Encryption and Decryption of API Payload on Kong API Gateway

Hi There,

I have successfully installed Kong API Gateway on my machine and I have also onboarded a couple of services on it. Currently, I have a requirement to implement encryption of the request/response payload using the AES-256 encryption algorithm.

Basically, I want to expose my APIs in encrypted form using the AES-256 algorithm. The following is a sample flow:

  1. The client application will encrypt the request body using the AES-256 encryption algorithm and will send this encrypted payload in the API request body.
  2. Kong will receive this encrypted API request and will decrypt it using the AES-256 algorithm. The decrypted body will be sent to the upstream servers for processing.
  3. In the response flow, Kong will receive the plain-text response body from the upstream server. Kong will then encrypt the response using the same algorithm and send it to the client application.

As I am new to Kong API Gateway, I need your assistance in understanding how to implement this encryption on Kong API Gateway.

Thanks,
Nitiraj

This is usually handled between the client and the backend service provider. As an API Gateway (proxy), try to keep operations minimal and at the header level, and avoid touching the payload, as this can significantly impact your Gateway's throughput and memory.

Also, Kong does not have an OOB plugin to perform this. You can write a custom plugin to achieve it, but you should re-evaluate whether that is really required.

Thanks @JohnWilliams for your reply.

We want to standardize requests/responses for multiple service providers. That is where we need to modify the request and response body.

And yes, we were able to achieve this using a custom Go plugin, and it is working fine.

I agree with your suggestion to avoid such changes at the payload level, but we are doing this for some APIs only. We will keep changes at the Gateway level minimal.

Thanks,
Nitiraj
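An added worked example of the three-step flow from the original post (client encrypts, gateway decrypts for the upstream, gateway encrypts the upstream response), written in Go because that is the language Nitiraj says the custom plugin was built in. This is not code from the thread or from Kong. It uses AES-256-GCM, an authenticated mode, because "AES 256" on its own does not name a mode, and an unauthenticated mode such as CBC or ECB would let anyone between the client and the gateway alter the body without the gateway noticing. The 32-byte key, the wire format (base64 of nonce, ciphertext and tag), the use of the route path as GCM additional data, the sample payloads and the GatewayDecryptRequest / GatewayEncryptResponse names are all assumptions of this example; reading and replacing the raw body through the Kong Go PDK in the access and response phases is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PayloadCipher wraps an AES-256-GCM AEAD. GCM authenticates the body, so a
// modified ciphertext fails on the gateway instead of reaching the upstream.
type PayloadCipher struct {
	aead cipher.AEAD
}

// NewPayloadCipher builds the cipher from a 32-byte key. Assumption: in a real
// plugin the key comes from plugin configuration backed by a secret store.
func NewPayloadCipher(key []byte) (*PayloadCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PayloadCipher{aead: aead}, nil
}

// Seal encrypts a body. Wire format (assumed by this example):
// base64(nonce || ciphertext || tag). The nonce is random per message; reusing
// one under the same key breaks GCM. aad is authenticated but not transmitted;
// binding the route path stops a ciphertext captured for one API being
// replayed against another.
func (p *PayloadCipher) Seal(plaintext, aad []byte) (string, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := p.aead.Seal(nonce, nonce, plaintext, aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. Failures are reported generically so the gateway can
// answer with one 4xx and not leak whether the key or the tag was wrong.
func (p *PayloadCipher) Open(body string, aad []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, errors.New("encrypted body is not valid base64")
	}
	ns := p.aead.NonceSize()
	if len(raw) < ns+p.aead.Overhead() {
		return nil, errors.New("encrypted body too short")
	}
	plaintext, err := p.aead.Open(nil, raw[:ns], raw[ns:], aad)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered body")
	}
	return plaintext, nil
}

// GatewayDecryptRequest is the shape of the request-phase step: the client's
// encrypted body in, plaintext for the upstream out.
func GatewayDecryptRequest(p *PayloadCipher, encryptedBody, routePath string) ([]byte, error) {
	return p.Open(encryptedBody, []byte(routePath))
}

// GatewayEncryptResponse is the shape of the response-phase step: the
// upstream's plaintext body in, encrypted body for the client out.
func GatewayEncryptResponse(p *PayloadCipher, plaintext []byte, routePath string) (string, error) {
	return p.Seal(plaintext, []byte(routePath))
}

func main() {
	// Constructed demo key; never hard-code a real one.
	pc, err := NewPayloadCipher([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	const route = "/v1/transfer"

	// 1. Client encrypts the request body (constructed sample payload).
	wire, _ := pc.Seal([]byte(`{"account":"123","amount":10}`), []byte(route))
	fmt.Println("client sends:", wire)

	// 2. Gateway decrypts it for the upstream.
	plain, err := GatewayDecryptRequest(pc, wire, route)
	fmt.Printf("upstream receives: %s (err=%v)\n", plain, err)

	// 3. Gateway encrypts the upstream's plaintext response for the client.
	enc, _ := GatewayEncryptResponse(pc, []byte(`{"status":"accepted"}`), route)
	fmt.Println("client receives:", enc)

	// The same ciphertext replayed against another route fails the tag check.
	_, err = GatewayDecryptRequest(pc, wire, "/v1/refund")
	fmt.Println("replayed to /v1/refund:", err)
}
```

Two practical points follow from this shape. Both steps need the whole body in memory before the cipher can run (GCM cannot verify the tag until the last byte arrives), which is exactly the throughput and memory cost raised in the first reply, so limiting it to a few routes is the right call. And a key shared by every client gives no client-to-client separation; if the goal is more than a standardized envelope, a per-client key or a key id carried in a header, with TLS still in place underneath, is the minimum.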