I have a group of indexes, one of which contains sensitive data that must be encrypted so that no one can copy and upload the data to another Splunk instance unless they have the key to decrypt it. Is this possible with Splunk?
There is a very good writeup about this from Duane here - https://community.splunk.com/t5/Security/Encrypting-indexed-data-on-rest/m-p/40840/highlight/true#M1...
Think about what threats you want to secure yourself from and what access the attacker you're trying to protect from would already have.
If you want to do it just for the sake of compliance and checkbox security, just use a filesystem-level or device-level encryption. But those are nowhere near well-developed controls.
Hi
As others have already said, it isn't currently possible. If you think that this is really necessary, then create an entry in ideas.splunk.com.
Of course you could encrypt at the file system level with OS / cloud tools if needed. Then you could create a separate environment for those indexes. But you must also have a separate SH for accessing those indexers where those indexes are. And remember that when the SH has done those queries, the data will be on its disks for some time before it expires. For that time anyone who has command line access as splunk or root can see that data.
So you have a lot of other things to consider than just adding a key to access those indexes!
r. Ismo
Hi @spy_jr
It isn't possible to encrypt your indexes in their entirety with Splunk itself, but as others have suggested you can use various 3rd party apps which try to encrypt parts of an event. The problem with these is it makes it a nightmare from a resource usage point of view and search performance would be terrible. I really would advise against this.
Looking at your use case of preventing users copying data from your Splunk instance and reading it on another - even if you use approaches like the above, or if there was a way to encrypt Splunk index data using Splunk, then the key which would be used to encrypt/decrypt the data would also need to be accessible by Splunk, meaning any attacker who was able to access your data to exfiltrate it could also exfiltrate the keys and thus decrypt the data anyway.
If you are looking to protect/encrypt the data at rest (i.e. at a disk level) then you could enable disk encryption at the operating system level (e.g., BitLocker, LUKS) to protect all data, including Splunk indexes, but again, this wouldn't protect you if a user was able to access the running system.
I don't think Splunk natively supports index-level encryption with key-based access control that would prevent someone from copying raw index data.
You can encrypt/mask sensitive fields.
https://www.splunk.com/en_us/blog/tips-and-tricks/encrypting-and-decrypting-fields.html?locale=en_us
Also you can have a look at this app (I haven't tested it personally): https://splunkbase.splunk.com/app/282
Alternatively, you can consider encrypted filesystems or using external encryption tools.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
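The "mask sensitive fields" route above can be done before the event ever reaches the indexer, so that a copied index only contains tokens. The script below is an added example written for this thread; it is not Splunk's code and not the linked app. It assumes events arrive as JSON, that the sensitive field names are known (`ssn`, `card_number` here), and that the HMAC key is held outside Splunk (a KMS or vault; the key and the events below are constructed demo values). Tokens are deterministic, so `stats count by ssn` still correlates the same person across events, while the token-to-value mapping lives in a separate re-identification store that an index copy does not carry.

```python
"""Keyed pseudonymisation of sensitive fields before the event reaches the indexer.

Added example (not from this thread and not Splunk's own code). Assumes events are
JSON with a known list of sensitive field names, and that the HMAC key is held
outside Splunk; the key below is a constructed demo value.
"""
import hashlib
import hmac
import json

# Assumption: these are the field names that carry the sensitive values.
SENSITIVE_FIELDS = ("ssn", "card_number")

# Constructed 32-byte key for the demo. In a real pipeline the key never sits in a
# Splunk .conf file: whoever can copy the index could then copy the key as well.
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def pseudonymize(value: str, field: str, key: bytes) -> str:
    """Deterministic keyed token: same value in the same field -> same token.

    The field name is mixed in as a domain separator, so the same value appearing
    in two different fields yields two unrelated tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


def mask_event(raw_event: str, key: bytes, fields=SENSITIVE_FIELDS):
    """Replace sensitive fields with tokens.

    Returns (masked_event_json, mapping) where mapping is token -> original value.
    The masked JSON is what gets indexed; the mapping goes to the re-identification
    store that lives outside Splunk.
    """
    event = json.loads(raw_event)
    mapping = {}
    for field in fields:
        if event.get(field) is None:
            continue
        original = str(event[field])
        token = pseudonymize(original, field, key)
        mapping[token] = original
        event[field] = token
    return json.dumps(event, sort_keys=True), mapping


def contains_raw_values(masked_event_json: str, mapping: dict) -> bool:
    """Sanity check before indexing: no original value may survive as a JSON string."""
    return any(json.dumps(original) in masked_event_json for original in mapping.values())


def get_field(event_json: str, field: str):
    """Small helper to read one field back out of a (masked) event."""
    return json.loads(event_json).get(field)


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    '{"time": "2024-01-01T10:00:00Z", "user": "alice", "ssn": "123-45-6789", "action": "login"}',
    '{"time": "2024-01-01T10:05:00Z", "user": "bob", "ssn": "123-45-6789", "card_number": "4111111111111111"}',
    '{"time": "2024-01-01T10:06:00Z", "user": "carol", "action": "logout"}',
]


def run_pipeline(events=SAMPLE_EVENTS, key=DEMO_KEY):
    """Mask every event; return (list of masked events, merged token mapping)."""
    masked, merged = [], {}
    for raw in events:
        out, mapping = mask_event(raw, key)
        if contains_raw_values(out, mapping):
            raise RuntimeError("raw value leaked into masked event")
        masked.append(out)
        merged.update(mapping)
    return masked, merged


if __name__ == "__main__":
    for line in run_pipeline()[0]:
        print(line)
```

Two design points worth keeping in mind: deterministic tokens preserve equality searches but also preserve frequency, so a copied index still reveals how often each token occurs; and the protection only holds if the mapping store and key are reachable from the ingest pipeline and not from the search head or indexer, which is exactly the separation Ismo's answer is pointing at.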
Hi @spy_jr
Actually, you can grant access to this particular index only to the required user IDs. In that way you can easily control who can see or search or do anything with the index.
Pls check some discussions here -
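Restricting the index per role is the right first step, but in practice access leaks in through `importRoles` inheritance and wildcard entries. The audit script below is an added example written for this thread (not a Splunk tool) that answers "which roles can search index X?" from an `authorize.conf`. It assumes the standard layout: `[role_<name>]` stanzas, `srchIndexesAllowed` as a `;`-separated list of names or wildcard patterns, `importRoles` listing inherited roles whose allowed indexes are cumulative, and the convention that a plain `*` does not cover internal `_`-prefixed indexes while `_*` does. The conf text is constructed for the demo.

```python
"""Audit which Splunk roles can search a given index, from authorize.conf.

Added example (not from this thread, not a Splunk tool). Assumptions: [role_<name>]
stanzas, srchIndexesAllowed as ';'-separated index names or wildcard patterns,
importRoles as ';'-separated inherited roles (cumulative), and '*' not matching
'_'-prefixed internal indexes. The conf text below is constructed.
"""
import configparser
import fnmatch

SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
srchIndexesAllowed = *;_*

[role_user]
srchIndexesAllowed = main;web_*

[role_analyst]
importRoles = user
srchIndexesAllowed = proxy

[role_hr_restricted]
importRoles = user
srchIndexesAllowed = hr_sensitive

[role_legacy]
importRoles = hr_restricted;analyst
"""


def _split(value: str):
    """Splunk lists are ';'-separated; drop blanks and surrounding whitespace."""
    return [p.strip() for p in value.split(";") if p.strip()]


def load_roles(conf_text: str) -> dict:
    """Parse role stanzas into {name: {"allowed": [...], "imports": [...]}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    roles = {}
    for stanza in parser.sections():
        if not stanza.startswith("role_"):
            continue
        section = parser[stanza]
        roles[stanza[len("role_"):]] = {
            "allowed": _split(section.get("srchIndexesAllowed", "")),
            "imports": _split(section.get("importRoles", "")),
        }
    return roles


def index_matches(index: str, pattern: str) -> bool:
    """Wildcard match; a pattern without a leading '_' never matches internal indexes."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def effective_patterns(role: str, roles: dict, _seen=None) -> set:
    """All index patterns a role can search, including inherited ones (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    patterns = set(roles[role]["allowed"])
    for parent in roles[role]["imports"]:
        patterns |= effective_patterns(parent, roles, _seen)
    return patterns


def roles_that_can_search(index: str, roles: dict) -> dict:
    """Map role -> sorted list of the patterns that grant it search access to `index`."""
    hits = {}
    for name in roles:
        matching = sorted(p for p in effective_patterns(name, roles)
                          if index_matches(index, p))
        if matching:
            hits[name] = matching
    return hits


def report(index: str, conf_text: str = SAMPLE_AUTHORIZE_CONF) -> dict:
    """Convenience wrapper: parse the conf and audit one index."""
    return roles_that_can_search(index, load_roles(conf_text))


if __name__ == "__main__":
    for role, pats in report("hr_sensitive").items():
        print(f"{role}: via {', '.join(pats)}")
```

On the sample conf, `hr_sensitive` is reachable by `admin` (through `*`), `hr_restricted`, and `legacy`, which never names the index itself and only gets it by importing `hr_restricted`; that inherited path is the kind of thing a per-role review misses. Note what this does and does not cover: it governs who can search through Splunk, but as the earlier answers say, anyone with OS-level access to the indexer can still copy the bucket files regardless of role configuration.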
My approach is for a situation where an attacker infiltrates my Splunk server and starts stealing data. I would like that stolen data to not be opened in another Splunk and viewed unless they have the encryption key.