Using HPKE to Encrypt Request Payloads

What's this blog post about?

The Managed Rules team at Cloudflare has implemented a feature that lets Enterprise users debug Firewall Rules by viewing the part of a request that matched the rule, while ensuring that the debugging data is stored securely. They chose Hybrid Public Key Encryption (HPKE) because it combines symmetric and public-key cryptography, aiming for a single solution that is future-proof, robust, and interoperable. HPKE is an emerging standard developed by the Crypto Forum Research Group (CFRG) that provides a high level of security in a generic manner and includes the hooks needed to tie messages to their context. The team implemented HPKE in Rust because of its native primitives and its ability to compile to WebAssembly, which allows the code to be reused across the edge component that encrypts payloads and the UI and CLI that decrypt them.

Company
Cloudflare

Date published
Feb. 19, 2021

Author(s)
Miguel de Moura, Andre Bluehs

Word count
1766

Hacker News points
2

Language
English


By Matt Makai. 2021-2024.