index.adoc

Quicksign Kafka Encryption

v{project-version}

Motivation

Personal data protection is becoming increasingly important for everyone these days. We chose no compromise, we encrypt everything end to end.

Quicksign uses Kafka as the backbone of its microservices architecture, we therefore needed a solution to achieve end to end encryption in Kafka. Since it didn’t appear to be available, we had to implement our own. We believe opening it to the community will help broaden best practices in terms of personal data protection and improve its security through a larger audience scrutiny.

Caution

This library is the actual one used on our platform but some particular encryption and operational details are not revealed here and as such this library on its own doesn’t reflect the overall mechanism used at Quicksign to protect our users data.

Usage

Import maven dependency

<dependency>
    <groupId>{project-groupId}</groupId>
    <artifactId>kafka-encryption-core</artifactId>
    <version>{project-version}</version>
</dependency>

Design goals

• Support multiple encryption key management strategies (KMS, embedded, per message, rolling windows, per tenant, custom)

• Support for Kafka Streams intermediate topics

• Detect when a payload is not encrypted to skip decryption

• Support for Camel

• Support for Spring Boot

Use cases

./samples/keyrepo-sample/index.adoc ./samples/generatedkey-sample/index.adoc ./samples/kafkastream-with-keyrepo-sample/index.adoc