How can I encrypt indexed data?



Splunk version: 6.4.x
OS: Linux 64-bit

The customer wants the indexed data to be encrypted.

How can I encrypt indexed data?

Must I use a third-party solution?


You can encrypt the Splunk buckets with Vormetric Data Encryption. A VTE agent runs on each indexer. This provides an overlay security file system on top of EXT4/XFS etc. The Vormetric policy allows the Splunk binary (splunkd) and other processes permission to the guardpoint (data path /data/hot, for example). When data is written to the hot dir, it's encrypted on the way in. When splunkd reads the data back into memory, it's decrypted on the way out. This is basically a shim in the I/O path. We have done this successfully on several systems. Performance is around 2% CPU up to 70% CPU utilization. With Vormetric's Live Data Transformation (LDT), we can apply the VTE guardpoint on cleartext buckets with only a momentary downtime of the indexer to erect the guardpoint. At that point, the data being written and read is immediately encrypted with the key. The existing data will be encrypted in the background based on the QoS schedule that is set. For my particular implementation, we set the QoS on LDT for 5pm - 7am Mon-Fri. The background encryption for these particular indexers took about 2 hrs to complete while the reads/writes continued. We have key versioning set that is automatically kicked off at 180 days. LDT takes care of understanding data read with key version 1 and then writing it back with key version 2 if the key versioning date is hit. It's pretty easy, Vormetric-policy-wise, to take care of any processes that need permission in the guardpoint.

Splunk Employee

What do you mean? Do you need them encrypted while the system is running, or for offline protection?

There is no supported method for encrypting Splunk indexed data while it's in buckets (hot / warm / cold) and being used. This would need to be done at the OS or storage level, via a third-party solution.

So here is what most will do:

1) Encrypted volumes. Encrypt the volume your Splunk DBs are on. This ensures that the volumes are not accessible when the computer is not turned on (if the disks are stolen, copied while off, etc.). Typically involves an encryption key for booting up.

2) Encrypt your cold / frozen buckets. Splunk won't be able to read them until decrypted, though. You can put these wherever.

But again, Splunk cannot read these encrypted indexes.
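Option 2 above, as an added example that is not from the original thread or from Splunk: a hypothetical coldToFrozenScript that streams a bucket directory through openssl into an encrypted archive when Splunk freezes it, plus a matching thaw step for restoring it where Splunk can read it again. It assumes openssl is installed, that the passphrase lives in a root-only file named by FROZEN_KEY_FILE, and that archives go to FROZEN_ARCHIVE_DIR (both variable names are my own).

```shell
#!/bin/sh
# Hypothetical coldToFrozenScript (configured per index in indexes.conf).
# Splunk invokes it as "<script> <bucket_path>" when a bucket rolls to frozen.
set -eu

# Assumed operator settings: archive location and a root-only passphrase file.
FROZEN_ARCHIVE_DIR="${FROZEN_ARCHIVE_DIR:-/opt/splunk_frozen}"
FROZEN_KEY_FILE="${FROZEN_KEY_FILE:-/etc/splunk/frozen.key}"

# Archive one bucket directory as <bucket>.tar.enc; the tar stream goes
# straight into openssl, so no cleartext copy of the bucket touches disk.
freeze_bucket() {
    bucket="${1%/}"
    [ -d "$bucket" ] || { echo "not a bucket directory: $bucket" >&2; return 1; }
    name=$(basename "$bucket")
    out="$FROZEN_ARCHIVE_DIR/$name.tar.enc"
    mkdir -p "$FROZEN_ARCHIVE_DIR"
    tar -C "$(dirname "$bucket")" -cf - "$name" \
        | openssl enc -aes-256-cbc -pbkdf2 -salt \
            -pass "file:$FROZEN_KEY_FILE" -out "$out"
    echo "$out"
}

# Decrypt an archive into a directory (e.g. the index's thaweddb path) so
# Splunk can read the bucket again; the passphrase is never put on argv.
thaw_bucket() {
    archive="$1"
    dest="$2"
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$FROZEN_KEY_FILE" -in "$archive" \
        | tar -C "$dest" -xf -
}

# When run by Splunk, the bucket path is the first argument. A non-zero exit
# (set -e above) tells Splunk the archive step failed rather than succeeded.
if [ -n "${1:-}" ]; then
    freeze_bucket "$1"
fi
```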


Thanks for the answer.
