Currently, Cribl LogStream supports decryption only when Splunk is the end system. In Splunk, decryption is available to users of any role with permissions to run the
decrypt command that ships with Cribl App for Splunk. Further restrictions can be applied with Splunk capabilities. This page provides details.
Decryption in Splunk is implemented via a custom command called decrypt. To use the command, users must belong to a Splunk role that has permission to execute it. Capabilities, which are aligned to Cribl Key Classes, can be associated with a particular role to further control the scope of
Decrypt Command Is Search Head ONLY
To ensure that keys don't get distributed to all search peers – including peers that your search head can search, but that you don't have full control over – decrypt is scoped to run locally on the installed search head.
In Splunk, capability names should follow a fixed format in which the trailing number N is the Cribl Key Class. For example, a role with the capability cribl_keyclass_1 has access to all key IDs associated with the corresponding Cribl Key Class.
You set up decryption in Splunk as follows:
Install the Cribl App for Splunk on your Splunk search head.
As of LogStream v1.7, the app runs in search head mode by default. If the app was previously installed and later modified, you can convert it to search head mode with the command: $CRIBL_HOME/bin/cribld mode-searchhead. (When installed as a Splunk app,
Assign permissions to the decrypt command, per your requirements.
Assign capabilities to your roles, per your requirements. If you'd like to create more capabilities, ensure that they follow the naming convention defined above.
Make $CRIBL_HOME/local/cribl/auth/(cribl.secret|keys.json) available on the search head. To successfully decrypt data, the decrypt command needs access to the same keys that were used to encrypt. The files in $CRIBL_HOME/local/cribl/auth – taken from the Cribl instance where encryption happened – should be synced/copied over to the Search Head/decrypting side. When using the UI, these files can be downloaded through the Get Key Bundle button.
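As an added example (not from the Cribl documentation or the Cribl App for Splunk), this is how the command-permission and capability steps above can be expressed in Splunk configuration: a local.meta entry that grants read access on the decrypt command only to specific roles, and an authorize.conf that declares capabilities following the cribl_keyclass_N convention and binds each role to only the key classes it should be able to decrypt. The role names, the key class numbers, and the app directory placeholder are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/<cribl-app-dir>/metadata/local.meta   (assumed location)
# Command permissions: only members of the listed roles may run decrypt.
# Role names are assumed for this example.
[commands/decrypt]
access = read : [ cribl_decrypt_pii, cribl_decrypt_ops ], write : [ admin ]
export = system

# $SPLUNK_HOME/etc/system/local/authorize.conf   (or the app's local/authorize.conf)
# Capability naming: one capability per Cribl Key Class, named cribl_keyclass_N.
[capability::cribl_keyclass_1]
[capability::cribl_keyclass_2]

# Role that may decrypt only key class 1 (assumed: fields classified as PII).
[role_cribl_decrypt_pii]
importRoles = user
cribl_keyclass_1 = enabled

# Role that may decrypt only key class 2 (assumed: operational secrets).
[role_cribl_decrypt_ops]
importRoles = user
cribl_keyclass_2 = enabled

# Weak setting to avoid: attaching every key class to the broad "user" role
# removes the per-class restriction for everyone who can run decrypt.
# [role_user]
# cribl_keyclass_1 = enabled
# cribl_keyclass_2 = enabled
```

Keeping the capabilities on narrow, purpose-specific roles means that adding someone to cribl_decrypt_pii grants decryption of key class 1 only, while the decrypt command itself stays invisible to roles that are not listed in local.meta. After editing, restart Splunk or reload the configuration, then confirm the effective capabilities per role under Settings > Roles or via the /services/authorization/roles REST endpoint.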