Encrypting Sensitive Data
Encryption at Ingest-Time and Decryption in Splunk
With Cribl Stream, you can encrypt sensitive data in real time, before it's forwarded to and stored at a destination. Using the out-of-the-box Mask function, you define patterns to encrypt with specific key IDs or key classes. To decrypt in Splunk, install the Cribl App for Splunk on your search head. (The app defaults to mode-searchhead.)
Keys and Key Classes
Symmetric encryption keys can be configured through the CLI or the UI. They’re used to encrypt the patterns, and users are free to define as many keys as required.
Key classes are collections of keys that can be used to implement multiple levels of access control. Users (or groups of users) that have access to data with encrypted patterns can be associated with key classes. You can use these classes to provide more-granular access rights, such as read versus decryption permissions on a dataset.
Encrypting in Cribl Stream and Decrypting in Splunk
1. Define one or more keys and key classes on Cribl Stream. (See the UI- and CLI-based instructions below.)
2. Sync the auth directory with the decryption side (the Splunk Search Head). (The Splunk-side directory is $SPLUNK_HOME/etc/apps/cribl/local/cribl/auth/.)
3. Apply the Mask function to the patterns of interest, using C.Crypto.encrypt().
4. Decrypt on the Splunk search head, using Role-Based Access Control on the decrypt command.
Examples
Encryption Side
You can generate keys via the UI or the CLI.
To generate keys via the UI, go to Group Settings > Security > Encryption Keys.
To generate one or more keys via the CLI, pattern your commands after these examples.
In a single-instance deployment:
$CRIBL_HOME/bin/cribl keys add -c 1 -i
...
$CRIBL_HOME/bin/cribl keys add -c <N> -i
In a distributed deployment, to generate keys on a Worker Group named uk:
$CRIBL_HOME/bin/cribl keys add -c 1 -i -g uk
...
$CRIBL_HOME/bin/cribl keys add -c <N> -i -g uk
Add -e <epoch> to the above commands if you want to set an expiration time for your keys.
For all command/syntax options, see Adding Keys.
Decryption Side
- Download the Cribl Stream App for Splunk from Cribl's Download Cribl Stream page: in the On Prem section, select the Splunk app from the drop-down list. Clicking the orange button downloads a file named cribl-splunk-app-<version-#>-<hash-#>-linux-x64.tgz.
- To install the Cribl Stream App for Splunk on your search head, untar the package into your $SPLUNK_HOME/etc/apps directory. The app will default to mode-searchhead.
- Assign permissions to the decrypt command, per your requirements.
- Assign capabilities to your Roles, per your requirements. Capability names must follow the format cribl_keyclass_N, where N is the Cribl Key Class. For example, a role with the capability cribl_keyclass_1 has access to all key IDs associated with key class 1. You can define as many such capabilities as you need, as long as they follow this naming convention.
- In the $SPLUNK_HOME/etc/apps/cribl/local/cribl/auth/ directory, sync cribl.secret and keys.json. (To successfully decrypt data, the decrypt command needs access to the same keys that were used to encrypt it on the Cribl instance where encryption happened.)
  - In a single-instance deployment, the cribl.secret and keys.json files reside in $CRIBL_HOME/local/cribl/auth/.
  - In a distributed deployment, these files reside on the Leader Node in $CRIBL_HOME/groups/<group-name>/local/cribl/auth/.
  - When using Cribl Stream's UI, you can download these files by clicking Get Key Bundle.
  Sync/copy these files over to their counterparts on the search head (decryption side). In a non-Splunk integration, copy these assets to wherever decryption will take place. Treat both files as secrets: whoever can read cribl.secret and keys.json holds the key material itself, and the Splunk capability check on the decrypt command does nothing to protect against that.
Modifying Keys
When you update keys by editing the keys.json file, place the updated file back in the directories above (on the single instance, or on a distributed deployment's Leader Node), and then re-sync it to the decryption side. Until the search head has the updated keys.json, the decrypt command cannot decrypt values encrypted with the new keys.
Usage
Before encryption: sample unencrypted events. Notice the values of fieldA and fieldB.
Next, encrypt fieldA values with key class 1, and fieldB values with key class 2.
After encryption: again, notice the values of fieldA and fieldB.
Here, we've decrypted fieldB but not fieldA. This is because the logged-in user has been assigned the capability cribl_keyclass_2, but not cribl_keyclass_1.
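The walkthrough above (and the key-class / cribl_keyclass_N capability model described under Keys and Key Classes) is modelled end to end below. This is an added example, not Cribl's or Splunk's own code: the cipher is a stand-in (an HMAC-SHA256 keystream used CTR-style, with no authentication tag), the key-store layout and the "#<keyclass>:<keyid>:<hex>" token format are invented for illustration, and the events are constructed sample input. What it shows is the part the screenshots cannot: a role holding only cribl_keyclass_2 gets fieldB back while fieldA stays ciphertext, and a search head whose keys.json was never re-synced cannot decrypt even when the role has the right capability.

```python
"""Key classes and cribl_keyclass_N capabilities, modelled end to end.

Added example for this page, not Cribl's or Splunk's own code. Assumptions:
the cipher is a stand-in (HMAC-SHA256 keystream, CTR-style), the key-store
layout and the "#<keyclass>:<keyid>:<hex>" token format are invented for
illustration, and the events are constructed sample input.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 12


@dataclass(frozen=True)
class Key:
    key_id: str
    key_class: int
    secret: bytes  # 32 random bytes; never leaves the key store


def generate_keys(key_classes):
    """Stand-in for `cribl keys add -c <N>`: one fresh key per class, keyed by ID."""
    keys = [Key(f"key{n}", n, secrets.token_bytes(32)) for n in key_classes]
    return {k.key_id: k for k in keys}


def _keystream(secret, nonce, length):
    """Derive `length` keystream bytes as HMAC(secret, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(secret, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_value(plaintext, key):
    """Encrypt one field value. The token carries class and key ID so the
    decrypting side can select the key and run the capability check.
    Illustration only: no authentication tag, so tampering is not detected,
    and plain values are assumed never to start with '#'."""
    data = plaintext.encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key.secret, nonce, len(data))))
    return f"#{key.key_class}:{key.key_id}:{(nonce + ct).hex()}"


def decrypt_status(token, keystore, capabilities):
    """Return (status, value). status is one of:
    "plain"     - the value was never encrypted; returned unchanged
    "forbidden" - the role lacks cribl_keyclass_<N> for this token's class
    "missing"   - the key ID is not in the synced key store (stale keys.json)
    "ok"        - decrypted
    """
    if not token.startswith("#"):
        return "plain", token
    cls, key_id, blob = token[1:].split(":", 2)
    if f"cribl_keyclass_{cls}" not in capabilities:
        return "forbidden", token
    key = keystore.get(key_id)
    if key is None or key.key_class != int(cls):
        return "missing", token
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key.secret, nonce, len(ct))))
    return "ok", pt.decode()


def mask_event(event, field_classes, keystore):
    """Ingest side: like a Mask function calling C.Crypto.encrypt() with a key
    class per field. Fields not listed in field_classes pass through."""
    by_class = {k.key_class: k for k in keystore.values()}
    return {
        f: encrypt_value(v, by_class[field_classes[f]]) if f in field_classes else v
        for f, v in event.items()
    }


def decrypt_event(event, keystore, capabilities):
    """Search-head side: like the `decrypt` command. Fields the role may not
    decrypt, or whose key was never synced, stay encrypted."""
    return {f: decrypt_status(v, keystore, capabilities)[1] for f, v in event.items()}


if __name__ == "__main__":
    keystore = generate_keys([1, 2])
    # constructed sample event
    event = {"host": "web01", "fieldA": "4111111111111111", "fieldB": "jane.doe@example.com"}
    encrypted = mask_event(event, {"fieldA": 1, "fieldB": 2}, keystore)
    print("stored:", encrypted)
    # cribl_keyclass_2 only: fieldB comes back, fieldA stays ciphertext
    print("analyst:", decrypt_event(encrypted, keystore, {"cribl_keyclass_2"}))
    # right capability, but keys.json on the search head lacks the class-1 key
    stale = {kid: k for kid, k in keystore.items() if k.key_class != 1}
    print("stale store:", decrypt_status(encrypted["fieldA"], stale, {"cribl_keyclass_1"})[0])
```

The capability check runs before the key lookup on purpose: a role without cribl_keyclass_1 is told nothing about whether the class-1 key even exists on the search head, which mirrors how the decrypt command leaves such fields untouched rather than erroring.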