Manage CSFLE (Client-side Field level encryption) for Self-managed Connectors
CSFLE (Client-Side Field Level Encryption) is a security feature that allows you to safeguard sensitive data, such as personally identifiable information (PII), by enabling field-level encryption both at the producer and consumer levels. By encrypting and decrypting individual fields within your data, CSFLE ensures that access to sensitive information is tightly controlled, granting only authorized stakeholders access to the data they are permitted to see. For more information, see Protect Sensitive Data Using CSFLE.
Limitations
Refer to the following for usage limitations:
- Auto registration of schemas is not supported when using CSFLE.
- Schemas need to be manually registered upfront before creating connectors.
- The connector only supports encryption for fields of type string or bytes.
Note
The reporter topics are not covered by CSFLE, so ensure that the error and success responses written to reporter topics do not contain any sensitive information.
Supported connectors
CSFLE is supported for the following connectors:
Sink connectors
- ServiceNow Sink connector (version >= 2.4.0)
- Amazon S3 sink connector (version >= v10.0.0)
Source connectors
- Amazon S3 source connector (version >= v2.0.0)
- IBM MQ source connector (version >= 12.0.0)
- Postgres CDC source connector (version >= 2.x)
- Salesforce Platform Event source connector (version >= 2.0.0)
- ServiceNow Source connector (version >= 2.4.0)
Requirements
To use CSFLE in Confluent Cloud with self-managed connectors, you must meet the following requirements:
Confluent Platform
Supported versions include:
- Confluent Platform 7.5.4 or later
- Confluent Platform 7.6.1 or later
Manage CSFLE
At a high level, you manage CSFLE for connectors using the following two-step process:
- Configure CSFLE: you can choose between the following two methods.
- Enable CSFLE for connectors.
Configure CSFLE without sharing KEK
If you do not want to share your Key Encryption Key (KEK) with Confluent, follow the steps below:
- Define the schema for the topic and add tags to the fields in the schema that you want to encrypt.
- Create encryption keys for each KMS.
- Add encryption rules that specify the encryption key you want to use to encrypt the tagged fields.
- Grant the DeveloperWrite permission for the encryption key and the DeveloperRead permission for the Schema Registry API keys.
- Add the following parameters to the connector configuration:
For AWS, pass the following configuration parameters:
- rule.executors._default_.param.access.key.id: The AWS access key identifier.
- rule.executors._default_.param.secret.access.key: The AWS secret access key.
For Azure, pass the following configuration parameters:
- rule.executors._default_.param.tenant.id: The Azure tenant identifier.
- rule.executors._default_.param.client.id: The Azure client identifier.
- rule.executors._default_.param.client.secret: The Azure client secret.
For Google Cloud, pass the following configuration parameters:
- rule.executors._default_.param.account.type: The Google Cloud account type.
- rule.executors._default_.param.client.id: The Google Cloud client identifier.
- rule.executors._default_.param.client.email: The Google Cloud client email address.
- rule.executors._default_.param.private.key.id: The Google Cloud private key identifier.
- rule.executors._default_.param.private.key: The Google Cloud private key.
For HashiCorp Vault, pass the following configuration parameters:
- rule.executors._default_.param.token.id: The token identifier for HashiCorp Vault.
- rule.executors._default_.param.namespace: The namespace for HashiCorp Vault Enterprise (optional).
For more information, see CSFLE without sharing access to your Key Encryption Keys (KEKs).
Enable CSFLE for connectors
To enable CSFLE for connectors, set the following parameters to the boolean values shown in the connector configuration:
Note
If you do not add these values to the connector configuration, CSFLE might not work properly.
csfle.enabled=true
value.converter.auto.register.schemas=false
value.converter.use.latest.version=true
key.converter.auto.register.schemas=false
key.converter.use.latest.version=true
Note
- To fetch the latest value schema from Schema Registry, use value.converter.latest.cache.ttl.sec, which defines the time interval, in seconds, after which the converter fetches the latest version of the value schema. The default value is -1. To enable it, set this parameter to the desired time interval in seconds.
- Similarly, use key.converter.latest.cache.ttl.sec to define the time interval, in seconds, after which the converter fetches the latest key schema from Schema Registry. The default value is -1; change it to the desired time interval in seconds.
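The following is an added example, not Confluent's code, that ties together the KMS parameters from the "Configure CSFLE without sharing KEK" steps and the settings from "Enable CSFLE for connectors": a pre-flight check that parses a connector .properties file, verifies the five required CSFLE settings, confirms the rule executor parameters for the chosen KMS are present, and produces a redacted view so the configuration can be logged without exposing KMS credentials. The parameter names are the ones this page lists; the sample configuration, its placeholder values and the check logic are assumptions for illustration.

```python
"""Pre-flight check of a self-managed connector's CSFLE configuration.

Added example (not Confluent's code). Parameter names come from the page;
the sample values below are constructed placeholders.
"""
from typing import Dict, List

# Settings the page lists as required for CSFLE in the connector config.
REQUIRED_CSFLE_SETTINGS: Dict[str, str] = {
    "csfle.enabled": "true",
    "value.converter.auto.register.schemas": "false",
    "value.converter.use.latest.version": "true",
    "key.converter.auto.register.schemas": "false",
    "key.converter.use.latest.version": "true",
}

# Per-KMS rule executor parameters from the page (Vault namespace is optional).
KMS_PARAMS: Dict[str, List[str]] = {
    "aws": [
        "rule.executors._default_.param.access.key.id",
        "rule.executors._default_.param.secret.access.key",
    ],
    "azure": [
        "rule.executors._default_.param.tenant.id",
        "rule.executors._default_.param.client.id",
        "rule.executors._default_.param.client.secret",
    ],
    "gcp": [
        "rule.executors._default_.param.account.type",
        "rule.executors._default_.param.client.id",
        "rule.executors._default_.param.client.email",
        "rule.executors._default_.param.private.key.id",
        "rule.executors._default_.param.private.key",
    ],
    "hcvault": [
        "rule.executors._default_.param.token.id",
    ],
}

# Parameter name suffixes whose values are secrets and must never be logged.
SECRET_SUFFIXES = ("secret.access.key", "client.secret", "private.key", "token.id")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and # / ! comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_csfle_config(props: Dict[str, str], kms: str) -> List[str]:
    """Return a list of problems; an empty list means the config passes."""
    problems: List[str] = []
    for key, expected in REQUIRED_CSFLE_SETTINGS.items():
        actual = props.get(key)
        if actual is None:
            problems.append(f"missing {key}={expected}")
        elif actual.lower() != expected:
            problems.append(f"{key} is {actual!r}, expected {expected!r}")
    for key in KMS_PARAMS[kms]:
        if not props.get(key):
            problems.append(f"missing KMS parameter {key}")
    return problems


def redacted(props: Dict[str, str]) -> Dict[str, str]:
    """Copy of the config with KMS secret values masked, safe for logs."""
    return {k: ("***" if k.endswith(SECRET_SUFFIXES) else v) for k, v in props.items()}


# Constructed sample configuration for AWS KMS; every value is a placeholder.
SAMPLE_CONFIG = """
# connector config with CSFLE enabled (constructed sample)
name=example-sink-with-csfle
csfle.enabled=true
value.converter.auto.register.schemas=false
value.converter.use.latest.version=true
key.converter.auto.register.schemas=false
key.converter.use.latest.version=true
rule.executors._default_.param.access.key.id=ACCESS_KEY_ID_PLACEHOLDER
rule.executors._default_.param.secret.access.key=SECRET_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG)
    print("problems:", check_csfle_config(cfg, "aws"))
    print("safe view:", redacted(cfg))
```

Run the check against the real connector properties before submitting the connector; a non-empty problem list points at exactly the setting the note above says would make CSFLE silently misbehave, and the redacted view is the only form of the configuration that should reach logs or tickets.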