{"id":"ac5dfc6a-92c2-48d2-ade5-313f4e7f6eb7","task":"Configure Apache Pulsar namespace-level message encryption with end-to-end encryption","domain":"pulsar.apache.org","steps":["Generate an RSA or EC key pair for the producer and distribute the public key; keep the private key accessible only to authorised consumers","On the producer side, configure the CryptoKeyReader interface in the client SDK to point to the producer's public key, then call addEncryptionKey() with the key name before building the producer","Build and use the producer normally; the Pulsar client SDK transparently encrypts each message using a symmetric session key (AES-GCM by default) which is itself encrypted with the RSA/EC public key and embedded in the message metadata","On the consumer side, configure CryptoKeyReader to point to the consumer's private key; the Pulsar client automatically decrypts messages on receive","Set the CryptoFailureAction on both producer and consumer to control behavior when encryption or decryption fails (FAIL to stop processing, SEND/CONSUME to pass through unencrypted — choose based on your security requirements)"],"gotchas":["End-to-end encryption is configured in the client SDK, not the broker; the broker stores and replicates ciphertext and cannot inspect message content, which means broker-side features like message filtering by key are unavailable for encrypted messages","Each producer must have its own encryption key pair; sharing a private key across producers is a security anti-pattern that widens the blast radius of a key compromise","Key rotation requires deploying the new public key to all producers and the new private key to all consumers before the old key expires; Pulsar supports multiple active encryption keys per producer to enable rolling rotation"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:23.292Z"},"url":"https://mcp.waymark.network/r/ac5dfc6a-92c2-48d2-ade5-313f4e7f6eb7"}