Hi

as other already said it isn’t currently possible. If you thing that this is really necessary then create entry into ideas.splunk.com.

Of course you could encrypt file system level with os / cloud tools if needed. Then you could create separate environment for those indexes. But you must have also separate SH for access those indexers where those indexes are. And remember that when SH have done those queries then data will be on their disks for some time before it will expire. For that time anyone who has command line access as splunk or root can see that data. 
So you have lot of other things to consider than just add key to access those indexes!

r. Ismo

Hi @spy_jr 

It isnt possible to encrypt your indexes in their entirety with Splunk itself, but as others have suggested you can use various 3rd party apps which try to encrypt parts of an event. The problem with these is it makes it a nightmare from a resource usage point of view and search performance would be terrible. I really would advise against this.

Looking at your usecase of preventing users copying data from your Splunk instance and reading it on another - even if you use approaches like the above, or if there was a way to encrypt Splunk index data using Splunk then the key which would be used to encrypt/decrypt the data would also need to be accessible by Splunk, meaning any attacked who was able to access your data to exfiltrate it could also exfiltrate the keys and thus decrypt the data anyway.

If you are looking to protect/encrypt the data at rest (ie at a disk level) then you could use enable disk encryption at the operating system level (e.g., BitLocker, LUKS) to protect all data, including Splunk indexes, but again, this wouldnt protect if a user was able to access the running system.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@spy_jr 

I dont think Splunk natively support index-level encryption with key-based access control that would prevent someone from copying raw index data.
You can encrypt/mask sensitive fields.
#https://www.splunk.com/en_us/blog/tips-and-tricks/encrypting-and-decrypting-fields.html?locale=en_us

Also you can have a look at this App(I havent tested personally)#https://splunkbase.splunk.com/app/282

Alternatively, you can consider encrypted filesystems or using external encryption tools.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Hi @spy_jr 

Actually, you can grant access to this particular index only to the required user ids. in that way you can easily control who can see or search or do anything with the index. 

Pls check some discussions here - 

https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-encrypt-sensitive-data-in-index-time...