fix encrypt and decrypt policy docs

Author: lena-larionova

app/_event_gateway_policies/decrypt/examples/decrypt-a-key.yml

@@ -0,0 +1,24 @@
+title: Decrypt everything using an AWS key vault
+
+description: Decrypt everything using a specific AWS key vault.
+
+extended_description: |
+  Decrypt everything using a specific AWS key vault.
+
+weight: 900
+
+requirements: 
+ - "A corresponding [Encrypt policy](/event-gateway/policies/encrypt/examples/encrypt-with-aws/). Event Gateway uses the AWS ARN from the Encrypt policy to find the key for the Decrypt policy."
+
+type: decrypt
+name: decrypt-using-aws
+config:
+  failure_mode: passthrough
+  key_sources:
+    - type: aws
+  decrypt:
+    - part_of_record: key
+    - part_of_record: value
+
+tools:
+  - konnect-api

app/_event_gateway_policies/decrypt/examples/decrypt-everything.yml

@@ -0,0 +1,40 @@
+title: Decrypt using a static key
+
+description: Decrypt everything using a static key.
+
+
+extended_description: |
+  Decrypt everything using a static key.
+
+  The key must be a secret reference to a 128-bit (16-byte) base64-encoded string, or the key itself as a string.  
+  We recommend using secret references to avoid exposing sensitive data in your configuration.
+
+requirements: 
+ - "A corresponding [Encrypt policy](/event-gateway/policies/encrypt/examples/encrypt-with-static-key/). Event Gateway uses the key ID from the Encrypt policy along with the actual key in the Decrypt policy to successfully decrypt."
+weight: 900
+
+variables:
+  key_id:
+    description: |
+      A custom ID for a static key that will be used for encryption. 
+      For example, you can define a key source named `my-key-id`, and reference it as the `decrypt.key.id` for the part of the record you want to encrypt.
+    value: $KEY_ID
+
+
+name: decrypt-static-key
+type: decrypt
+config:
+  failure_mode: error
+  key_sources:
+    - type: static
+      keys:
+        - id: ${key_id}
+          key: "${env['MY_SECRET']}"
+  decrypt:
+    - part_of_record: key
+      key_id: ${key_id}
+    - part_of_record: value
+      key_id: ${key_id}
+
+tools:
+  - konnect-api

app/_event_gateway_policies/decrypt/examples/decrypt-with-aws.yml

@@ -34,6 +34,8 @@ Use this policy to enforce standards for decryption across {{site.event_gateway}
 
 The Decrypt policy uses AES-128-GCM for decryption, therefore keys must be 128 bits long.
 
+Use this policy together with the [Encrypt policy](/event-gateway/policies/encrypt/), which encrypts portions of a message using the same referenced key.
+
 ## Use cases
 
 Common use cases for the Decrypt policy:
@@ -46,11 +48,11 @@ columns:
   - title: Description
     key: description
 rows:
-  - use_case: "[Decrypt a specific key from a source](/event-gateway/policies/decrypt/examples/decrypt-a-key/)"
-    description: Decrypt a key based on a specific key reference name.
+  - use_case: "[Decrypt using a static key](/event-gateway/policies/decrypt/examples/decrypt-with-static-key/)"
+    description: Decrypt a key or value based on a key reference name.
 
-  - use_case: "[Decrypt all keys](/event-gateway/policies/decrypt/examples/decrypt-everything/)"
-    description: Define an AWS key source and decrypt all keys that come from that source.
+  - use_case: "[Decrypt using an AWS key source](/event-gateway/policies/decrypt/examples/decrypt-with-aws/)"
+    description: Decrypt a keys or value using an AWS key source.
 
 {% endtable %}
 <!--vale on-->

app/_event_gateway_policies/decrypt/examples/decrypt-with-static-key.yml

@@ -0,0 +1,29 @@
+title: Encrypt everything using an AWS key vault
+
+description: Encrypt everything in a message using a specific AWS key vault.
+
+requirements: 
+ - "A corresponding [Decrypt policy](/event-gateway/policies/decrypt/examples/decrypt-with-aws/). Event Gateway uses the AWS ARN from the Encrypt policy to find the key for the Decrypt policy."
+ - "[An AWS KMS key ARN](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credproviders.html#credproviders-default-credentials-provider-chain)."
+weight: 900
+
+type: encrypt
+name: encrypt-using-aws
+config:
+  failure_mode: passthrough
+  key_sources:
+    - type: aws
+  encrypt:
+    - part_of_record: key
+      key_id: ${key_id}
+    - part_of_record: value
+      key_id: ${key_id}
+
+variables:
+  key_id:
+    description: |
+      A KMS key ARN in the following format: `arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID`
+    value: "$AWS_KEY_ID"
+
+tools:
+  - konnect-api

app/_event_gateway_policies/decrypt/index.md

@@ -0,0 +1,48 @@
+title: Encrypt using a static key
+
+description: Encrypt portions of a message using a list of static keys.
+
+extended_description: |
+  Encrypt portions of a message using a list of static keys.
+
+  The key must be a secret reference to a 128-bit (16-byte) base64-encoded string, or the key itself as a string.
+  We recommend using secret references to avoid exposing sensitive data in your configuration.
+
+weight: 900
+
+requirements: 
+ - "A corresponding [Decrypt policy](/event-gateway/policies/decrypt/examples/decrypt-with-static-key/). Event Gateway uses the key ID from the Encrypt policy along with the actual key in the Decrypt policy to successfully decrypt."
+ 
+variables:
+  key_id1:
+    description: |
+      A custom ID for a static key that will be used for encryption. 
+      For example, you can define a key source named `my-key-id1`, and reference it as the `encrypt.key.id` for the part of the record you want to encrypt.
+    value: $KEY_ID1
+  key_id2:
+    description: |
+      Another custom ID for a static key that will be used for encryption. 
+      For example, you can define a key source named `my-key-id2`, and reference it as the `encrypt.key.id` for the part of the record you want to encrypt.
+    value: $KEY_ID2
+
+type: encrypt
+name: encrypt-static-key
+config:
+  failure_mode: error
+  encrypt:
+    - part_of_record: value
+      key_id: ${key_id1}
+    - part_of_record: key
+      key_id: ${key_id2}
+  key_sources:
+    - type: static
+      keys:
+        - id: ${key_id1}
+          key: ${env["MY_SECRET"]}
+    - type: static
+      keys:
+        - id: ${key_id2}
+          key: ${env["MY_SECRET"]}
+
+tools:
+  - konnect-api

app/_event_gateway_policies/encrypt/examples/encrypt-a-key.yml

@@ -34,6 +34,8 @@ Use this policy to enforce standards for encryption across {{site.event_gateway}
 
 The Encrypt policy uses AES-128-GCM for encryption, therefore keys must be 128 bits long.
 
+Use this policy together with the [Decrypt policy](/event-gateway/policies/decrypt/), which decrypts portions of a message using the same referenced key.
+
 ## Use cases
 
 Common use cases for the Encrypt policy:
@@ -46,11 +48,11 @@ columns:
   - title: Description
     key: description
 rows:
-  - use_case: "[Encrypt a specific key from a source](/event-gateway/policies/encrypt/examples/encrypt-a-key/)"
-    description: Decrypt a key based on a specific key reference name.
+  - use_case: "[Encrypt portions of a message based on a static key](/event-gateway/policies/encrypt/examples/encrypt-with-static-key/)"
+    description: Encrypt a specific key or value based on a key reference name.
 
-  - use_case: "[Encrypt all keys](/event-gateway/policies/encrypt/examples/encrypt-everything/)"
-    description: Define an AWS key source and encrypt all keys that come from that source.
+  - use_case: "[Encrypt a message using an AWS key source](/event-gateway/policies/encrypt/examples/encrypt-with-aws/)"
+    description: Encrypt all defined keys or values using an AWS key source.
 
 {% endtable %}
 <!--vale on-->