You can encrypt the Splunk buckets with Vormetric Data Encryption. A VTE agent runs on each indexer. This provides an overlay secure file system on top of EXT4/XFS etc. The Vormetric policy gives the Splunk binary (splunkd) and other processes permission to the guardpoint (the data path, /data/hot for example). When data is written to the hot dir, it's encrypted on the way in. When splunkd reads the data back into memory, it's decrypted on the way out. This is basically a shim in the I/O path. We have done this successfully on several systems. Performance is around 2% CPU up to 70% CPU utilization.

With Vormetric's Live Data Transformation (LDT), we can apply the VTE guardpoint on cleartext buckets with only a momentary downtime of the indexer to erect the guardpoint. At that point, the data being written and read is immediately encrypted with the key. The existing data will be encrypted in the background based on the QoS schedule that is set. For my particular implementation, we set the QoS on LDT for 5pm - 7am Mon-Fri. The background encryption for these particular indexers took about 2 hrs to complete while the reads/writes continued. We have key versioning set that is automatically kicked off at 180 days. LDT takes care of understanding data read with key version 1 and then writing it back with key version 2 if the key versioning date is hit. It's pretty easy, Vormetric policy-wise, to take care of any processes that need permission in the guardpoint.
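As an added illustration (not from the post above and not Vormetric's code), the model below mimics the guardpoint semantics described: an allowlisted process such as splunkd sees cleartext, any other process sees only what sits on disk, and each stored file carries the key version it was written under so that a read after key rotation still decrypts and an LDT-style background pass can rewrite it under the current key. The cipher is a toy HMAC-SHA256 keystream, the process names and paths are constructed, and nothing here models the real product's key management.

```python
import hmac, hashlib, os

class Guardpoint:
    def __init__(self, allowed_processes):
        self.allowed = set(allowed_processes)
        self.keys = {1: os.urandom(32)}   # key version -> key material (constructed)
        self.current = 1
        self.store = {}                    # path -> bytes as they sit on disk

    def rotate_key(self):
        # New writes use the new version; older files stay readable via their version byte.
        self.current += 1
        self.keys[self.current] = os.urandom(32)

    def _keystream(self, version, nonce, n):
        # Toy HMAC-SHA256 counter keystream, NOT the product's cipher.
        key, out, ctr = self.keys[version], b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _encrypt(self, plaintext):
        nonce = os.urandom(16)
        ks = self._keystream(self.current, nonce, len(plaintext))
        return bytes([self.current]) + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def _decrypt(self, raw):
        version, nonce, ct = raw[0], raw[1:17], raw[17:]
        ks = self._keystream(version, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def write(self, process, path, plaintext):
        if process not in self.allowed:
            raise PermissionError(f"{process} may not write inside the guardpoint")
        self.store[path] = self._encrypt(plaintext)   # encrypted on the way in

    def read(self, process, path):
        raw = self.store[path]
        if process not in self.allowed:
            return raw                  # non-allowlisted process sees only ciphertext
        return self._decrypt(raw)       # decrypted on the way out

    def background_transform(self, path):
        # LDT-style rewrap: decrypt under the stored version, re-encrypt under the current one.
        if self.store[path][0] != self.current:
            self.store[path] = self._encrypt(self._decrypt(self.store[path]))
```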