Skip to main content
Version: 3.3.x

Enable end-to-end-encryption

To enable end-to-end encryption, you can specify --producer-config and --input-specs in the pulsar-admin CLI with the public and private key pair configured by the application. Only the consumers with a valid key can decrypt the encrypted messages.

The encryption/decryption relevant configuration CryptoConfig is included in both ProducerConfig and inputSpecs. The specific configurable fields about CryptoConfig are as follows:

public class CryptoConfig {
private String cryptoKeyReaderClassName;
private Map<String, Object> cryptoKeyReaderConfig;

private String[] encryptionKeys;
private ProducerCryptoFailureAction producerCryptoFailureAction;

private ConsumerCryptoFailureAction consumerCryptoFailureAction;
  • producerCryptoFailureAction defines the action that a producer takes if it fails to encrypt the data. Available options are FAIL or SEND.
  • consumerCryptoFailureAction defines the action that a consumer takes if it fails to decrypt the recieved data. Available options are FAIL, DISCARD, or CONSUME.

For more information about these options, refer to producer configurations and consumer configurations.