Enable end-to-end-encryption

To enable end-to-end encryption, you can specify --producer-config and --input-specs in the pulsar-admin CLI with the public and private key pair configured by the application. Only the consumers with a valid key can decrypt the encrypted messages.

The encryption/decryption relevant configuration CryptoConfig is included in both ProducerConfig and inputSpecs. The specific configurable fields about CryptoConfig are as follows:

  1. public class CryptoConfig {
  2. private String cryptoKeyReaderClassName;
  3. private Map<String, Object> cryptoKeyReaderConfig;
  4. private String[] encryptionKeys;
  5. private ProducerCryptoFailureAction producerCryptoFailureAction;
  6. private ConsumerCryptoFailureAction consumerCryptoFailureAction;
  7. }
  • producerCryptoFailureAction defines the action that a producer takes if it fails to encrypt the data. Available options are FAIL or SEND.
  • consumerCryptoFailureAction defines the action that a consumer takes if it fails to decrypt the recieved data. Available options are FAIL, DISCARD, or CONSUME.

For more information about these options, refer to producer configurations and consumer configurations.