Encryption In Elasticsearch

Debasis_Mallick · June 4, 2024, 11:26am

HI Team,

We need to implement Encryption In Elasticsearch. As we know there are two types of encryption.

Encryption in Transit.
Encryption while data at REST.

Please help us how to achieve the same.

Thanks,
Debasis

leandrojmp · June 4, 2024, 11:40am

Encryption in Transit is done by configuring Elasticsearch to use TLS on both the transport and http endpoints.

The documentation for it starts here and there are also plenty of posts already on the forum about it.

Encryption at REST is not done by Elasticsearch, but by the operating system as explained in this post, for linux normally you just enable dm-crypt on your server.

Debasis_Mallick · June 5, 2024, 6:43am

Thanks @leandrojmp for response. Since encryption at REST depends on third party tool (OS) so is it avliable if we use basic version of Elasticsearch.

Thanks,
Debasis

Debasis_Mallick · June 6, 2024, 10:01am

@leandrojmp As further discussion with DEV team get to know that, they want to encrypt the specific fields in Elasticsearch not the entire record which received from the customer.

leandrojmp · June 6, 2024, 12:45pm

This needs to be done during ingestion, you can do it in both Logstash or using an Ingest pipeline.

Logstash has a fingerprint filter that can generate a hash of some string and Elasticsearch has a fingerprint processor that does the same thing.

But keep in mind thaty ou cannot search for the value befure you execute the fingerprint, only by the hash created.

For example, if you have this:

fieldName: unencrypted value, after you run the fingerprint filter or processor you can have fieldName: random-hash.

You cannot search fieldName for unencrypted value, but you can search using random-hash.

Debasis_Mallick · June 12, 2024, 6:31am

Thanks @leandrojmp for response. As you mentioned user need to search on random-hash value but how the end user or application will know the hash value of the actual value which is send by the customer.

Christian_Dahlqvist · June 12, 2024, 8:05am

The application will need to hash the search term using the same algorithm used when it was indexed. Naturally this will only work for exact matches, although you can make it case insensitive by lowercasing before both indexing and querying

leandrojmp · June 12, 2024, 11:54am

You would need to do something like Christian mentioned, you will need to create the has of the entire value and search for it, it only works for exact matches.

For example, if you have a field named sensitive_message that needs to be encrypted and this field has this value The quick brown fox jumps over the lazy dog, you will create a hash of the entire string, and will only be able to search by the hash.

As mentioned:

But keep in mind that you cannot search for the value before you execute the fingerprint, only by the hash created.

Which I mean is, if you generated a hash for a field, you cannot search on the uncrypted value, only the hash.

Debasis_Mallick · June 25, 2024, 6:29am

@leandrojmp Could you please share any blog reference, how to use fingerprint processor in filebeat.
I tried search in google did not find any blog reference how to use in file beat.

Thanks,
Debasis

leandrojmp · June 25, 2024, 12:54pm

I do not know any blog post about it.

But have you checked the documentation here?

You also have a fingerprint processor that can be used in an ingest pipeline in Elasticsearch, it is pretty similar and the documentation is here.

Christian_Dahlqvist · June 25, 2024, 12:59pm

Although the fingerprint processor will replace fields with hashed values, remember that you will need to be able to exactly replicate this hash calculation in your application code if you want to be able to search of any of these hash values.

Debasis_Mallick · July 10, 2024, 12:02pm

@Christian_Dahlqvist and @leandrojmp As you mentioned fingerprint but it is not same as of encryption. Please correct me if I am wrong , fingerprint will generate a hash value but encryption is a different thing.

Thanks,
Debasis

leandrojmp · July 10, 2024, 12:35pm

Well, hashing can be seem as a one-way encryption, some places refer to it in this way.

But since encryption means that you can also decrypt the data, then yes, they are different things.

In this context it is all you have, so the fingerprint filter will work as a one-way process to encrypt your data, but you cannot decrypt it.

Debasis_Mallick · July 10, 2024, 12:54pm

Thanks @leandrojmp for confirmation. Then how we can achieve data encryption at REST apart from dm-crypt which is a native tool to OS.

Thanks,
Debasis

Christian_Dahlqvist · July 10, 2024, 3:05pm

I believe you need to handle this in your application/code. As far as I know there is no built in support within the stack.

leandrojmp · July 10, 2024, 3:09pm

There is nothing in the stack that would allow you to do that as already mentioned.

If you want to be able to encrypt and decrypt data stored in Elasticsearch, you need to do that on your application or code.

Topic		Replies	Views
Data encryption in Elasticsearch Elasticsearch	5	505	August 19, 2019
Encryption Options Elasticsearch	8	17632	May 28, 2019
How to achieve data Encryption in elasticsearch Elasticsearch elastic-stack-security	11	1121	September 9, 2019
How can I encrypt the data stored in indexes? Kibana kibana-plugin-development	6	8288	November 1, 2022
Data at rest encryption. Is it coming for Elasticsearch? Elasticsearch elastic-stack-security	6	4885	July 6, 2017

Encryption In Elasticsearch

Related topics