Encrypt and Protect Data on Confluent Cloud
Learn how to encrypt and protect your data on Confluent Cloud. This includes securing data at rest and data in motion, to help ensure that your sensitive information is safeguarded against unauthorized access.
Manage data in transit with TLS
Transport Layer Security (TLS) is a protocol that provides secure communication over a network. TLS is used to secure data in transit, such as data that is transmitted between services or applications. In Confluent Cloud, TLS is used to secure data in transit between your Confluent Cloud resources and your external systems.
To learn more, see Manage Data in Transit with TLS on Confluent Cloud.
Encrypt data at rest using self-managed encryption keys
Learn how to use self-managed encryption keys to secure your data stored on Confluent Cloud clusters.
To learn more, see Protect Data at Rest Using Self-Managed Encryption Keys on Confluent Cloud.
Client-Side Field Level Encryption (CSFLE) is the recommended approach to protecting sensitive data; however, Client-Side Payload Encryption (CSPE) can be used in cases where you are unable to use CSFLE, for example:
- A clear schema is not yet defined, or the schema is highly dynamic. If the schema is not known, a simple Avro “bytes” schema can be used with CSPE.
- The schema is extremely large (for example, thousands of fields), making manual tagging impractical.
- A CISO team or internal mandate requires full payload encryption for all data within a message.
- You need to move to production quickly and plan to evolve your schema and adopt CSFLE later.
It is recommended that you follow this hierarchy for sensitive data governance:
1. Send all data to Confluent without client-side encryption, to fully leverage managed services such as Flink and Kafka Connect.
2. If client-side encryption is absolutely required for compliance, use Client-Side Field Level Encryption (CSFLE). Use CSPE only if no other option fits.
| Feature | CSFLE | CSPE |
|---|---|---|
| Encryption Scope | Encrypts specific, sensitive fields. | Encrypts the entire message payload. |
| Rule Definition | Requires defining fields via tags. | No tag definition is required, since the entire payload is encrypted. |
| Rule Type | Uses the | Uses the ENCRYPT_PAYLOAD rule type (Encoding Rule). |
| Access Granularity | Allows separation of encrypted and non-encrypted fields; fields not encrypted are readable. | Provides all-or-nothing access to the data; the consumer accesses all data or none. |
| Rule Structure | Schema Subject + Tags + KEK. | Schema Subject + KEK. |
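The table above contrasts the two approaches in prose. The following added example (not Confluent's code and not from this page) makes the "Rule Definition" and "Access Granularity" rows concrete: it walks a constructed Avro schema carrying `confluent:tags`, builds a CSFLE-style domain rule set and a CSPE-style encoding rule set, and reports which fields a consumer that cannot unwrap the KEK would still be able to read. The JSON shape of the rule sets (the `domainRules`/`encodingRules` keys, the `ENCRYPT` domain rule type, and the `encrypt.kek.name` parameter) is assumed from general knowledge of Schema Registry rule sets rather than taken from this page; no key material or real encryption is involved, only the tag-to-field mapping that decides what gets encrypted.

```python
"""Decide which fields remain readable without the KEK under a CSFLE rule
set (only tagged fields are encrypted) versus a CSPE rule set (the whole
payload is encrypted). Added example; rule-set JSON shape is an assumption."""

# Constructed Avro schema: only fields tagged "PII" are meant to be encrypted.
CUSTOMER_SCHEMA = {
    "type": "record",
    "name": "Customer",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "email", "type": "string", "confluent:tags": ["PII"]},
        {"name": "plan", "type": "string"},
        {"name": "address", "type": {
            "type": "record", "name": "Address",
            "fields": [
                {"name": "city", "type": "string"},
                {"name": "street", "type": "string", "confluent:tags": ["PII"]},
            ],
        }},
    ],
}


def csfle_rule_set(kek_name, tags):
    """Domain rule: encrypt only the fields carrying one of `tags`.
    Rule structure is Schema Subject + Tags + KEK, as in the table.
    Assumed shape: type ENCRYPT, params encrypt.kek.name."""
    return {"domainRules": [{
        "name": "encryptPII", "kind": "TRANSFORM", "mode": "WRITEREAD",
        "type": "ENCRYPT", "tags": list(tags),
        "params": {"encrypt.kek.name": kek_name},
    }]}


def cspe_rule_set(kek_name):
    """Encoding rule: ENCRYPT_PAYLOAD covers the entire serialized message,
    so no tags are needed (Schema Subject + KEK only)."""
    return {"encodingRules": [{
        "name": "encryptPayload", "kind": "TRANSFORM", "mode": "WRITEREAD",
        "type": "ENCRYPT_PAYLOAD",
        "params": {"encrypt.kek.name": kek_name},
    }]}


def field_paths(schema, prefix=""):
    """Yield (dotted_path, tags) for every leaf field, descending into nested records."""
    for field in schema["fields"]:
        path = f"{prefix}{field['name']}"
        ftype = field["type"]
        if isinstance(ftype, dict) and ftype.get("type") == "record":
            yield from field_paths(ftype, path + ".")
        else:
            yield path, set(field.get("confluent:tags", []))


def encrypted_fields(schema, rule_set):
    """Field paths whose plaintext is unavailable to a consumer without the KEK."""
    if rule_set.get("encodingRules"):
        # Payload encryption is all-or-nothing: the consumer cannot even
        # deserialize the record, so every field is unavailable.
        return {path for path, _ in field_paths(schema)}
    rule_tags = set()
    for rule in rule_set.get("domainRules", []):
        if rule["type"] == "ENCRYPT":
            rule_tags |= set(rule.get("tags", []))
    # Field-level encryption touches only fields whose tags match a rule.
    return {path for path, tags in field_paths(schema) if tags & rule_tags}


def readable_without_kek(schema, rule_set):
    """Field paths a consumer can read without ever unwrapping the KEK."""
    return {path for path, _ in field_paths(schema)} - encrypted_fields(schema, rule_set)


if __name__ == "__main__":
    for label, rule_set in (
        ("CSFLE", csfle_rule_set("customer-kek", ["PII"])),
        ("CSPE", cspe_rule_set("customer-kek")),
    ):
        print(label, "readable without KEK:",
              sorted(readable_without_kek(CUSTOMER_SCHEMA, rule_set)))
```

Running the block prints `id`, `plan` and `address.city` as readable under CSFLE and nothing under CSPE, which is the practical consequence of the "Access Granularity" row: a field-level rule lets downstream services such as Flink and Connect keep working on the untagged fields, while a payload rule hides the whole record from anyone without the key.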
Protect sensitive data using Client-Side Field Level Encryption
Use CSFLE to add an extra layer of security for specific data fields, to help ensure that even if data is accessed without authorization, it remains unreadable without the decryption keys.
To learn more, see Protect Sensitive Data Using Client-Side Field Level Encryption on Confluent Cloud.
Protect sensitive data using Client-Side Payload Encryption
Use Client-Side Payload Encryption (CSPE) to easily encrypt entire messages at the payload or message level. This feature provides comprehensive security assurance without the operational burden of field-by-field encryption.
To learn more, see Protect Sensitive Data Using Client-Side Payload Encryption on Confluent Cloud.