Frequently Asked Questions about Client-Side Field Level Encryption

What is client-side field level encryption?

Client-side field level encryption (CSFLE) is a mechanism that encrypts specific fields to ensure that sensitive data is never stored in plaintext. The encryption and decryption of these fields is performed client-side, meaning that the sensitive data is never sent to Confluent Cloud in plaintext. This mechanism is designed to protect sensitive data from unauthorized access, even by Confluent Cloud administrators.

  • All sensitive data should be encrypted on clients such as Kafka producers and consumers.
  • Organizations own and manage the encryption keys in their own key management system (KMS).
  • Confluent does not have access to the encryption keys or data in plaintext.
  • CSFLE is based on existing governance capabilities like Schema Registry and tags.

Why should I use client-side field level encryption?

Here are some reasons to use client-side field level encryption:

  • Confluent employees, including SRE and Engineering, cannot access sensitive data, even when they have access to the Confluent Cloud environment and clusters.
  • Sensitive data cannot be exposed through third-party tools such as Amazon S3, Datadog, Splunk, or other tools that integrate with Confluent Cloud.
  • CSLFE meets important compliance requirements for data privacy and security.

Which fields should be encrypted?

  • Only encrypt fields that contain sensitive data. For example, encrypt fields that contain personally identifiable information (PII) such as social security numbers, credit card numbers, or other sensitive data.

  • Do not encrypt fields that are used for filtering or sorting. For example, fields used for filtering or sorting should not be encrypted because encrypted data cannot be filtered or sorted.

  • All data at rest in Confluent Cloud is encrypted by default and is transparent to the user – this is server-side encryption and is not client-side field level encryption.

    You can also use self-managed keys for server-side encryption for your Kafka clusters in Confluent Cloud. For more information, see Using Self-Managed Keys for Server-Side Encryption.

What encryption algorithm is used?

By default, the data encryption key uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit keys (also referred to as AES-256-GCM).

Is Hashicorp Vault supported?

Yes, Hashicorp Vault Transit Secrets Engine is supported. For more information, see Encryption as a Service: Transit Secrets Engine.

What is the pricing for client-side field level encryption?

For Confluent Cloud, CSFLE is only available as part of the Stream Governance Advanced package. For more information, see Stream Governance - Advanced.