Troubleshoot Client-Side Field Level Encryption Issues¶
This section describes common issues that you may encounter when using client-side field level encryption. If you encounter an issue that is not listed here, please contact Confluent Support.
Key <kek> already exists; use a different value; error code: 40971¶
This error message appears if you share a KeyId that has already been
shared with the same psrc under a different lsrc.
Could not generate raw dek for <subject>; error code: 50070¶
This error message appears if you’ve set the “shared” flag on the KEK in the DEK Registry, but the DEK Registry was not able to decrypt an encrypted DEK. Ensure that you’ve updated the KMS policy in the external KMS to give Confluent permission to access the key in the KMS.
Could not generate encrypted dek for <subject>; error code: 50070¶
This error message appears when you set the “shared” flag on the KEK in the DEK Registry, but the DEK Registry could not encrypt a raw DEK. Ensure that you updated the KMS policy in the external KMS to give Confluent permission to access the key in the KMS.
The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; …)¶
This error message appears if you’ve disabled the “shared” flag on the KEK in the DEK Registry, but you did not set the AWS properties on the client.
User is denied operation Read on Kek: <kek>; error code: 40301¶
This error message appears if you failed to configure the RBAC policies to allow the client to read the KEK from the DEK Registry.
No enum constant io.confluent.kafka.schemaregistry.encryption.tink.DekFormat.<algorithm>¶
This error message appears if you configure an incorrect algorithm for the
encryption rule. The currently supported values are AES128_GCM, AES256_GCM,
and AES256_SIV.
Type ‘INT’ not supported for encryption¶
This error message appears if you attempt to encrypt a field that is not of type string or bytes.
The schema has embedded tags that do not exist, please create them: [<tag>]; error code: 42250¶
This error message appears if you attempt to use a tag that does not exist in Confluent Cloud. To fix, create the appropriate tag definition before using it in an encryption rule.