Jennifer88huang commented on a change in pull request #5091: [doc] Improve Pulsar Security Encryption URL: https://github.com/apache/pulsar/pull/5091#discussion_r321194842
########## File path: site2/docs/security-encryption.md ########## @@ -141,29 +148,29 @@ pulsarClient.close(); ``` ## Key rotation -Pulsar generates new AES data key every 4 hours or after a certain number of messages are published. The asymmetric public key is automatically fetched by producer every 4 hours by calling CryptoKeyReader::getPublicKey() to retrieve the latest version. +Pulsar generates new AES data key every 4 hours or after publishing a certain number of messages. Producer fetch the asymmetric public key every 4 hours by calling CryptoKeyReader::getPublicKey() to retrieve the latest version. + +## Enable encryption at the producer application: +If you produce messages that are consumed across application boundaries, you need to ensure that consumers in other applications have access to one of the private keys that can decrypt the messages. You can do this in two ways: +1. The consumer application provides you access to their public key, which you add to your producer keys. +2. You grant access to one of the private keys from the pairs that producer uses. -## Enabling encryption at the producer application: -If you produce messages that are consumed across application boundaries, you need to ensure that consumers in other applications have access to one of the private keys that can decrypt the messages. This can be done in two ways: -1. The consumer application provides you access to their public key, which you add to your producer keys -1. You grant access to one of the private keys from the pairs used by producer +In some cases, the producer may want to encrypt the messages with multiple keys. For this, add all such keys to the config. Consumer is able to decrypt the message, as long as the consumer has access to at least one of the keys. -In some cases, the producer may want to encrypt the messages with multiple keys. For this, add all such keys to the config. Consumer will be able to decrypt the message, as long as it has access to at least one of the keys. +Here is an example if you need to encrypt the messages using 2 keys (myapp.messagekey1 and myapp.messagekey2): Review comment: Try to not use "Here is" in technical writing. Check IBM style guides. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
