Adding multi tenant encryption at rest

Hey everyone, at my job we want to add encryption at rest with multi-tenant keys, like this plugin called elasticrypt did a long time ago.
Since this plugin is deprecated, I wanted to know if it is still possible to do such a thing with a plugin I will build or with something already built in to Elastic (6.8 and above).
If so, could you please guide me in the right direction (for building such a plugin or if there's something built in to Elastic) so I would know where to look.
Thanks in advance.

Hello Ori,

As far as I know there is currently no way to do that (but it might be possible with a plugin?): Elasticsearch relies on the operating system to encrypt the disk for their "data at rest". Also, Elastic supports data at rest for platinum and enterprise licenses (it is possible without the license but you might not get support if something happens).

What use case/problem do you want to solve? Maybe there is another way for it?

Best regards
Wolfram

We want each of our tenants to have a different key for encryption at the file system level.
The solution that Elastic has is one key for all tenants and that's not good for us.

Can you explain how your tenants are structured? Do all tenants live in the same Elasticsearch cluster in different indices?

Why do you want data at rest encryption with different keys - I understand that you have tenants but encryption at rest keeps the data secure when stored on the filesystem - it is not an authorization feature to prevent unauthorized access from users?

Currently all tenants are stored under the same index, but we might change that in order to have different encryption keys for each tenant. This level of encryption was a requirement from our tenants, so there isn't much we could do there.

Hello Ori,

One option would be the Cross Cluster Search (disclaimer: I have not tried it yet): Search across clusters | Elasticsearch Reference [7.11] | Elastic

Each tenant could have its own cluster which could be on different encrypted volumes which would meet your security requirements. This would also cleanly separate your tenants. You could then use Cross Cluster Search to connect them and search over all of them as you did before.

Best regards
Wolfram

2 Likes
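
A sketch of the layout suggested in the reply above, added here as an example that is not part of the thread: it builds the `cluster.remote` settings body that registers each tenant's cluster on a coordinating cluster, and the `alias:index` expression for a cross-cluster search limited to chosen tenants. The tenant aliases, hostnames and index name are constructed placeholders, and each tenant cluster's data path is assumed to already sit on a volume encrypted with that tenant's own key.

```python
import json
import re

# Constructed sample: tenant alias -> transport seed of that tenant's own cluster.
# Hostnames are placeholders, not values from the thread.
TENANT_SEEDS = {
    "tenant_a": ["es-tenant-a.example.internal:9300"],
    "tenant_b": ["es-tenant-b.example.internal:9300"],
}

# Keep aliases simple so they can never contain ':' or ',' and change
# the meaning of the "<alias>:<index>" search expression.
ALIAS_RE = re.compile(r"^[a-z0-9_-]+$")


def remote_cluster_settings(tenant_seeds):
    """Body for PUT _cluster/settings on the coordinating cluster."""
    remotes = {}
    for alias, seeds in tenant_seeds.items():
        if not ALIAS_RE.match(alias):
            raise ValueError(f"invalid remote cluster alias: {alias!r}")
        remotes[alias] = {"seeds": list(seeds)}
    return {"persistent": {"cluster": {"remote": remotes}}}


def search_target(index, tenants, tenant_seeds):
    """Index expression that searches `index` only on the named tenant clusters."""
    unknown = sorted(set(tenants) - set(tenant_seeds))
    if unknown:
        raise ValueError(f"no remote cluster registered for: {unknown}")
    return ",".join(f"{alias}:{index}" for alias in sorted(set(tenants)))


if __name__ == "__main__":
    print("PUT _cluster/settings")
    print(json.dumps(remote_cluster_settings(TENANT_SEEDS), indent=2))
    # "documents" is a hypothetical index name present on every tenant cluster.
    target = search_target("documents", ["tenant_a", "tenant_b"], TENANT_SEEDS)
    print(f"GET /{target}/_search")
```

Building the search target from an explicit tenant list keeps a query from fanning out to every registered cluster unless the caller asks for that.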
