Configuration Parameters for Client-Side Field Level Encryption
Client-side field level encryption (CSFLE) supports the following configuration parameters.
Common Parameters
The following configuration parameters can be used with all CSFLE rule executors.
Parameter | Description |
|---|---|
rule.executors._default_.param.preserve.source.fields | For performance reasons, the fields of a message are updated during field-level transforms. For field-level encryption, this results in the field values being replaced with the encrypted field values. If the original field values should be retained in the message, then set this property to |
AWS CSFLE rule executor
The following configuration parameters can be passed. Alternatively, the values can be specified using environment variables, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, and AWS_ROLE_EXTERNAL_ID.
If no configuration parameters are passed, the client uses the default credentials provider chain.
Parameter | Description |
|---|---|
rule.executors._default_.param.access.key.id | The AWS access key identifier. |
rule.executors._default_.param.secret.access.key | The AWS secret access key. |
rule.executors._default_.param.profile | The AWS profile to use. |
rule.executors._default_.param.role.arn | The AWS role ARN to use. |
rule.executors._default_.param.role.session.name | The AWS role session name to use. |
rule.executors._default_.param.role.external.id | The AWS role external ID to use. |
Azure CSFLE rule executor
The following configuration parameters can be passed. Alternatively, the values can be specified using environment variables named AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET.
If no configuration parameters are passed, the client uses the default credentials chain.
Parameter | Description |
|---|---|
rule.executors._default_.param.tenant.id | The Azure tenant identifier. |
rule.executors._default_.param.client.id | The Azure client identifier. |
rule.executors._default_.param.client.secret | The Azure client secret. |
Google Cloud CSFLE rule executor
The following configuration parameters can be passed. Alternatively, the values can be specified in a Google Cloud JSON credentials file and the filename specified using the environment variable GOOGLE_APPLICATION_CREDENTIALS.
If no configuration parameters are passed, the client uses the application default credentials.
Parameter | Description |
|---|---|
rule.executors._default_.param.account.type | The Google Cloud account type. |
rule.executors._default_.param.client.id | The Google Cloud client identifier. |
rule.executors._default_.param.client.email | The Google Cloud client email address. |
rule.executors._default_.param.private.key.id | The Google Cloud private key identifier. |
rule.executors._default_.param.private.key | The Google Cloud private key. |
HashiCorp Vault CSFLE rule executor
The following configuration parameters can be passed. Alternatively, the values can be specified using environment variables named VAULT_TOKEN and VAULT_NAMESPACE.
Parameter | Description |
|---|---|
rule.executors._default_.param.token.id | The token identifier for HashiCorp Vault. |
rule.executors._default_.param.namespace | The namespace for HashiCorp Vault Enterprise (optional). |
Local CSFLE rule executor
For testing only, the following configuration parameters can be passed. Alternatively, the value can be specified using an environment variable named LOCAL_SECRET.
Parameter | Description |
|---|---|
rule.executors._default_.param.secret | A randomly generated secret, such as one obtained by running |