Manage Client-Side Field Level Encryption using Confluent Cloud Console

You can use the Confluent Cloud Console to manage client-side field level encryption (CSFLE) for protecting your organization’s sensitive data in Confluent Cloud on AWS, Azure, and Google Cloud.

For requirements and supported clients, see Requirements.

Steps to manage CSFLE

To manage CSFLE, here are the high-level steps:

  1. Define the schema for the data that you want to encrypt.
  2. Add tags to the fields in the schema that you want to encrypt.
  3. Create encryption keys.
  4. Add encryption rules.
  5. Grant RBAC permissions.

If you do not grant Confluent access to your Key Encryption Key (KEK), you need to set up the proper configurations for producers and consumers to access the KEKs.

View encryption rules

To view encryption rules:

  1. Go to the Confluent Cloud Console and select your environment.

  2. In the left navigation menu, click Stream Governance > Schema Registry > Rules.

    The Rules page displays.

On the Rules page, you see a listing of any existing encryption rules. For each of the existing rules, the following information is displayed:

  • Schema subject name
  • Rule name
  • Rule category
  • Tags

Add an encryption rule

Follow the steps below to add encryption rules, which define the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You also specify tags to identify the fields that you want to encrypt.

  • To minimize risk, you can use different encryption keys for different fields. For example, you can use different encryption keys for a credit card number and the CVC code. If someone compromises one of the keys, the secured key continues to protect some of your data.
  • Encryption is only supported for fields of type string or bytes.

  1. Open the Confluent Cloud Console and select your environment.

  2. In the left navigation menu, click Stream Governance > Schema Registry > Rules.

    The Rules page displays.

  3. If there are no existing rules, click Evolve and then click Add rules. If there are existing rules, click Data contracts, click Evolve, and then click Rules.

    The Domain rules page displays.

  4. Click Add rule. The Add rule side panel displays.

  5. Create encryption rules for the fields in the schema subject that you want to encrypt.

    1. Open the Category dropdown list and select Data encryption rule.

    2. Enter a Rule name. Enter a meaningful name that is unique within the schema subject.

    3. Enter a Description.

    4. In the Encrypt fields with section, select the Tags that the rules apply to and select the Encryption key that you want to use.

    5. In the Apply action on section, select the options that you want to apply to the fields that you want to encrypt. You can apply the following actions:

      • On failure (WRITE): Default is ERROR.
      • On success (WRITE): Default is NONE.
      • On failure (READ): Default is ERROR.
      • On success (READ): Default is NONE.

      For each action, you can select the following options:

      • None
      • DLQ
      • Error

      For example, if you select On failure (WRITE) and DLQ, and the write operation fails, the record is sent to the dead letter queue.

      If you select On success (WRITE) and Error, and the write operation succeeds, an error is returned.

    6. In the Parameters section, you can optionally add parameters to the rule.

      The parameters are key-value pairs that you can use to configure the rule.

    7. Click Add. The new rule defines the fields that you want to encrypt and the encryption key that you want to use to encrypt the fields. You can use the same encryption key for multiple fields.

    8. Click Add to save the rule, or click Add another rule to add more encryption rules.

      The Encryption rules page displays with the new encryption rules.
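As an added example (not code from the Confluent documentation), the Python below maps the console fields above onto the equivalent data-contract rule JSON and checks the string-or-bytes restriction against a constructed Avro schema; the schema, tag names, KEK name and helper names are assumptions.

```python
import json

# Constructed sample Avro schema; "confluent:tags" is how fields are tagged for CSFLE rules.
SAMPLE_SCHEMA = {
    "type": "record",
    "name": "Payment",
    "fields": [
        {"name": "id", "type": "string"},
        {"name": "card_number", "type": "string", "confluent:tags": ["PII"]},
        {"name": "cvc", "type": ["null", "bytes"], "default": None, "confluent:tags": ["CVC"]},
        {"name": "amount_cents", "type": "long", "confluent:tags": ["PII"]},
    ],
}

ENCRYPTABLE = {"string", "bytes"}
ACTIONS = {"NONE", "DLQ", "ERROR"}


def base_type(field_type):
    """Unwrap a nullable union like ["null", "string"] to its payload type name."""
    if isinstance(field_type, list):
        non_null = [t for t in field_type if t != "null"]
        return non_null[0] if len(non_null) == 1 else None
    return field_type if isinstance(field_type, str) else None


def unencryptable_fields(schema, tags):
    """Names of tagged fields whose type is not string or bytes (the rule cannot encrypt them)."""
    return [
        f["name"]
        for f in schema["fields"]
        if set(f.get("confluent:tags", [])) & set(tags) and base_type(f["type"]) not in ENCRYPTABLE
    ]


def build_encrypt_rule(name, tags, kek_name, on_failure=("ERROR", "ERROR"),
                       on_success=("NONE", "NONE"), doc=""):
    """Build one ENCRYPT domain rule. on_failure/on_success are (WRITE, READ) action
    pairs serialized as "WRITE,READ", mirroring the four "Apply action on" dropdowns."""
    for action in (*on_failure, *on_success):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
    return {
        "name": name, "doc": doc, "kind": "TRANSFORM", "type": "ENCRYPT", "mode": "WRITEREAD",
        "tags": list(tags),
        "params": {"encrypt.kek.name": kek_name},  # name given on the Encryption keys page
        "onFailure": ",".join(on_failure), "onSuccess": ",".join(on_success),
    }


def rule_set_json(rules):
    """Serialize rules into the data contract's ruleSet structure."""
    return json.dumps({"ruleSet": {"domainRules": rules}}, indent=2)
```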

Add an encryption key

Before you can add an encryption rule, you must create an encryption key. You can create an encryption key using the Confluent Cloud Console.

  1. Open the Confluent Cloud Console and select your environment.

  2. In the left navigation menu, click Stream Governance > Schema Registry > Encryption keys.

    The Encryption keys page displays.

  3. Click Add encryption key.

    The Add encryption key page displays.

  4. In the Name field, enter a meaningful name.

  5. In the Key management system provider field, select the key management service that you want to use to manage the encryption key. Supported key management options include AWS, Azure, and Google Cloud.

Follow the steps below to create an encryption key for each key management service if you are allowing Confluent to access your key management service. If you are not allowing Confluent to access your key management service, you can skip the steps below.

  1. Enter the following information.

    Field                           Description
    Name                            Enter a meaningful name.
    Key management system provider  Select AWS.
    Amazon resource name (key ID)   Go to your AWS Management Console, get the resource name, and enter it.
    Description                     Enter a useful description.

  2. Enable Share encryption key access with Confluent Cloud.

    This enables Confluent Cloud to use the Key Encryption Key (KEK) to temporarily decrypt fields required for operations within Confluent Cloud resources, such as Schema Registry, ksqlDB, and Flink. To filter data within your records, encrypted content needs to be temporarily decrypted within Confluent Cloud to perform the operation. Confluent Cloud does not store decrypted data, and Confluent Cloud users cannot access it.

  3. Ensure that the AWS key policy of the AWS KMS key entered above contains the code block (displayed in the Confluent Cloud Console) to authorize access to the key by Confluent to perform stream processing.

  4. Click Add. The Encryption rules page displays with the new encryption key.