Enable end-to-end-encryption
To enable end-to-end encryption, you can specify --producer-config
and --input-specs
in the pulsar-admin CLI with the public and private key pair configured by the application. Only the consumers with a valid key can decrypt the encrypted messages.
The encryption/decryption relevant configuration CryptoConfig is included in both ProducerConfig
and inputSpecs
. The specific configurable fields about CryptoConfig
are as follows:
public class CryptoConfig {
private String cryptoKeyReaderClassName;
private Map<String, Object> cryptoKeyReaderConfig;
private String[] encryptionKeys;
private ProducerCryptoFailureAction producerCryptoFailureAction;
private ConsumerCryptoFailureAction consumerCryptoFailureAction;
}
producerCryptoFailureAction
defines the action that a producer takes if it fails to encrypt the data. Available options areFAIL
orSEND
.consumerCryptoFailureAction
defines the action that a consumer takes if it fails to decrypt the recieved data. Available options areFAIL
,DISCARD
, orCONSUME
.
For more information about these options, refer to producer configurations and consumer configurations.