Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key). This plugin uses json-jwt to encrypt/decrypt messages.
in_secure_forward and out_secure_forward can support encryption and authentication between fluentd instances. However, if a user intends to share their data via third party data broker like EverySense, they may wants to encrypt their data end-to-end fashion. fluent-plugin-jwt-filter can support end-to-end (from fluentd to fluentd) encryption.
Add this line to your application's Gemfile:
gem 'fluent-plugin-jwt-filter'
And then execute:
bundle
Or install it yourself as:
gem install fluent-plugin-jwt-filter
fluent-plugin-jwt-filter provides encrypt and decrypt of messages.
<filter test>
@type jwt
method encrypt
</filter>
Encrypt/Decrypt can be selected by method option.
In the following example, input from in_tail plugin is encrypted by jwt-filter and then outputted by out_forward plugin.
<source>
@type tail
path /tmp/test.log
pos_file /tmp/test.log.pos
tag test
format json
</source>
<filter test>
@type jwt
method encrypt
</filter>
<match test>
@type forward
<server>
host ::1
port 24224
</server>
</match>
For encryption, the following options are available.
-
jwk_pub_file: is a file name which records public key of JSON Web Key (JWK). JWK public and private key can be easily generated by jwk_tool (default name: key.pub).
-
block_cipher_alg: is an algorithm to encrypt the contents. Block cipher is used for encryption and symmetric key of block cipher is encrypted by key encryption algorithm. Currently json-jwt supports A128GCM, A256GCM, A128CBC-HS256 and A256CBC-HS512 (default A128GCM and require "ruby > 2.0.0").
-
key_encryption_alg: is an algorithm to encrypt block cipher encryption key. Basically public key algorithm is assumed. If JWK is created as symmetric key, this option is not required (default RSA1_5).
@type jwt jwk_pub_file fluent/key.pub block_cipher_alg A128GCM key_encryption_alg RSA1_5
In the following example, input from in_forward plugin is decrypted by jwt-filter and then outputted by out_stdout plugin.
<source>
@type forward
port 24224
bind ::1
</source>
<filter test>
@type jwt
method decrypt
</filter>
<match test>
type stdout
</match>
For decryption, the following options are available.
-
jwk_file: is a file name which records private key of JSON Web Key (JWK). As already mentioned in Encryption section, JWK public and private key can be easily generated by jwk_tool (default name: key)
@type jwt method decrypt jwk_file fluent/key