Fluent::Plugin::Jwt::Filter

Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key). This plugin uses json-jwt to encrypt/decrypt messages.

Installation

Add this line to your application's Gemfile:

gem 'fluent-plugin-jwt-filter'

And then execute:

bundle

Or install it yourself as:

gem install fluent-plugin-jwt-filter

Usage

fluent-plugin-jwt-filter provides encryption and decryption of messages.

<filter test>
  @type jwt
  method encrypt
</filter>

Select encryption or decryption with the method option.

Encryption

In the following example, input from the in_tail plugin is encrypted by jwt-filter and then output by the out_forward plugin.

<source>
  @type tail
  path /tmp/test.log
  pos_file /tmp/test.log.pos
  tag test
  format json
</source>

<filter test>
  @type jwt
  method encrypt
</filter>

<match test>
  @type forward
  <server>
    host ::1
    port 24224
  </server>
</match>

For encryption, the following options are available.

  • jwk_pub_file: name of the file that holds the public key as a JSON Web Key (JWK). JWK public and private keys can be easily generated with jwk_tool (default name: key.pub).
  • block_cipher_alg: algorithm used to encrypt the contents. The contents are encrypted with a block cipher, and the block cipher's symmetric key is in turn encrypted with the key encryption algorithm. json-jwt currently supports A128GCM, A256GCM, A128CBC-HS256 and A256CBC-HS512 (default: A128GCM; requires "ruby > 2.0.0").
  • key_encryption_alg: algorithm used to encrypt the block cipher's encryption key. A public-key algorithm is assumed. If the JWK was created as a symmetric key, this option is not required (default: RSA1_5).

    @type jwt
    jwk_pub_file fluent/key.pub
    block_cipher_alg A128GCM
    key_encryption_alg RSA1_5

Decryption

In the following example, input from the in_forward plugin is decrypted by jwt-filter and then output by the out_stdout plugin.

<source>
  @type forward
  port 24224
  bind ::1
</source>

<filter test>
  @type jwt
  method decrypt
</filter>

<match test>
  @type stdout
</match>

For decryption, the following options are available.

  • jwk_file: name of the file that holds the private key as a JSON Web Key (JWK). As mentioned in the Encryption section, JWK public and private keys can be easily generated with jwk_tool (default name: key).

    @type jwt
    jwk_file fluent/key
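
The hybrid scheme that block_cipher_alg and key_encryption_alg describe, and its reversal on the decrypt side, shown as an added example that is not the plugin's or json-jwt's own code. It builds an RFC 7516 compact JWE by hand with Ruby's OpenSSL using the documented defaults (RSA1_5 and A128GCM); the function names, the throwaway RSA key and the sample record are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# JWE compact serialization uses unpadded base64url for every segment.
def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Encrypt one record as header.encrypted_key.iv.ciphertext.tag
def jwe_encrypt(record, rsa_pub)
  header = b64u(JSON.generate('alg' => 'RSA1_5', 'enc' => 'A128GCM'))
  cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  cek = cipher.random_key   # fresh 128-bit content encryption key per record
  iv = cipher.random_iv     # 96-bit IV, never reused with the same CEK
  cipher.auth_data = header # the protected header is authenticated as AAD
  ciphertext = cipher.update(JSON.generate(record)) + cipher.final
  # RSA1_5 is RSAES-PKCS1-v1_5, the padding public_encrypt uses by default.
  # RFC 8725 advises preferring RSA-OAEP where both ends support it.
  wrapped = rsa_pub.public_encrypt(cek)
  [header, b64u(wrapped), b64u(iv), b64u(ciphertext), b64u(cipher.auth_tag)].join('.')
end

def jwe_decrypt(token, rsa_priv)
  parts = token.split('.')
  raise ArgumentError, 'JWE compact form needs five segments' unless parts.size == 5
  header = parts[0]
  wrapped, iv, ciphertext, tag = parts[1..4].map { |p| Base64.urlsafe_decode64(p) }
  hdr = JSON.parse(Base64.urlsafe_decode64(header))
  # Pin the algorithms instead of trusting whatever the sender's header claims.
  unless hdr['alg'] == 'RSA1_5' && hdr['enc'] == 'A128GCM'
    raise ArgumentError, 'unexpected alg/enc in header'
  end
  # Ruby's OpenSSL binding accepts truncated GCM tags, so check the length.
  raise ArgumentError, 'GCM tag must be 16 bytes' unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  cipher.key = rsa_priv.private_decrypt(wrapped)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = header
  JSON.parse(cipher.update(ciphertext) + cipher.final) # final raises if tampered
end

# Constructed sample: a throwaway key pair and a record like in_tail would emit.
KEY = OpenSSL::PKey::RSA.new(2048)
RECORD = { 'message' => 'login ok', 'user' => 'alice' }.freeze
TOKEN = jwe_encrypt(RECORD, KEY.public_key)
puts TOKEN.split('.').map(&:length).inspect
puts jwe_decrypt(TOKEN, KEY).inspect
```

Only the holder of the private key can unwrap the per-record key, so the sending host needs nothing more than the public JWK.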