Encrypt couple of my document fields

(Tomer Praizler) #1


I am storing some sensitive information in elasticsearch, which I want to be stored encrypted.
I don't plan to search on those fields, so elasticsearch will just store those fields for me.

Is there a recommended approach to achieve this?
I need to encrypt the data while indexing, and decrypt when I get the search response.


(Daniel Mitterdorfer) #2

Hi Tomer,

you can solve this almost entirely at the application level in your mapping layer, so before indexing a document, your application encrypts the field and when retrieving a document it decrypts it.

Regarding Elasticsearch, I'd just ensure to store these fields as not_analyzed, so Elasticsearch indexes the fields as is.


(Tomer Praizler) #3

Thanks. That's what I thought so.

(Ramya) #4

Hi daniel,
Nice explanation,I want to store my postgres db credential(username and password) in elasticsearch as encrypted format .What I have to do for that? Can u please help me..waiting for ur response..Thanks in advance

(Ramya) #5

Hi Tomer,
How you store your Sensitive Information in elasticsearch as encrypted and how you decrypt that,Because I too want to store my sensitive data to store as encrypted in Elasticsearch and have to decrypt when search.Eagerly expecting your kind reply..

(Tomer Praizler) #6

@Ramya sorry for the delayed response.
It doesn't sound healthy to store your credentials for one datastore in another datastore.
take for example the scenario in which datastoreA is not available, that means you can't connect to datastoreB, which doesn't make sense.
Sensitive credentials should be stored as part of your machine environment, not sure how you run your machines.
If you have your machines running as part of a cloud service: aws \ heroku \ etc, you get support to how your provide environment variables. if you have your own on-premise machines, you should do it by yourself.

Now, about the encryption, I didn't do it because I didn't want to loose the search functionality (if you encrypt your data, you can't search on it, not using elastic queries at least). I decided to invest more in securing my es using shield.

So if you don't care about your data being searchable, your option as far as I know it, is what @danielmitterdorfer suggested. you should programmatically encrypt \ decrypt your data.

(Ramya) #7

Thank you so much....for the great explanation

(system) #8