Thanks Sijie, I’ll create an issue for both soon.

Regards,
Subash Kunjupillai

From: Sijie Guo <[email protected]>
Sent: Wednesday, June 10, 2020 11:27 AM
To: [email protected]
Subject: Re: Clarification on End-to-End Encryption

Subash,

Comments inline.

On Sat, Apr 25, 2020 at 3:55 AM Subash K <[email protected]> wrote:

> Hi,
>
> I was looking through the documents of End-to-End Encryption <http://pulsar.apache.org/docs/en/security-encryption> and I’m having the following queries as I haven’t completely understood how this works:
>
> 1. Public key should be provided to Producer and private key to Consumer. In that case, I’m wondering why we have to provide both Public and Private key file to CryptoKeyReader. Because ideally the producer application will not have the private key and vice-versa. Can someone please share any information on this?

Yes. Your understanding is correct. Ideally we should have a separate interface for producer and consumer. Can you help create an issue for that?

> 2. I’m not able to understand the significance of `addEncryptionKey("my-app")` in producer builder. Because I was able to send a message and consume it without setting this key at producer end. Can someone please help me in understanding its significance?
>
> 3. We are supposed to generate new private and public keys often (at least once in a week due to security policy). In that case, after regenerating both files, consumer will not be able to read the old messages from Broker as they would have been encrypted by an old public key or vice-versa. Is there a possibility to add multiple Public and Private keys so that we can gradually take down the old keys?

This sounds like a good feature to consider. Can you add an issue for that?

> Regards,
> Subash Kunjupillai
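
Added example, not from the thread or the Pulsar project: one way an application could approach questions 1 and 3 with the existing `CryptoKeyReader` interface, by resolving keys by name from a directory so that each side holds only its own half and old key names stay readable during rotation. The class name, file layout and versioned key names such as `my-app-v2` are assumptions, and it relies on the client passing the key name recorded with each message to `getPrivateKey`.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.pulsar.client.api.CryptoKeyReader;
import org.apache.pulsar.client.api.EncryptionKeyInfo;

/**
 * Hypothetical reader (not part of Pulsar). Assumed layout:
 *   <keyDir>/<keyName>.pub.pem   deployed to producers only
 *   <keyDir>/<keyName>.priv.pem  deployed to consumers only
 * Producer: .cryptoKeyReader(reader).addEncryptionKey("my-app-v2")
 * Consumer: .cryptoKeyReader(reader), keeping my-app-v1.priv.pem until
 * messages encrypted under the old name have been consumed or expired.
 */
public class DirectoryKeyReader implements CryptoKeyReader {
    // On the consumer, keyName arrives with the message, so treat it as
    // untrusted input: no separators, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    private final Path keyDir;

    public DirectoryKeyReader(Path keyDir) {
        this.keyDir = keyDir.toAbsolutePath().normalize();
    }

    @Override
    public EncryptionKeyInfo getPublicKey(String keyName, Map<String, String> metadata) {
        return load(keyName, ".pub.pem");
    }

    @Override
    public EncryptionKeyInfo getPrivateKey(String keyName, Map<String, String> metadata) {
        return load(keyName, ".priv.pem");
    }

    private EncryptionKeyInfo load(String keyName, String suffix) {
        if (keyName == null || !SAFE_NAME.matcher(keyName).matches()) {
            throw new IllegalArgumentException("rejected key name");
        }
        Path file = keyDir.resolve(keyName + suffix).normalize();
        if (!file.startsWith(keyDir)) { // defence in depth against path escape
            throw new IllegalArgumentException("key path escapes key directory");
        }
        try { // fail closed: a missing key raises instead of yielding empty key material
            EncryptionKeyInfo info = new EncryptionKeyInfo();
            info.setKey(Files.readAllBytes(file));
            return info;
        } catch (IOException e) { throw new UncheckedIOException("cannot read key " + keyName, e); }
    }
}
```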
