I've been trying to get elasticsearch to store indexes in an encrypted
format. I know people have opted it here, but using full disk encryption is
not a solution for me. The only place where the information that is being
indexed is allowed to be available in plain form is in memory. This allows
elasticsearch/Lucene to do its thing while the actual information cannot be
read from disk without the proper key material. As far as I can find,
there's no such implementation for elasticsearch as of yet.

What I've done so far is create I/O wrappers for Lucene 4.3 that accept
read/seek/write requests like regular IndexInput and IndexOutput instances,
but use CipherInputStream and CipherOutputStream to delegate the byte
operations to a 'real' IndexInput or IndexOutput. This seems to work fine.

I've found that elasticsearch does a comparable trick with wrapping index
I/O instances, so I figured my code should be relatively easy to apply to
the elasticsearch code base.

Alas, this turns out to be untrue, as finding where to insert my wrappers
on top of / below elasticsearch's is proving problematic. Wrapping the
entire directory instance in StoreFileMetaData with one that wraps all I/O
requests with one of my wrappers is problematic, as the tests never seem to
create an empty index. Wrapping the I/O classes in Store.StoreDirectory
doesn't seem to work either, as it keeps creating I/O classes outside this
point, causing it to read encrypted data without decrypting it.

So I'm looking for the best place to hook this into elasticsearch. I've
verified that my encryption/decryption wrappers work with Lucene, so I'd
like to build a POC to make this work within elasticsearch. Any great ideas
from the community?
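
Seek support is the hard part of the wrappers described in the post, because a cipher stream normally has to be consumed from its start. The following is an added example, not the poster's code and not part of elasticsearch or Lucene: it assumes AES in CTR mode (the post does not name a cipher mode) and decrypts from an arbitrary byte offset by recomputing the counter block; the class name, method names and sample data are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeekableCtrDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // Counter block for the AES block that contains byte offset pos:
    // base IV + pos/16, as a big-endian 128-bit integer (wraps mod 2^128).
    static byte[] counterAt(byte[] baseIv, long pos) {
        byte[] raw = new BigInteger(1, baseIv).add(BigInteger.valueOf(pos / BLOCK)).toByteArray();
        byte[] out = new byte[BLOCK];
        int n = Math.min(raw.length, BLOCK);
        System.arraycopy(raw, raw.length - n, out, BLOCK - n, n);
        return out;
    }

    // Decrypts len bytes starting at absolute offset pos without reading earlier bytes.
    static byte[] readAt(byte[] key, byte[] baseIv, byte[] onDisk, long pos, int len) throws Exception {
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(counterAt(baseIv, pos)));
        c.update(new byte[(int) (pos % BLOCK)]); // discard keystream before pos inside the block
        return c.update(onDisk, (int) pos, len);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[BLOCK];
        rnd.nextBytes(key);
        rnd.nextBytes(iv); // must be unique per file for a given key
        // Constructed sample standing in for the bytes of one index file.
        byte[] plain = "constructed sample segment data: term dictionary, postings, stored fields"
                .getBytes(StandardCharsets.UTF_8);
        Cipher enc = Cipher.getInstance("AES/CTR/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] onDisk = enc.doFinal(plain);

        long pos = 37; // unaligned offset, as a seek() would produce
        int len = 20;
        byte[] got = readAt(key, iv, onDisk, pos, len);
        byte[] want = Arrays.copyOfRange(plain, (int) pos, (int) pos + len);
        if (!Arrays.equals(got, want)) throw new AssertionError("seek mismatch");
        System.out.println(new String(got, StandardCharsets.UTF_8));
    }
}
```

CTR mode gives confidentiality only: it does not detect modified ciphertext, and reusing a key and IV pair for two files exposes the XOR of their plaintexts.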