Generate an RSA or EC key pair for the producer and distribute the public key; keep the private key accessible only to authorised consumers
On the producer side, configure the CryptoKeyReader interface in the client SDK to point to the producer's public key, then call addEncryptionKey() with the key name before building the producer
Build and use the producer normally; the Pulsar client SDK transparently encrypts each message using a symmetric session key (AES-GCM by default) which is itself encrypted with the RSA/EC public key and embedded in the message metadata
On the consumer side, configure CryptoKeyReader to point to the consumer's private key; the Pulsar client automatically decrypts messages on receive
Set the CryptoFailureAction on both producer and consumer to control behavior when encryption or decryption fails (FAIL to stop processing, SEND/CONSUME to pass through unencrypted — choose based on your security requirements)
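The steps above in Java, as an added example that is not from the original page or the Pulsar project. The broker URL, topic, subscription name, key name and PEM paths are assumed placeholders, and FileKeyReader is a hypothetical helper implementing the CryptoKeyReader interface.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import org.apache.pulsar.client.api.*;

public class EncryptedTopicExample {
    // Hypothetical helper: reads one PEM file. Producers pass only a public key path,
    // consumers only a private key path, so neither side can load the other half.
    static class FileKeyReader implements CryptoKeyReader {
        private final String publicPath, privatePath;
        FileKeyReader(String pub, String priv) { publicPath = pub; privatePath = priv; }
        @Override public EncryptionKeyInfo getPublicKey(String keyName, Map<String, String> meta) {
            return load(publicPath, keyName);
        }
        @Override public EncryptionKeyInfo getPrivateKey(String keyName, Map<String, String> meta) {
            return load(privatePath, keyName);
        }
        private static EncryptionKeyInfo load(String path, String keyName) {
            if (path == null) throw new IllegalStateException("no key file configured for " + keyName);
            try {
                EncryptionKeyInfo info = new EncryptionKeyInfo();
                info.setKey(Files.readAllBytes(Paths.get(path)));
                return info;
            } catch (java.io.IOException e) {
                throw new IllegalStateException("cannot read key file " + path, e);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        String topic = "persistent://public/default/orders";           // assumed topic
        try (PulsarClient client = PulsarClient.builder()
                .serviceUrl("pulsar://localhost:6650").build()) {      // assumed broker URL
            Consumer<byte[]> consumer = client.newConsumer().topic(topic)
                .subscriptionName("orders-sub")
                .cryptoKeyReader(new FileKeyReader(null, "/etc/pulsar/keys/orders-private.pem"))
                .cryptoFailureAction(ConsumerCryptoFailureAction.FAIL) // never deliver undecrypted data
                .subscribe();
            Producer<byte[]> producer = client.newProducer().topic(topic)
                .cryptoKeyReader(new FileKeyReader("/etc/pulsar/keys/orders-public.pem", null))
                .addEncryptionKey("orders-key")                        // name passed to CryptoKeyReader
                .cryptoFailureAction(ProducerCryptoFailureAction.FAIL) // never fall back to plaintext
                .create();
            producer.send("card=constructed-sample".getBytes(StandardCharsets.UTF_8));
            Message<byte[]> msg = consumer.receive();
            System.out.println(new String(msg.getData(), StandardCharsets.UTF_8));
            consumer.acknowledge(msg);
        }
    }
}
```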
Known gotchas
End-to-end encryption is configured in the client SDK, not the broker; the broker stores and replicates ciphertext and cannot inspect message content, which means broker-side features like message filtering by key are unavailable for encrypted messages
Each producer must have its own encryption key pair; sharing a private key across producers is a security anti-pattern that widens the blast radius of a key compromise
Key rotation requires deploying the new public key to all producers and the new private key to all consumers before the old key expires; Pulsar supports multiple active encryption keys per producer to enable rolling rotation