Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up)
Download entire manual as PDF - v2.4.0


Decryption of Data

Currently, Cribl LogStream supports decryption only when Splunk is the end system. In Splunk, decryption is available to users of any role with permissions to run the decrypt command that ships with Cribl App for Splunk. Further restrictions can be applied with Splunk capabilities. This page provides details.

Decrypting in Splunk

Decryption in Splunk is implemented via a custom command called decrypt. To use the command, users must belong to a Splunk role that has permissions to execute it. Capabilities, which are aligned to Cribl Key Classes, can be associated with a particular role to further control the scope of decrypt.


Decrypt Command Is Search Head ONLY

To ensure that keys don't get distributed to all search peers – including peers that your search head can search, but you don't have full control over – decrypt is scoped to run locally on the installed search head.

Restricting Access with Splunk Capabilities

In Splunk, capability names should follow the format cribl_keyclass_N, where N is the Cribl Key Class. For example, a role with capability cribl_keyclass_1 has access to all key IDs associated with key class 1.

Capability Name

Corresponding Cribl Key Class



Configuring Splunk Search Head to Decrypt Data

You set up decryption in Splunk according to this schematic:

  1. Install the Cribl App for Splunk on your Splunk search head.

    As of LogStream v1.7, the app will run in search head mode by default. If the app has previously been installed and later modified, you can convert it to search head mode with the command: $CRIBL_HOME/bin/cribld mode-searchhead. (When installed as a Splunk app, $CRIBL_HOME is $SPLUNK_HOME/etc/apps/cribl.)

  2. Assign permissions to the decrypt command, per your requirements.

  3. Assign capabilities to your roles, per your requirements. If you'd like to create more capabilities, ensure that they follow the naming convention defined above.

  4. Sync auth/(cribl.secret|keys.json). To successfully decrypt data, the decrypt command will need access to the same keys that were used to encrypt. The cribl.secret and keys.json files in $CRIBL_HOME/local/cribl/auth – which must be in the same Cribl instance where encryption happened – should be synced/copied over to the files on the Search Head/decrypting side. When using the UI, these files can be downloaded through the Get Key Bundle button.

Updated 6 months ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.