Encryption at rest support

In X-Pack Platinum, "Encryption at rest support" was introduced in the 5.3.0 release. There's no documentation about it, and I understand it is about filesystem encryption on the actual host running Elasticsearch.

I would like to clarify whether this feature is to
option 1: provide a filesystem encryption service with dm-crypt; or
option 2: support running Elasticsearch on an encrypted filesystem (which means we need to do dm-crypt ourselves on the filesystem)?

If it is option 1, could you share:

  • Is the encryption done on a per-node basis or?
  • Will this affect search performance?

Jiali,

This question was previously answered here. It's option 2 on your list.

An encrypted file system has to be set up on each node. The overhead of encryption depends on how well your CPUs support the additional mathematical operations required to encrypt the data, and any overhead incurred by the FS stack. Maximum throughput and duration of individual queries are generally influenced by latencies in the FS.

3 Likes
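A per-node check for the setup described in the answer above, as an added example that is not part of the original thread or of Elasticsearch/X-Pack: it verifies that a data path sits on a dm-crypt-backed filesystem and that the CPU advertises AES instructions. The function names, the sample data and the `/var/lib/elasticsearch` path are assumptions; it expects Linux with util-linux `lsblk`.

```shell
#!/usr/bin/env bash
# Added example: function names and sample data are hypothetical.

# Constructed sample inputs (not from a real host), for offline checks.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw 0 0
/dev/mapper/es_data /var/lib/elasticsearch xfs rw,noatime 0 0'
SAMPLE_LSBLK_CRYPT='es_data crypt
sdb1 part
sdb disk'
SAMPLE_LSBLK_PLAIN='sda2 part
sda disk'
SAMPLE_CPUINFO='flags : fpu vme sse2 aes avx'

# mount_source PATH: read /proc/mounts-format text on stdin and print the
# device of the longest mount point that contains PATH.
mount_source() {
  awk -v p="$1" '
    BEGIN { best = 0 }
    { mp = $2
      if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
        best = length(mp); dev = $1 } }
    END { print dev }'
}

# stack_has_crypt: read `lsblk -rsno NAME,TYPE <device>` output on stdin
# (the device plus every layer beneath it); succeed if any layer is dm-crypt.
stack_has_crypt() {
  awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# cpu_has_aes: read /proc/cpuinfo-format text on stdin; succeed if "aes" is listed.
cpu_has_aes() {
  grep -m1 -E '^(flags|Features)[[:space:]]*:' | grep -qw aes
}

# check_data_path PATH: run the checks against the live node.
check_data_path() {
  local dev
  dev=$(mount_source "$1" < /proc/mounts)
  if lsblk -rsno NAME,TYPE "$dev" | stack_has_crypt; then
    echo "OK: $1 is on $dev, backed by dm-crypt"
  else
    echo "FAIL: $1 is on $dev with no dm-crypt layer"; return 1
  fi
  cpu_has_aes < /proc/cpuinfo || echo "WARN: no AES CPU flag; expect higher encryption overhead"
}
```

Source the file on each node and call `check_data_path` with that node's `path.data` directory; walking the stack with `lsblk -s` also catches a filesystem on LVM that sits on top of the encrypted device.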
