Configuration Settings for Client-Side Field Level Encryption¶
Client-side field level encryption (CSFLE) supports the following configuration parameters.
Common Parameters¶
The following configuration parameters can be used with all CSFLE rule executors.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.preserve.source.fields | For performance
reasons, the fields of a message are updated during field-level
transforms. For field-level encryption, this results in the field
values being replaced with the encrypted field values. If the original
field values should be retained in the message, then set this property
to true. |
AWS CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables named AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.access.key.id | The AWS access key identifier. |
| rule.executors._default_.param.secret.access.key | The AWS secret access key. |
Azure CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables named AZURE_TENANT_ID, AZURE_CLIENT_ID,
and AZURE_CLIENT_SECRET.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.tenant.id | The Azure tenant identifier. |
| rule.executors._default_.param.client.id | The Azure client identifier. |
| rule.executors._default_.param.client.secret | The Azure client secret. |
Google Cloud CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified in a Google Cloud JSON credentials file and the filename specified using
the environment variable GOOGLE_APPLICATION_CREDENTIALS.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.account.type | The Google Cloud account type. |
| rule.executors._default_.param.client.id | The Google Cloud client identifier. |
| rule.executors._default_.param.client.email | The Google Cloud client email address. |
| rule.executors._default_.param.private.key.id | The Google Cloud private key identifier. |
| rule.executors._default_.param.private.key | The Google Cloud private key. |
HashiCorp Vault CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables named VAULT_TOKEN and VAULT_NAMESPACE.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.token.id | The token identifier for HashiCorp Vault. |
| rule.executors._default_.param.namespace | The namespace for HashiCorp Vault Enterprise (optional). |
Local CSFLE rule executor¶
For testing only, the following configuration parameters can be passed. Alternatively, the value
can be specified using an environment variable named LOCAL_SECRET.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.secret | A randomly generated secret, such as one obtained by running openssl rand -base64 16quick. |