Manage Client-Side Field Level Encryption using Confluent Cloud Console

You can use the Confluent Cloud Console to manage client-side field level encryption (CSFLE) for protecting your organization’s sensitive data in Confluent Cloud on AWS, Azure, and Google Cloud.

For requirements and supported clients, see Requirements.

Steps to manage CSFLE

To manage CSFLE, here are the high-level steps:

1. Define the schema for the data that you want to encrypt.
2. Add tags to the fields in the schema that you want to encrypt.
3. Create encryption keys.
4. Add encryption rules.
5. Grant RBAC permissions.

If you do not grant Confluent access to your Key Encryption Key (KEK), you need to set up the proper configurations for producers and consumers to access the KEKs.

View encryption rules

To view encryption rules:

1. Go to the Confluent Cloud Console and select your environment.
2. In the right panel, under Encryption rules, click View & manage. The Encryption rules page displays.

On the Encryption rules page, you see a listing of any existing encryption rules. For each of the existing rules, the following information is displayed:

• Schema subject
• Rule name
• Tags
• Encryption key

Add an encryption rule

Follow the steps below to add encryption rules, which define the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You also specify tags to identify the fields that you want to encrypt.

• To minimize risk, you can use different encryption keys for different fields. For example, you can use different encryption keys for a credit card number and the CVC code. If someone compromises one of the keys, the secured key continues to protect some of your data.
• Encryption is only supported for fields of type string or bytes.

1. Open the Confluent Cloud Console and select your environment.

2. In the right panel, find Encryption rules and click Add now. The Add encryption rules page displays.

3. Select the Schema subject for which you want to add an encryption rule.

4. Enter a Rule name. Enter a meaningful name that is unique within the schema subject.

5. Create encryption rules for the fields in the schema subject that you want to encrypt.

   1. Click Tags and select the tags that you want to associate with the field. You can use tags to identify the fields that you want to encrypt. For example, you can use the tag PII to identify the fields that you want to encrypt for personally identifiable information (PII).

   2. In the Encryption key field, select the key to use.

      If you have not yet created an encryption key, click the dropdown list and click Create encryption keys. The Add encryption key page appears. Create an encryption key and click Add. After you create the encryption key, you can select it from the Encryption key dropdown list. For details, see Add an encryption key below.

   The new rule defines the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You can use the same encryption key for multiple fields.

   To add more encryption rules, click Add another rule and repeat the steps above until you have added all the encryption rules that you want.

6. Enable Share encryption key access with Confluent Cloud. This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.

   If this option is not enabled, temporary decryption of fields required to perform operations within Confluent Cloud resources is not possible. This means that you cannot use Confluent Cloud resources to filter or transform data within your records.

7. To share encryption key access with your Confluent Cloud resources, follow the displayed instructions to grant Confluent permission to your KMS.

8. Click Add. The Encryption rules page displays with the new encryption rules.

Add an encryption key

Before you can add an encryption rule, you must create an encryption key. You can create an encryption key using the Confluent Cloud Console.

1. Open the Confluent Cloud Console and select your environment.
2. In the right panel, find Encryption rules and click Add now. The Add encryption key page displays.
3. In the Name field, enter a meaningful name.
4. In the Key management system provider field, select the key management service that you want to use to manage the encryption key. Supported key management options include AWS, Azure, and Google Cloud.

Follow the steps below to create an encryption key for each key management service if you are allowing Confluent to access your key management service. If you are not allowing Confluent to access your key management service, you can skip the steps below.

AWSAzureGoogle Cloud

1. Enter the following information.

Field	Description
Name	Enter a meaningful name.
Key management system provider	Select AWS.
Amazon resource name (key ID)	Go to your AWS Management Console, get the resource name, and enter it.
Description	Enter a useful description.

1. Enable Share encryption key access with Confluent Cloud.

   This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.

2. Ensure that the AWS key policy of the AWS KMS key entered above contains the code block (displaying in the Confluent Cloud Console) to authorize access to the key by Confluent to perform stream processing.

3. Click Add. The Encryption rules page displays with the new encryption key.