Manage CSFLE for partner-managed connectors

This page describes the setup and guidelines for configuring Client-Side Field-Level Encryption (CSFLE) for partner-managed connectors. The objective is to enable partners to implement, validate, and certify their connectors for CSFLE compatibility in self-managed environments.

Note

No additional changes are required to enable CSFLE for self-managed connectors. Confluent Platform already includes the necessary Avro, Protobuf, and JSON Schema Registry (JSON_SR) converter JARs required to run connectors with CSFLE.

Considerations

Partners should avoid repackaging these JARs to prevent class-loading issues and runtime failures. CSFLE should work natively with all self-managed connectors without explicit modifications.

Best Practices

  1. Avoid writing to intermediate topics or persistent storage: The current implementation of CSFLE encrypts only topics with well-defined schemas. If data appears to have a schema but doesn’t actually follow one, like JSON stored as a single opaque string, its fields will not be encrypted. In this context, an intermediate topic may inadvertently store unencrypted data. To mitigate this risk, partners must ensure that data is written only to topics that have a well-defined schema with appropriate encryption rules.

  2. Dead Letter Queue (DLQ) Management: For sink connectors that utilize a DLQ, partners must ensure that the original record, as received from runtime, is reported to the DLQ without any modifications. If records are altered before being written to the DLQ, they may be stored in plaintext, compromising encryption integrity.

    • Correct implementation: The implementation below preserves the original encrypted record and ensures that it remains encrypted when written to the DLQ.

      // error is the exception caught while processing originalRecord
      errantRecordReporter.report(originalRecord, error); // Reporting unmodified record (Correct)

    • Incorrect implementation: In this case, modifying the original record results in plaintext data being written to the DLQ, which is undesirable.

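      // Creating a new record instance from the original
      SinkRecord newRecord = record.newRecord(record.topic(), record.kafkaPartition(),
          record.keySchema(), record.key(), record.valueSchema(), record.value(), record.timestamp());
      errantRecordReporter.report(newRecord, error); // Reporting modified record (Incorrect)
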
  3. Reporter topics management: Some connectors use additional reporter topics, such as error, success, or audit topics, to log records that were processed successfully or that encountered errors. Currently, these topics do not support encryption, meaning any data written to them will remain unencrypted. Partners should avoid writing entire records or sensitive data to these topics to prevent unintended plaintext exposure.
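
The DLQ guidance in item 2, shown in context as an added example (not Confluent's or any partner's connector code): a minimal sink task that reports the exact record instance it received in put(). The class name ExampleSinkTask and the writeToTarget helper are hypothetical; the Kafka Connect types and methods are the standard Connect API.

```java
import java.util.Collection;
import java.util.Map;
import org.apache.kafka.connect.errors.ConnectException;
import org.apache.kafka.connect.sink.ErrantRecordReporter;
import org.apache.kafka.connect.sink.SinkRecord;
import org.apache.kafka.connect.sink.SinkTask;

// Hypothetical sink task: the class name and writeToTarget() are illustrative.
public class ExampleSinkTask extends SinkTask {
    private ErrantRecordReporter reporter; // null when no DLQ is configured

    @Override
    public String version() { return "0.0.0-example"; }

    @Override
    public void start(Map<String, String> props) {
        try {
            reporter = context.errantRecordReporter();
        } catch (NoSuchMethodError | NoClassDefFoundError e) {
            reporter = null; // runtime predates the errant record reporter API
        }
    }

    @Override
    public void put(Collection<SinkRecord> records) {
        for (SinkRecord record : records) {
            try {
                // Derive what the target system needs in a local value only;
                // the SinkRecord itself is never rebuilt or mutated.
                Object payload = record.value();
                writeToTarget(record.topic(), payload);
            } catch (Exception e) {
                if (reporter == null) {
                    throw new ConnectException("Write failed and no DLQ is configured", e);
                }
                // Report the same instance the runtime passed to put(): not a copy,
                // not a record from newRecord(), not one with trimmed or masked fields.
                reporter.report(record, e);
            }
        }
    }

    // Stand-in for the connector's real write path (assumption for this example).
    private void writeToTarget(String topic, Object payload) throws Exception {
        if (payload == null) throw new IllegalArgumentException("null value from " + topic);
    }

    @Override
    public void stop() { }
}
```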

By adhering to these guidelines, partners can ensure that self-managed connectors are CSFLE-compliant, maintaining encryption integrity and minimizing plaintext data exposure.