Kroxylicious release 0.5.0

March 13, 2024 by Robert Young

The Kroxylicious project is very pleased to announce the release of Kroxylicious 0.5.0. See the Changelog for a list of changes and summary of Deprecations, Changes and Removals.

Record Encryption

This release was focused on refining Record Encryption to be ready for experimentation in secure environments, adding:

  • Enable users to configure Hashicorp Vault TLS, providing custom keystore and truststore
  • Enable users to supply the Hashicorp Vault token via file rather than having to inject it into the proxy configuration
  • Include Record Encryption filter (and other Kroxylicious project supported filters) in the binary distribution
  • Release a Docker image also containing the supported filters
  • Improvements in how we manage and control the usage of key material, preparing to support alternate Ciphers and configurable Additional Authenticated Data

The protocol for immutable encrypted data written to the broker is now aligned with our initial design. We guarantee data encrypted with version 0.5.0 of the Filter will be decryptable by all future versions of the Record Encryption Filter forever (assuming the keys stored in the KMS remain available for decryption).

Other Improvements

  • Support for Apache Kafka 3.7.0 API additions (Kroxylicious is version agnostic and can interface with all current broker and client versions, but must be updated to intercept/forward new APIs or fields added to existing APIs of the Kafka Protocol)
  • A fix for upstream TLS connections failing, @callaertanthony’s first PR contribution, thank you!
  • Added a lowestTargetBrokerId configuration for Port-per-broker Virtual Cluster exposition
  • Numerous bugfixes, documentation improvements, test enhancements


You’ll find binaries attached to the GitHub release, and available through Maven Central.

Docker images are hosted at


We are eager for any feedback, you can create an issue in GitHub if you have any problems or want a feature added.