To enable end-to-end encryption, you can specify --producer-config and --input-specs in the pulsar-admin CLI with the public and private key pair configured by the application. Only the consumers with a valid key can decrypt the encrypted messages.
The encryption/decryption relevant configuration CryptoConfig is included in both ProducerConfig and inputSpecs. The specific configurable fields about CryptoConfig are as follows:
public class CryptoConfig { private String cryptoKeyReaderClassName; private Map<String, Object> cryptoKeyReaderConfig; private String[] encryptionKeys; private ProducerCryptoFailureAction producerCryptoFailureAction; private ConsumerCryptoFailureAction consumerCryptoFailureAction; }
producerCryptoFailureAction defines the action that a producer takes if it fails to encrypt the data. Available options are FAIL or SEND.consumerCryptoFailureAction defines the action that a consumer takes if it fails to decrypt the recieved data. Available options are FAIL, DISCARD, or CONSUME.For more information about these options, refer to producer configurations and consumer configurations.