These docs are for Cribl Stream 4.9 and are no longer actively maintained.
See the latest version (4.13).
Create and Manage Encryption Keys
You can create and manage keys that Cribl Stream will use for real-time encryption of fields and patterns within events. For details on applying the keys that you define here, see Encryption Keys.
Access Keys
- In a Single-instance deployment, select Settings > Security > Encryption Keys.
- In a Distributed deployment with one Worker Group, select Settings > Security > Encryption Keys.
- In a Distributed deployment with multiple Worker Groups, keys are managed per Worker Group. Select Manage > Groups > <group-name> Group Settings > Security > Encryption Keys.
On the resulting Manage Encryption Keys page, you can configure existing keys, and/or use the following options to add new keys.
Get Key Bundle
To import existing keys, click Get Key Bundle. You’ll be prompted to supply a login and password to proceed.
Add New Key
To define a new key, click New Key. The resulting New Key modal provides the following controls:
Key ID: Cribl Stream will automatically generate this unique identifier.
Description: Optionally, enter a description summarizing the purpose of the key.
Encryption algorithm: Currently, Cribl Stream supports the aes-256-cbc (default) and aes-256-gcm algorithms.
KMS for this key: Currently, the only option supported here is local (the Key Management Service built into Cribl Stream).
Key class: Classes are arbitrary collections of keys that you can map to different levels of access control. For details, see Key Classes. This value defaults to 0; you can assign more classes, as needed.
Expiration time: Optionally, assign the key an expiration date. Directly enter the date or select it from the date picker.
Use initialization vector: If enabled, Cribl Stream will seed encryption with a nonce to make the key more random and unique. Optional (and defaults to disabled) with the aes-256-cbc algorithm; automatically enabled (and cannot be disabled) with the aes-256-gcm algorithm.
Initialization vector size: Length of the initialization vector (IV), in bytes. This option is displayed only with the aes-256-gcm algorithm. Defaults to 12 bytes to optimize interoperability, but you can use the drop-down to set this anywhere between 12 and 16 bytes.
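What the Use initialization vector and Initialization vector size controls change can be seen with the Node.js built-in crypto module, which accepts the same cipher names. This is an added example, not Cribl Stream code. The all-zero IV used to model a CBC key without a per-encryption IV, the helper names, and the sample key and values are assumptions made for illustration.

```javascript
// Added example (not Cribl Stream code): Node's crypto module with the
// cipher names listed on this page. Key and IVs are constructed for the demo.
const crypto = require("node:crypto");

const KEY = crypto.randomBytes(32); // constructed 256-bit key

// Encrypt one field value; the auth tag exists only for the GCM algorithm.
function encryptField(algorithm, key, iv, plaintext) {
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = algorithm.endsWith("-gcm") ? cipher.getAuthTag() : null;
  return { iv, ct, tag };
}

// Decrypt; for GCM, final() throws if the ciphertext or tag was altered.
function decryptField(algorithm, key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv(algorithm, key, iv);
  if (tag) decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// CBC with a constant IV (assumed stand-in for "no IV"): output is deterministic.
function cbcFixedIvRepeats(value) {
  const fixedIv = Buffer.alloc(16, 0);
  const a = encryptField("aes-256-cbc", KEY, fixedIv, value);
  const b = encryptField("aes-256-cbc", KEY, fixedIv, value);
  return a.ct.equals(b.ct);
}

// CBC with a fresh random 16-byte IV: the same value encrypts differently.
function cbcRandomIvRepeats(value) {
  const a = encryptField("aes-256-cbc", KEY, crypto.randomBytes(16), value);
  const b = encryptField("aes-256-cbc", KEY, crypto.randomBytes(16), value);
  return a.ct.equals(b.ct);
}

// GCM with an IV of ivSize bytes (12 to 16): round-trips and rejects tampering.
function gcmDetectsTampering(value, ivSize = 12) {
  const enc = encryptField("aes-256-gcm", KEY, crypto.randomBytes(ivSize), value);
  const roundTrip = decryptField("aes-256-gcm", KEY, enc) === value;
  const tampered = { ...enc, ct: Buffer.from(enc.ct) };
  tampered.ct[0] ^= 0x01; // flip one bit of the stored ciphertext
  try {
    decryptField("aes-256-gcm", KEY, tampered);
    return false; // tampering went unnoticed
  } catch {
    return roundTrip; // authentication failed, as intended
  }
}
```

With a repeated IV, anyone who can read the encrypted events can tell which events carry the same field value, even without the key; aes-256-cbc on its own also provides no integrity check, which is what the aes-256-gcm authentication tag adds.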