Comments (8)
Hi @hpgrahsl we have the exact same use-case as this actually -- We will use Connect to encrypt some data but then in some cases will be using a vanilla Java Kafka Client to consume and process the data, and there we need to be able to decrypt the value.
I wonder if it would be useful or possible to add some information to your documentation how this can be done? (or maybe even on top of that provide a small Java library which can be just plugged in somewhere would be cool as well maybe? 😎 )
Edit: and now that I looked again at the readme I see that I completely missed this extra HTTP service that you have mentioned (https://github.com/hpgrahsl/kryptonite-for-kafka/tree/master/funqy-http-kryptonite) -- is the idea that "most" cases should just instead run this HTTP service instead of trying to use Kryptonite in Java like an API or would using it directly in Java also be acceptable?
from kryptonite-for-kafka.
Hi! Can you add a little bit more context to what you are trying to achieve with this?
It looks like you want to write your own custom code that takes encrypted output of kryptonite-for-kafka and tries to decrypt it "manually" in an external application, right? What's the purpose in doing this, and would it work for you to rely on some of the existing "building blocks" my library provides instead of reimplementing decryption from scratch?
from kryptonite-for-kafka.
Hi @hpgrahsl,
Thanks for your response.
Yes, I have the use-case to decrypt the data outside of Kafka Connect. That's why I need to write a function to manually decrypt it. I followed your code that adds associated data to decrypt but the decryption failed. I thought there is some issue with the associated data (asBytes function). Could you help to check if the values I pass are correct or not, as in the key I attached above.
Thank you very much,
Vincent Trinh.
from kryptonite-for-kafka.
Hi again,
As I suggested, you should probably make use of the existing building blocks that are part of the kryptonite "core" library. If you do that there is no need to directly touch Tink-related crypto primitives which means it's easier in the end :)
Another reason is that kryptonite doesn't directly operate on raw byte sequences only. There is an object structure around it which stores metadata in addition to the raw ciphertext -> EncryptedField.class. Additionally, the data that needs to be encrypted is first serialized to bytes, which is done using the Kryo library (external dependency). That being said, the code you would want to write to perform what you have in mind would roughly look as follows:
import java.util.Base64;
import com.esotericsoftware.kryo.io.Input;
// plus the kryptonite core classes used below:
// Kryptonite, TinkKeyVault, KryoSerdeProcessor, KryoInstance, EncryptedField

// keyConfigs: the same key configuration the connect SMT was set up with
var kryptonite = new Kryptonite(new TinkKeyVault(keyConfigs));
var serdeProcessor = new KryoSerdeProcessor();
// base64 encoded ciphertext with metadata,
// e.g. resulting from kryptonite connect SMT when encrypting some string
var cipheredB64 = "...";
// deserialized object with metadata + ciphertext bytes
// (this uses kryo under the hood to get an EncryptedField object)
var encryptedField = KryoInstance.get().readObject(
        new Input(Base64.getDecoder().decode(cipheredB64)), EncryptedField.class);
// deciphered bytes as a result from the decrypt operation handled by kryptonite
var plainBytes = kryptonite.decipherField(encryptedField);
// original string object after deserialization
var plainString = (String) serdeProcessor.bytesToObject(plainBytes);
System.out.println("RESULT: " + plainString);
Hope this gives you some ideas how to proceed.
from kryptonite-for-kafka.
@baduy9x I hope you were able to make some progress based on my comment above. Will close this for now. If necessary, feel free to ask further questions.
from kryptonite-for-kafka.
@hpgrahsl one issue as we dive even deeper into this option is that it seems in order to run the code you pasted above, we need to pull down a copy of the entire Kryptonite project and build it along with our services. So it is a bit "clumsy" compared to most other things we are doing, where we usually just fetch dependencies directly from a public Maven repository somewhere and then import the right classes and use them in our code.
Is it possible to have an example where we won't need to make a copy of the entire Kryptonite project to run (just that we need to add dependencies for Tink and maybe these com.esotericsoftware.kryo classes), and/or that these parts of Kryptonite could be packaged as a library and published to some kind of Maven repository?
from kryptonite-for-kafka.
is the idea that "most" cases should just instead run this HTTP service instead of trying to use Kryptonite in Java like an API or would using it directly in Java also be acceptable?
The main idea behind providing the separate http service is to allow for easier integration with languages/runtimes other than java/jvm. Also the http service is a REST API that talks JSON only, so this is something to keep in mind as well. If you are building a custom client app on top of the jvm, I'd probably recommend to use kryptonite "natively", i.e. working with the kryptonite core code like shown in the code snippet I posted above.
from kryptonite-for-kafka.
Is it possible to have an example where we won't need to make a copy of the entire Kryptonite project to run (just that we need to add dependencies for Tink and maybe these com.esotericsoftware.kryo classes), and/or that these parts of Kryptonite could be packaged as a library and published to some kind of Maven repository?
What you suggest is definitely the way to go. There haven't been any requests for building custom code on top of kryptonite so far, which is the only reason why the "core" library hasn't been published to an artefact repository yet. I might well consider doing that for one of the upcoming releases as soon as I have some time :-)
Meanwhile you can build your PoC and experiment with your custom app by integrating a pre-built local kryptonite jar artefact via maven.
from kryptonite-for-kafka.
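One way to do the local-jar integration described in the comment above, as an added example that is not from the thread or from the kryptonite project. The Maven coordinates are placeholders: take the real ones from the pom.xml of the kryptonite core module you built.

```xml
<!-- Step 1 (run once): put the locally built kryptonite core jar into your
     ~/.m2 repository. Passing the module's own pom with -DpomFile keeps its
     transitive dependencies (Tink, Kryo) resolvable; without it you have to
     declare those dependencies in your application yourself.

     mvn install:install-file \
         -Dfile=path/to/kryptonite-core.jar \
         -DpomFile=path/to/kryptonite-core/pom.xml \
         -DgroupId=PLACEHOLDER_GROUP_ID \
         -DartifactId=PLACEHOLDER_ARTIFACT_ID \
         -Dversion=PLACEHOLDER_VERSION \
         -Dpackaging=jar
-->

<!-- Step 2: in your application's pom.xml, depend on it like any published artefact. -->
<dependency>
  <groupId>PLACEHOLDER_GROUP_ID</groupId>
  <artifactId>PLACEHOLDER_ARTIFACT_ID</artifactId>
  <version>PLACEHOLDER_VERSION</version>
</dependency>
```

Every developer and CI runner building the application needs the same install step, since the artefact only exists in the local repository until it is published.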