Kafka Connect Secrets Storage terms and concepts

Review the list of terms and concepts related to the Kafka Connect Secrets Storage feature.

Secure Connector
A secure connector is any connector intended to be used in CDP Kafka Connect whose configuration has a sensitive property.
Secret
Part of a secure connector configuration that must be protected. A secret can be any value used in the connector configuration that you mark as confidential data. For example, a secret can be a password, a JAAS credential, an SSL certificate, and so on. When you mark a property as a secret it becomes protected. Specifically, the value of the property is no longer stored in plaintext within the configuration. Rather, it is replaced by a secret reference. The actual value is encrypted and stored in an internal Kafka topic (secrets topic).

Understand however, that this protection covers the configuration only. If you mark a property a secret that is otherwise public information, while the value of that property will be hidden in the configuration, the value could be looked up by other means. For example, sink connectors have a topics property. If auto topic creation is enabled, topics will be created by the connector automatically. This means that even if the topics property is marked as a secret, the value of the property could be retrieved by other means. For example, by listing the topics of the Kafka service.

Secrets topic
The secrets topic is an internal Kafka topic. The Kafka Connect Secrets Storage feature stores its internal state, configuration, secrets, and so on in this internal topic.
Secret reference
Part of a secure connector configuration that is already protected. Instead of the configuration’s original value, a placeholder (reference) is used, which refers to the original value using a connector name and a bundle ID. The Kafka Connect Secrets Storage feature resolves these references and substitutes them with the original values stored in the secrets topic when connectors are used.
Encryption key
The encryption key is a randomly generated key. Its established value is unique at a certain point in time. However, it can be changed. It is used to encrypt and decrypt hashed secrets protecting them against tampering and retrieval.
Global key
Global key is a unique cryptographic key that is derived from a user supplied password. The global key protects the encryption key when the encryption key is persisted to the disk or exchanged on the network. The encryption key is hashed and encrypted with the global key. As a result, it is impossible to tamper with it, or retrieve the encryption key from wiretapping the network traffic in a man-in-the-middle style attack.
Bundle and Bundle ID
The set of secrets of a secure connector constitute a bundle. The bundle is identified by its bundle ID, which is maintained by the Kafka Connect Secrets Storage feature. If a secret is added, edited, or deleted, a new bundle is created, with a new bundle ID.