End-to-End Encryption for Apache Kafka
Encryption becomes easy
Conduktor is here to take care of encryption in Apache Kafka
- AWS, Azure, GCP, Vault support
We support the most popular KMS solutions with full key rotation
- No impact on applications
No matter what client or language you use, our end-to-end encryption solution requires no client configuration
- Configured centrally
Enforce encryption standards from a central location to ensure no policy violations and seamless application onboarding
- Encrypt down to field level
Choose which fields are encrypted and how
- Mix KMS
You can encrypt one field with one KMS and another field with another KMS
- Mix algorithms
Choose the relevant encryption algorithm to support your security requirements

How does it look?
Let's walk through some of the magic
Define once, centrally
Down to the field level, and take note:
- You can use different KMS
- You can use different algorithms

{
  "topic": "customer",
  "fields": [
    {
      "name": "password",
      "keySecretId": "password-secret-key",
      "algorithm": { "type": "AES_GCM", "kms": "VAULT" }
    },
    {
      "name": "visa",
      "keySecretId": "visa-secret-key",
      "algorithm": { "type": "AES_GCM", "kms": "AZURE" }
    }
  ]
}
Jack sends data
Use any Kafka client of your choice, without worrying about encryption
$ echo '{ "name": "Jack", "password": "P@assw0d", "visa": "visa 21591", "address": "38 Chancery Lane, London" }' | kafka-json-schema-console-producer --bootstrap-server encryption:9092 --topic customer --producer.config jack.properties
Marie can't access any encrypted fields
She has no access to any KMS, so she can't see the password or visa fields
$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config marie.properties --from-beginning | jq .
{
  "username": "Jack",
  "password": "ATwXoQmUZ26GKTU5FQzl5gFFRRnffdHUB+0J37KSiejvug==",
  "visa": "AV0C2uS8+NyLeTkNT6kYiBTGRnl2sgrlf6LnJcXGg+46AQ==",
  "address": "38 Chancery Lane, London"
}
Eric can access visa, but not password
Eric can decrypt the visa field, but he does not have access to the KMS that holds the password key, so he can't decrypt password.
$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config eric.properties --from-beginning | jq .
{
  "username": "Jack",
  "password": "ATwXoQmUZ26GKTU5FQzl5gFFRRnffdHUB+0J37KSiejvug==",
  "visa": "visa 21591",
  "address": "38 Chancery Lane, London"
}
Joan can access everything
Joan has access to all keys and she can see everything
$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config joan.properties --from-beginning | jq .
{
  "username": "Jack",
  "password": "P@assw0d",
  "visa": "visa 21591",
  "address": "38 Chancery Lane, London"
}
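The Marie, Eric and Joan outcomes above can be modelled with per-field AES-GCM and per-consumer key access. This is an added example, not Conduktor's code: the in-memory `kms` map and its keys, the `encryptRecord` and `decryptRecord` helpers, and the `base64(iv || ciphertext || tag)` layout are assumptions for illustration, not the product's wire format.

```javascript
const nodeCrypto = require("crypto");

// Mirrors the page's policy: field -> keySecretId (AES_GCM for both fields).
const policy = { password: "password-secret-key", visa: "visa-secret-key" };

// Constructed in-memory stand-in for the Vault and Azure KMS (keySecretId -> AES-256 key).
const kms = {
  "password-secret-key": Buffer.from("0123456789abcdef0123456789abcdef"),
  "visa-secret-key": Buffer.from("fedcba9876543210fedcba9876543210"),
};

// Produce path: seal each policy field as base64(iv || ciphertext || tag).
// The field name is bound as associated data so values cannot be swapped between fields.
function encryptRecord(record) {
  const out = { ...record };
  for (const [field, keyId] of Object.entries(policy)) {
    if (typeof record[field] !== "string") continue;
    const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per value
    const cipher = nodeCrypto.createCipheriv("aes-256-gcm", kms[keyId], iv);
    cipher.setAAD(Buffer.from(field));
    const ct = Buffer.concat([cipher.update(record[field], "utf8"), cipher.final()]);
    out[field] = Buffer.concat([iv, ct, cipher.getAuthTag()]).toString("base64");
  }
  return out;
}

// Consume path: decrypt only fields whose key the consumer may use; everything
// else, and any value that fails authentication, is returned unchanged.
function decryptRecord(record, allowedKeyIds) {
  const out = { ...record };
  for (const [field, keyId] of Object.entries(policy)) {
    if (!allowedKeyIds.includes(keyId) || typeof record[field] !== "string") continue;
    const raw = Buffer.from(record[field], "base64");
    if (raw.length < 28) continue; // needs a 12-byte iv plus a 16-byte tag
    try {
      const d = nodeCrypto.createDecipheriv("aes-256-gcm", kms[keyId], raw.subarray(0, 12));
      d.setAAD(Buffer.from(field));
      d.setAuthTag(raw.subarray(raw.length - 16));
      const pt = Buffer.concat([d.update(raw.subarray(12, raw.length - 16)), d.final()]);
      out[field] = pt.toString("utf8");
    } catch {
      // tampered or foreign ciphertext: leave the stored value in place
    }
  }
  return out;
}

const stored = encryptRecord({ name: "Jack", password: "P@assw0d", visa: "visa 21591" });
console.log(decryptRecord(stored, ["visa-secret-key"])); // Eric's view
```

Passing an empty key list gives Marie's view, and both key IDs give Joan's.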
Your data is secured without impacting your existing applications
Arrange a demo to find out everything you can safeguard with Conduktor.