How can i encrypt indexed data?



splunk version : 6.4.x
os : Linux-64bit

customer wants indexed data is encrypted.

How can i encrypt indexed data?

Must use third-party soultion?

You can ecrypt the splunk buckets with Vormetric Data Encryption. A VTE agent running on each indexer. This provides an overlay Security File system on top of EXT4/XFS etc. The vormetric policy allows for the splunk binary (splunkd) and other processes permission to the guardpoint (data path /data/hot for example). When data is written to the hot dir. it's enrypted on the way in. When splunkd reads the data back into memory it's decrypted on the way out. This is basically a shim in the I/o path. We have done this successfully on several systems. Performance is around 2% CPU up to 70% CPU utilization. With Vormetric's Live Data Transformation (LDT), we can apply the VTE Guardpoint on cleartext buckets with only a momentary downtime of the indexer to erect the guardpoint. At that point, the data being written and read is immediately encrypted with key. The exisitng data will be encrypted in the background based on the QOS schedule that is set. For my particular implementation, we set the QOS on LDT for 5pm - 7am M-FR. The background enxcryption for these particular indexers took about 2hrs to complete while the read/writes continued. We have key versioning set that is automatically kicked off at 180 days. LDT takes care of understanding data read with key version 1 and then writing back with key version 2 if key versioning date it hit. It's pretty easy policy vormetric wise to take care of any processes that need permission in the guardpoint.

Splunk Employee
Splunk Employee

What do you mean? Do you need them encrypted while the system is running, or for offline protection?

There is no supported method for encrypting Splunk indexed data while its in buckets ( hot / warm / cold) and being used. This would need to be done at the OS or Storage level, via third party solution.

So here is what most will do:

1) Encrypted Volumes. Encrypt the volume your Splunk DBs are on. This ensures that the volumes are not accessible when the computer is not turned on. (If the disk are stolen, copied while off etc.) Typically involves a encryption key for booting up.

2) Encrypt your Cold / Frozen buckets. Splunk wont be able to read them until unencrypted though. You can put these whereever.

But again, Splunk cannot read these encrypted indexes.


Thanks for answer.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!