Apache Kafka Consumer and Producer Interceptor to encrypt and decrypt in-transit data using HashiCorp Vault Transit secrets engine.
This interceptors could be added to Kafka Connectors via configuration and to other off-the-shelf components like Kafka REST Proxy, KSQL and so on.
mvn packagemvn testHere's some example configuration to use Vault Transit Interceptor.
Add Interceptor to Producer Configuration:
properties.put("interceptor.classes", "it.bitrock.kafkavaulttransitinterceptor.EncryptingProducerInterceptor");
properties.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
properties.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
properties.put("interceptor.value.serializer", "...");interceptor.value.serializer must be configured according to the kind of value you want to write in Kafka, which you would have usually put in value.serializer.
properties.put("interceptor.classes", "it.bitrock.kafkavaulttransitinterceptor.DecryptingConsumerInterceptor");
properties.put("key.deserializer", "org.apache.kafka.common.deserialization.StringDeserializer");
properties.put("value.deserializer", "org.apache.kafka.common.deserialization.StringDeserializer");
properties.put("interceptor.value.deserializer", "...");interceptor.value.deserializer must be configured according to the kind of value you want to write in Kafka, which you would have usually put in value.deserializer.
Encryption is now done on the client side and only the keys are managed through Vault.
Valure serializer/deserializer require a change in the default setting:
- in the Producer:
value.serializertoorg.apache.kafka.common.serialization.ByteArraySerializer
- in the Consumer:
value.deserializertoorg.apache.kafka.common.deserialization.ByteArrayDeserializer
Initial release encryption and keys are managed by Vault Transit Engine.