Solution icon
Security - Encryption

End-to-EndEncryption for Apache Kafka

Some messages cannot be sent without encryption. Conduktor makes it simple

Encryption becomes easy

Conduktor is here to take care of encryption in Apache Kafka

  • Feature icon
    AWS, Azure, GCP, Vault support

    We support the most popular KMS solutions with full key rotation

  • Feature icon
    No impact on applications

    No matter what client or language you use, our end-to-end encryption solution requires no client configuration

  • Feature icon
    Configured centrally

    Enforce encryption standards from a central location to ensure no policy violations and seamless application onboarding

  • Feature icon
    Encrypt down to field level

    Choose which fields are encrypted and how

  • Feature icon
    Mix KMS

    You can encrypt one field with one KMS and another field with another KMS

  • Feature icon
    Mix algorithms

    Choose the relevant encryption algorithm to support your security requirements

Whiteboard bottom visual

How does it look?

Let's walkthrough some of the magic

  • Define once, centrally

    Down to the field level, and take note:
    You can use different KMS
    You can use different algorithms

    OSX Dots{ "topic": "customer", "fields": [ { "name": "password", "keySecretId": "password-secret-key", "algorithm": { "type": "AES_GCM", "kms": "VAULT" } }, { "name": "visa", "keySecretId": "visa-secret-key", "algorithm": { "type": "AES_GCM", "kms": "AZURE" } } ] }
  • Jack sends data

    Use any Kafka client of your choice, without worrying about encryption

    OSX Dots$ echo '{ "name": "Jack", "password": "P@assw0d", "visa": "visa 21591", "address": "38 Chancery Lane, London" }' | kafka-json-schema-console-producer --bootstrap-server encryption:9092 --topic customer --producer.config jack.properties
  • Marie can't access any encrypted fields

    She has no access to any KMS and she can't see password or visa fields

    OSX Dots$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config marie.properties --from-beginning | jq . { "username": "Jack", "password": "ATwXoQmUZ26GKTU5FQzl5gFFRRnffdHUB+0J37KSiejvug==", "visa": "AV0C2uS8+NyLeTkNT6kYiBTGRnl2sgrlf6LnJcXGg+46AQ==", "address": "38 Chancery Lane, London" }
  • Eric can access visa, but not password

    Eric can decrypt the visa field, but he does not have access to password KMS: he can't decrypt it.

    OSX Dots$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config eric.properties --from-beginning | jq . { "username": "Jack", "password": "ATwXoQmUZ26GKTU5FQzl5gFFRRnffdHUB+0J37KSiejvug==", "visa": "visa 21591", "address": "38 Chancery Lane, London" }
  • Joan can access everything

    Joan has access to all keys and she can see everything

    OSX Dots$ kafka-json-schema-console-consumer --bootstrap-server encryption:9092 --topic customer --consumer.config joan.properties --from-beginning | jq . { "username": "Jack", "password": "P@assw0d", "visa": "visa 21591", "address": "38 Chancery Lane, London" }

Your data is secured withoutimpacting your existing applications

Arrange a demo to find out everything you can safeguard with Conduktor.