encrypt/decrypt fields stored in index

lisaac · ‎01-07-2011

I would like to have an option to encrypt/hash certain fields of a specific sourcetype in an index. I would prefer to not use an encrypted fileystem at this time, since this is not a supported option internally. I have a requirement to have specific fields encrypted when stored on disk or in a DB.

I understand that I can mask values at index or search time, but neither of these options meets my requirements. Any suggestions? Is this option a planned enhancement?

ndoshi · ‎03-22-2011

You may want to download this add-on. It provides a pre-processor to encrypt a file's data based on your regex before it is indexed and a decrypt command to decrypt the field at search time provided you also give it the same unique key you used with the encryption. It uses DES.

http://splunkbase.splunk.com/apps/All/4.x/app:Encrypt+and+Decrypt+data+within+Events

southeringtonp · ‎01-07-2011

There isn't a native mechanism for that, at least as of 4.1.

Your best approaches are to either use a scripted input to read the data, or to have an external script pre-process the log files before moving them into a directory monitored by Splunk.

You might also want to submit an enhancement request:
http://answers.splunk.com/questions/4844/how-can-i-submit-an-enhancement-request

encrypt/decrypt fields stored in index

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases