2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.

AES256

Decodes values encoded with AES-256 to enable passing encrypted values to connectors.

Secrets will only be reloaded if the Connector restarts.

Add the plugin to the worker classloader isolation via the plugin.path option:

plugin.path=/usr/share/connectors,/opt/secret-providers

The provider receives an AES-256 encrypted value as the key and simply decrypts it to obtain the value (rather than, for example, looking the value up in an external store).

The AES-256 encrypted value must be prefixed with the base64-encoded initialisation vector and a space character; the encrypted bytes are also base64 encoded. So to correctly encrypt value1, follow these steps:

  • encrypted-bytes = aes-256 encrypted value1

  • encrypted-base64 = base64 encrypted-bytes

  • initialisation-vector = random bytes

  • iv-base64 = base64 initialisation-vector

  • encrypted-value = iv-base64 + " " (a single space character) + encrypted-base64

Configuring the plugin

The plugin needs to be configured with the secret key used for decoding. The key is a string and must be exactly 32 bytes long (UTF-8 encoded).

Name: aes256.key
Description: Secret key used for encrypting and decrypting the value. String of 32 bytes.
Default: (no default)

Example worker properties file:

worker.props
config.providers=aes256
config.providers.aes256.class=io.lenses.connect.secrets.providers.Aes256DecodingProvider
config.providers.aes256.param.aes256.key=aaaaaaaaaabbbbbbbbbbccccccccccdd
config.providers.aes256.param.file.dir=/tmp/aes256

Usage

To use this provider in a connector, reference the provider, the encoding path and the encrypted value in the connector property whose value should be decrypted.

The indirect reference is in the form ${provider:path:key} where:

  • provider is the name of the provider in the worker property file set above

  • path specifies the encoding of the value: utf8, utf8_file, base64, base64_file

  • key is the AES-256 encrypted value to be decrypted by the plugin

For example, if hello encrypted with AES-256 under some key equals xyxyxy, then configuring the connector to use ${aes256::xyxyxy} as a parameter value causes that value to be substituted with the string "hello":

connector.props
name=my-sink
class=my-class
topics=mytopic
greeting=${aes256::xyxyxy}

This would resolve at runtime to:

name=my-sink
class=my-class
topics=mytopic
greeting=hello

The path component of the key reference specifies the encoding used to pass the value. The provider supports the following encodings:

  • base64: base-64 encoding of the textual value

  • base64_file: base-64 encoding of a value that, once decrypted and decoded, is written to a file

  • utf8_file: utf-8 encoding of a value that, once decrypted, is written to a file

  • utf8: utf-8 encoding of the textual value

With UTF8 the value returned is the decrypted value of the encrypted value (key). With BASE64 the value returned is the decrypted value of the encrypted value (key), additionally base64 decoded.

If the encoding is UTF8_FILE, the string contents are written to a file. The name of the file is randomly generated. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If the encoding is BASE64_FILE, the string contents are base64 decoded and written to a file. The name of the file is randomly generated. For example, if a connector needs a PEM file on disk, set the path to BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.

If the key reference path is not set or is set to an unknown value, utf8 encoding is used as the default.

For example, if we want to save hi there ! to a file and its AES-256 encrypted content equals xyxyxy, then configuring the connector to use ${aes256:utf8_file:xyxyxy} as a parameter value makes the provider create a new file with a random name (abc-def-ghi) and store hi there ! in it. If the configured store directory is /store-root, the value is substituted with the string /store-root/secrets/abc-def-ghi:

connector.props
name=my-sink
class=my-class
topics=mytopic
greeting=${aes256:utf8_file:xyxyxy}

resolves to

name=my-sink
class=my-class
topics=mytopic
greeting=/store-root/secrets/abc-def-ghi
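The following script is an added example, not code from the Lenses secret-provider project: it produces a value in the iv-base64 + space + encrypted-base64 format described above and mirrors the provider's decoding, including the utf8, base64 and *_file path handling from this Usage section. It assumes AES-256-CBC with PKCS#7 padding and a 16-byte IV (the page only names AES-256, the IV prefix and the 32-byte key); the function names aes256_encrypt, aes256_decrypt and resolve are chosen here.

```ruby
require 'openssl'
require 'securerandom'
require 'fileutils'

# Build a value in the provider's format: base64(iv) + " " + base64(ciphertext).
# AES-256-CBC with PKCS#7 padding (OpenSSL's default) and a 16-byte IV is an
# assumption; the page only names AES-256, the base64 IV prefix and a 32-byte key.
def aes256_encrypt(key, plaintext)
  raise ArgumentError, "aes256.key must be 32 bytes, got #{key.bytesize}" unless key.bytesize == 32
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh random IV per value; it travels in the clear
  ciphertext = cipher.update(plaintext) + cipher.final
  "#{[iv].pack('m0')} #{[ciphertext].pack('m0')}" # 'm0' = strict base64, no newlines
end

# Mirror of what the provider does with the key part of ${aes256:path:key}.
def aes256_decrypt(key, encoded)
  iv_b64, ct_b64 = encoded.split(' ', 2)
  raise ArgumentError, "expected '<iv-base64> <ciphertext-base64>'" if ct_b64.nil?
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = key                  # raises unless exactly 32 bytes
  cipher.iv = iv_b64.unpack1('m0')  # raises unless exactly 16 bytes
  # final raises OpenSSL::Cipher::CipherError on a wrong key or a corrupted value
  (cipher.update(ct_b64.unpack1('m0')) + cipher.final).force_encoding(Encoding::UTF_8)
end

# Resolve a ${provider:path:key} reference as the Usage section describes: utf8 (also
# the default for an empty or unknown path) returns the decrypted text, base64 decodes
# it once more, and the *_file variants write the result to a random file under file.dir.
def resolve(key, reference, file_dir)
  m = reference.match(/\A\$\{(\w+):(\w*):(.+)\}\z/) or raise ArgumentError, "not a secret reference: #{reference}"
  _provider, path, encrypted = m.captures
  path = path.downcase
  value = aes256_decrypt(key, encrypted)
  value = value.unpack1('m0') if path.start_with?('base64')
  return value unless path.end_with?('_file')
  dir = File.join(file_dir, 'secrets')
  FileUtils.mkdir_p(dir)
  file = File.join(dir, SecureRandom.uuid)
  File.binwrite(file, value)
  file # the connector property receives the path, not the secret itself
end

if __FILE__ == $PROGRAM_NAME
  key = 'aaaaaaaaaabbbbbbbbbbccccccccccdd' # the 32-byte example key from worker.props above
  enc = aes256_encrypt(key, 'hello')
  puts "greeting=${aes256::#{enc}}"                      # paste this line into connector.props
  puts resolve(key, "${aes256::#{enc}}", '/tmp/aes256') # what the worker substitutes: hello
end
```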

Last updated 9 months ago