Manage Client-Side Field Level Encryption using Confluent Cloud Console¶

You can use the Confluent Cloud Console to manage client-side field level encryption (CSFLE) for protecting your organization’s sensitive data in Confluent Cloud on AWS, Azure, and Google Cloud.

Requirements¶

To use CSFLE with Confluent Cloud:

Stream Governance Advanced package is enabled.
Clients must use the following Confluent Platform versions:
- 7.4.5 or later
- 7.5.4 or later
- 7.6.1 or later
Use the following supported Kafka serializers and deserializers:
- Avro. For more information, see Avro Schema Serializer and Deserializer for Schema Registry.
- JSON Schema. For more information, see JSON Schema Serializer and Deserializer for Schema Registry.
- Protobuf. For more information, see Protobuf Schema Serializer and Deserializer for Schema Registry.
Manage encryption keys using one of the following key management services:
- AWS Key Management Service (AWS KMS)
- Azure Key Vault
- Google Cloud Key Management Service (Cloud KMS)
- Hashicorp Vault Transit Secrets Engine
- Local key (for testing only)

View encryption rules¶

To view encryption rules:

Go to the Confluent Cloud Console and select your environment.
In the right panel, under Encryption rules, click View & manage. The Encryption rules page displays.

On the Encryption rules page, you see a listing of any existing encryption rules. For each of the existing rules, the following information is displayed:

Schema subject
Rule name
Tags
Encryption key

Add an encryption rule¶

Follow the steps below to add encryption rules, which define the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You also specify tags to identify the fields that you want to encrypt.

You can add multiple encryption rules for a schema subject.
To minimize risk, you can use different encryption keys for different fields. For example, you can use different encryption keys for a credit card number and the CVC code. If someone compromises one of the keys, the secured key continues to protect some of your data.
Encryption is only supported for fields of type string or bytes.

Open the Confluent Cloud Console and select your environment.
In the right panel, find Encryption rules and click Add now. The Add encryption rules page displays.
Select the Schema subject for which you want to add an encryption rule.
Enter a Rule name. Enter a meaningful name that is unique within the schema subject.
Create encryption rules for the fields in the schema subject that you want to encrypt.
1. Click Tags and select the tags that you want to associate with the field. You can use tags to identify the fields that you want to encrypt. For example, you can use the tag PII to identify the fields that you want to encrypt for personally identifiable information (PII).
2. In the Encryption key field, select the key to use.
  
  If you have not yet created an encryption key, click the dropdown list and click Create encryption keys. The Add encryption key page appears. Create an encryption key and click Add. After you create the encryption key, you can select it from the Encryption key dropdown list. For details, see Add an encryption key below.
The new rule defines the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You can use the same encryption key for multiple fields.

To add more encryption rules, click Add another rule and repeat the steps above until you have added all the encryption rules that you want.
Enable Share encryption key access with Confluent Cloud. This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.

If this option is not enabled, temporary decryption of fields required to perform operations within Confluent Cloud resources is not possible. This means that you cannot use Confluent Cloud resources to filter or transform data within your records.
To share encryption key access with your Confluent Cloud resources, follow the displayed instructions to grant Confluent permission to your KMS.
Click Add. The Encryption rules page displays with the new encryption rules.

Add an encryption key¶

Before you can add an encryption rule, you must create an encryption key. You can create an encryption key using the Confluent Cloud Console.

Open the Confluent Cloud Console and select your environment.
In the right panel, find Encryption rules and click Add now. The Add encryption key page displays.
In the Name field, enter a meaningful name.
In the Key management system provider field, select the key management service that you want to use to manage the encryption key. Supported key management options include AWS, Azure, and Google Cloud.

Follow the steps below to create an encryption key for each key management service if you are allowing Confluent to access your key management service. If you are not allowing Confluent to access your key management service, you can skip the steps below.

Enter the following information.

Field	Description
Name	Enter a meaningful name.
Key management system provider	Select AWS.
Amazon resource name (key ID)	Go to your AWS Management Console, get the resource name, and enter it.
Description	Enter a useful description.

Enable Share encryption key access with Confluent Cloud.

This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.
Ensure that the AWS key policy of the AWS KMS key entered above contains the code block (displaying in the Confluent Cloud Console) to authorize access to the key by Confluent to perform stream processing.
Click Add. The Encryption rules page displays with the new encryption key.

Enter the following information.

Field	Description
Name	Enter a meaningful name.
Key management system provider	Select Azure.
Azure Key Vault resource name (key ID)	Go to your Azure Portal Key Vaults page, copy the resource name, and paste it.
Azure tenant ID	Enter your Azure tenant ID.
Azure client ID	Enter your Azure client ID. The `clientId` is created below in the step for creating a user-assigned managed identity.
Description	Enter a useful description.

Enable Share encryption key access with Confluent Cloud. This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.
Create a Resource Group or use an existing one. Here’s an example of creating a Resource Group:
```
az group create
  --name rg-confluent-keyvault-access
  --location <region>
```
For more information, see az group create.
Create a user-assigned managed identity or use an existing one. Make note of the clientId. Here’s an example of creating an identity and outputting its clientId:
```
az identity create
  --name confluent-keyvault-access
  --resource-group rg-confluent-keyvault-access
  --query clientId -o tsv
```
For more information, see az identity create.

Create a custom role with the following permissions:

Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/encrypt/action
Microsoft.KeyVault/vaults/keys/decrypt/action

Here’s an example of creating a custom role assignable at the subscription level, called “Confluent Schema Registry Key Vault Access”:

az role definition create \
  --role-definition '{
    "Name": "Confluent Schema Registry Key Vault Access",
    "Description": "Confluent Schema Registry Key Vault Access",
    "Actions": [
      "Microsoft.KeyVault/vaults/keys/read",
      "Microsoft.KeyVault/vaults/keys/encrypt/action",
      "Microsoft.KeyVault/vaults/keys/decrypt/action"
    ],
    "AssignableScopes": [
      "/subscriptions/<subscription-id>"
    ]
  }'

For more information, see Azure custom roles.

Get the principalId of the user-assigned managed identity and grant it access to the key vault using the “Confluent Schema Registry Key Vault Access” role created above. Here’s an example:

principalId=$(az identity show -n confluent-keyvault-access -g rg-confluent-keyvault-access --query principalId -o tsv)
az role assignment create \
    --role "Confluent Schema Registry Key Vault Access" \
    --scope "$(az keyvault show --name "<your keyvault name>" --query id --output tsv)" \
    --assignee-object-id "$principalId"

Create a federated identity credential between the user-assigned managed identity and the PSRC’s service account. This can be done running the Azure CLI command displaying in Confluent Cloud Console. Here’s an example for psrc-abc123:

az identity federated-credential create \
  --name fc-confluent-keyvault-access \
  --identity-name confluent-keyvault-access \
  --resource-group rg-confluent-keyvault-access \
  --issuer https://centralus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/ \
  --subject system:serviceaccount:psrc-abc123:default

For more information, see Federated Identity Credential.

Click Add. The Encryption rules page displays with the new encryption key.

Enter the following information.

Field	Description
Name	Enter a meaningful name.
Key management system provider	Select GCP.
Google Cloud resource name (key ID)	Go to your Google Cloud Key Management page, copy the resource name, and paste it.
Description	Enter a useful description.

Enable Share encryption key access with Confluent Cloud. This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.
In the Google Cloud Console, create a custom role and add the following required permissions to the role:
```
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
```
Go to the Google Cloud KMS console and give access to the Confluent Service Account with the custom role selected. Here is an example of the Confluent Service Account:
```
psrc-abc123@cc-gc.iam.gserviceaccount.com
```
Click Add. The Encryption rules page displays with the new encryption key.