I would like to point out after reading through several closed discussions in this forum that encryption at Rest is achievable but AFAIK not implemented (yet). Some discussions in this forum refer to this problem and the functionality is deemed as not implemented.
However the functionality could be implemented if the API would accept tokens analyzed from the client. If the client could send the encrypted document and the tokens of the document, Elasticsearch could accept them and enter the information in the index as provided. This does compromise the information in the document to an extend that a prediction of the content of the document could be made, but the content could still not be proven without decryption. The context and essences of the document would still be protected, but searchable.
The decision to whether this level of security is sufficient can be made from the client side.
I am hereby encouraging to allow client provided tokens to be inserted into indexes to be implemented in Elasticsearch, if not yet done already.