE

public static final String ENCRYPT_KMS_TYPE

See Also:

• Constant Field Values

ENCRYPT_DEK_ALGORITHM

public static final String ENCRYPT_DEK_ALGORITHM

See Also:

• Constant Field Values

ENCRYPT_DEK_EXPIRY_DAYS

public static final String ENCRYPT_DEK_EXPIRY_DAYS

See Also:

• Constant Field Values

ENCRYPT_ALTERNATE_KMS_KEY_IDS

public static final String ENCRYPT_ALTERNATE_KMS_KEY_IDS

See Also:

• Constant Field Values

KMS_TYPE_SUFFIX

public static final String KMS_TYPE_SUFFIX

See Also:

• Constant Field Values

EMPTY_AAD

public static final byte[] EMPTY_AAD

CACHE_EXPIRY_SECS

public static final String CACHE_EXPIRY_SECS

See Also:

• Constant Field Values

CACHE_SIZE

public static final String CACHE_SIZE

See Also:

• Constant Field Values

CLOCK

public static final String CLOCK

See Also:

• Constant Field Values

LATEST_VERSION

protected static final int LATEST_VERSION

See Also:

• Constant Field Values

MAGIC_BYTE

protected static final byte MAGIC_BYTE

See Also:

• Constant Field Values

MILLIS_IN_DAY

protected static final int MILLIS_IN_DAY

See Also:

• Constant Field Values

VERSION_SIZE

protected static final int VERSION_SIZE

See Also:

• Constant Field Values

Constructor Details

EncryptionExecutor

public EncryptionExecutor()

Method Details

addOriginalConfigs

public boolean addOriginalConfigs()

Specified by:

addOriginalConfigs in interface RuleBase

setSchemaRegistryClient

public void setSchemaRegistryClient(SchemaRegistryClient schemaRegistryClient)

Specified by:

setSchemaRegistryClient in interface RuleBase

configure

public void configure(Map<String,?> configs)

Specified by:

configure in interface org.apache.kafka.common.Configurable

Specified by:

configure in interface RuleBase

type

public String type()

Specified by:

type in interface RuleBase

transform

public Object transform(RuleContext ctx,
 Object message)
                 throws RuleException

Specified by:

transform in interface RuleExecutor

Throws:

RuleException

newTransform

public EncryptionExecutor.EncryptionExecutorTransform newTransform(RuleContext ctx)
                                                            throws RuleException

Throws:

RuleException

getCryptors

public Map<DekFormat,Cryptor> getCryptors()

generateDek

protected byte[] generateDek(DekFormat dekFormat)
                      throws GeneralSecurityException

Throws:

GeneralSecurityException

close

public void close()
           throws RuleException

Specified by:

close in interface AutoCloseable

Specified by:

close in interface RuleBase

Throws:

RuleException