The Kroxylicious project is very pleased to announce the release of Kroxylicious 0.4.0. The big news is that this release includes our EnvelopeEncryption filter, which provides an Encryption-at-Rest solution for Apache Kafka(tm) that is transparent to both clients and brokers. This release also includes binary artifacts for the first time.
The EnvelopeEncryption filter works by intercepting all produce requests from applications and encrypting the Kafka records as they pass through Kroxylicious. On the consume path, the reverse happens: the filter intercepts the fetch responses and decrypts the records before they are sent to the application.
We have more work planned to iterate on the implementation to reach production quality. Check out our 0.5.0 milestone for details.
The Kafka Cluster never sees the plain text of your records. Filter configuration is used to specify which topic(s) should be encrypted by which key.
The encryption keys themselves are stored safely in a Key Management System. 0.4.0 ships with a HashiCorp Vault(tm) integration. We hope to provide other selected Key Management System integrations in due course; however, users can use the plug-in architecture of Kroxylicious to supply their own integrations.
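To make the envelope idea concrete, here is an added Java sketch, not Kroxylicious's own code: each record value is sealed with a data key (DEK), and the DEK is sealed with the key-encryption key (KEK) selected for the topic. The in-memory `kms` map standing in for Vault, the topic and key names, the envelope layout and the one-DEK-per-record choice are all assumptions made for the example.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class EnvelopeSketch {
    static final int IV = 12, WRAPPED = IV + 32 + 16; // IV + 256-bit DEK + GCM tag
    static final SecureRandom RNG = new SecureRandom();
    // AES-GCM seal: returns IV || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV + ct.length).put(iv).put(ct).array();
    }
    // AES-GCM open: throws AEADBadTagException if the key or the data is wrong.
    static byte[] open(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, IV));
        return c.doFinal(sealed, IV, sealed.length - IV);
    }
    static SecretKey newKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(256);
        return g.generateKey();
    }
    // Produce path: value sealed under a fresh DEK, DEK sealed under the topic's KEK.
    static byte[] encryptRecord(SecretKey kek, byte[] value) throws Exception {
        SecretKey dek = newKey(); // assumption: one DEK per record, for brevity
        byte[] wrapped = seal(kek, dek.getEncoded()), body = seal(dek, value);
        return ByteBuffer.allocate(WRAPPED + body.length).put(wrapped).put(body).array();
    }
    // Fetch path: unwrap the DEK with the KEK, then open the record value.
    static byte[] decryptRecord(SecretKey kek, byte[] env) throws Exception {
        byte[] dek = open(kek, Arrays.copyOfRange(env, 0, WRAPPED));
        return open(new SecretKeySpec(dek, "AES"), Arrays.copyOfRange(env, WRAPPED, env.length));
    }
    public static void main(String[] args) throws Exception {
        Map<String, SecretKey> kms = Map.of("kek-payments", newKey());       // stand-in for a KMS
        Map<String, String> topicKeys = Map.of("payments", "kek-payments"); // constructed mapping
        SecretKey kek = kms.get(topicKeys.get("payments"));
        byte[] stored = encryptRecord(kek, "order=42;amount=10".getBytes(StandardCharsets.UTF_8));
        System.out.println("broker stores " + stored.length + " opaque bytes");
        System.out.println("consumer sees: " + new String(decryptRecord(kek, stored), StandardCharsets.UTF_8));
    }
}
```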
The diagram below shows how the system works at a high level.
If this use-case interests you, here’s a short demo that shows the feature in action. To try it out yourself, there are some interim instructions for using the feature in development. There will be more information landing on the website soon, but meanwhile, if you have questions or comments please head over to the Slack channel.
The 0.4.0 release also ships binary artifacts for the first time. You’ll find these on the GitHub release page, and they are also available through Maven Central.