Configuration Parameters for Client-Side Field Level Encryption¶
Client-side field level encryption (CSFLE) supports the following configuration parameters.
Common Parameters¶
The following configuration parameters can be used with all CSFLE rule executors.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.preserve.source.fields | For performance
reasons, the fields of a message are updated during field-level
transforms. For field-level encryption, this results in the field
values being replaced with the encrypted field values. If the original
field values should be retained in the message, then set this property
to true. |
AWS CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables, such as AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY, AWS_PROFILE, AWS_ROLE_ARN,
AWS_ROLE_SESSION_NAME, and AWS_ROLE_EXTERNAL_ID.
If no configuration parameters are passed, the client uses the default credentials provider chain.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.access.key.id | The AWS access key identifier. |
| rule.executors._default_.param.secret.access.key | The AWS secret access key. |
| rule.executors._default_.param.profile | The AWS profile to use. |
| rule.executors._default_.param.role.arn | The AWS role ARN to use. |
| rule.executors._default_.param.role.session.name | The AWS role session name to use. |
| rule.executors._default_.param.role.external.id | The AWS role external ID to use. |
Azure CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables named AZURE_TENANT_ID, AZURE_CLIENT_ID,
and AZURE_CLIENT_SECRET.
If no configuration parameters are passed, the client uses the default credentials chain.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.tenant.id | The Azure tenant identifier. |
| rule.executors._default_.param.client.id | The Azure client identifier. |
| rule.executors._default_.param.client.secret | The Azure client secret. |
Google Cloud CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified in a Google Cloud JSON credentials file and the filename specified using
the environment variable GOOGLE_APPLICATION_CREDENTIALS.
If no configuration parameters are passed, the client uses the application default credentials.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.account.type | The Google Cloud account type. |
| rule.executors._default_.param.client.id | The Google Cloud client identifier. |
| rule.executors._default_.param.client.email | The Google Cloud client email address. |
| rule.executors._default_.param.private.key.id | The Google Cloud private key identifier. |
| rule.executors._default_.param.private.key | The Google Cloud private key. |
HashiCorp Vault CSFLE rule executor¶
The following configuration parameters can be passed. Alternatively, the values
can be specified using environment variables named VAULT_TOKEN and VAULT_NAMESPACE.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.token.id | The token identifier for HashiCorp Vault. |
| rule.executors._default_.param.namespace | The namespace for HashiCorp Vault Enterprise (optional). |
Local CSFLE rule executor¶
For testing only, the following configuration parameters can be passed. Alternatively, the value
can be specified using an environment variable named LOCAL_SECRET.
| Parameter | Description |
|---|---|
| rule.executors._default_.param.secret | A randomly generated secret, such as one obtained by running openssl rand -base64 16quick. |