We are proud to present Eliatra Cloud Tresor, a plugin enabling encryption at rest (EAR) for OpenSearch.
Eliatra Cloud Tresor encrypts all your OpenSearch data that resides on disk and is available today as a technology preview. Eliatra Cloud Tresor is the missing piece to regain complete control over your data of OpenSearch deployments, especially on public clouds. Eliatra Cloud Tresor can also be used in private clouds or on-premises installations to protect your data at rest.
The plugin ships with a command line tool called
earctl to initialize the plugin and manage the encryption keys.
and test it while it is hot and fresh.
How it Works
Eliatra Cloud Tresor is an OpenSearch plugin and can be installed as every other plugin. It works in all environments - whether you run OpenSearch on Docker, Kubernetes, EC2, or in your own data center. And the good news is - the plugin requires almost no configuration!
Once the plugin is installed and initialized, you can create
encrypted indices. All data which resides in an
encrypted index is stored encrypted on disk. No one without the correct decryption key can read or modify the data of
The decryption key is only held in memory on the cluster nodes and never stored on the disk of the server.
Your data deserves the highest level of protection, especially in the cloud.
Encrypted Snapshots (Backups)
In addition to the
encrypted indices feature, the plugin also provides the functionality to encrypt snapshots, which are typically used to back up your data. An
encrypted snapshot can contain encrypted and non-encrypted indices and is therefore independent of using
So, if you have only regular non-encrypted indices in your cluster, and you want to snapshot and store them safely and encrypted on S3 or NFS, then
encrypted snapshots are for you.
Preconditions and Limitations
There are only a few preconditions and limitations with
Realtime get actions are executed as non-realtime actions
There is a slight performance impact when indexing and searching in
The mapping must include a metadata field
_encrypted_tl_content of type
binary. This field will never appear in any search results, and you can otherwise completely ignore it
After a full cluster restart (shutting down all nodes at once), which happens rarely, the plugin must be initialized again before
encrypted indices can be accessed
Apart from the limitations mentioned above, an
encrypted index works like any other index and supports all queries and mappings.
Here is a comprehensive walkthrough detailing all the essential steps for creating and utilizing encrypted indices and encrypted snapshots:
Create a new cluster key pair on a client machine. This is typically done by a system administrator and is only necessary once per cluster. You can use tools like
openssl to generate the key pair, or simply use
$ earctl.sh create-cluster-keypair
Create a new RSA key pair with UUID <uuid>
Public key will be stored in public_cluster_key_<uuid>.pubkey
Public key config template will be stored in opensearch_yaml_<uuid>.yml
Secret key will be stored in secret_cluster_key_<uuid>.seckey
This key pair needs to be backed up in a safe location. If keys are lost, it is not possible to decrypt the data stored in
encrypted indices on this cluster.
Install the plugin on every node:
Add this configuration to opensearch.yml and restart the node:
eliatra.ear.public_cluster_key: <public key>
<public key> can be found in the
public_cluster_key_<uuid>.pubkey file. There is also a “copy and paste” ready variant in
Initialize the Plugin
This needs only be done once after installing the plugin, or after a full cluster restart. It is usually performed by a system administrator from a client machine:
$ earctl.sh -h osnode.company.com -p 9200 initialize-cluster --pk-file secret_cluster_key_<uuid>.seckey
Create an Encrypted Index
encrypted index is the same as creating any other index:
curl "https://osnode.company.com:9200/my_encrypted_index?pretty" -H 'Content-Type: application/json' -d'
This curl command creates an
encrypted index named
my_encrypted_index. There is nothing special about it except two settings and one mapping:
The index settings
encryption_enable: true and
store.type: encrypted defines this index as an
_encrypted_tl_content with type
binary is required and only used internally, as explained above.
After the index
my_encrypted_index was created, it can be used to index and search data like any other index, but its contents are never stored in plaintext on disk.
To list all your encrypted indices, use
earctl with the
$ earctl.sh -h osnode.company.com -p 9200 list-encrypted-indices
Create and Restore an Encrypted Snapshot
First, register the encrypted snapshot repository. This delegates to a previously registered repository like S3 and needs only be done once:
curl "https://osnode.company.com:9200/_snapshot/my_encrypted_s3_backup?pretty" -H 'Content-Type: application/json' -d '
You can now create or restore snapshots as usual, referencing the encrypted snapshot repository
Simplify With Index Templates
When you need to create a lot of encrypted indices, we recommend using an index template for that:
curl "https://osnode.company.com:9200/_index_template/encrypted_index_template?pretty" -H 'Content-Type: application/json' -d '
This will create indices whose name match encrypted or dashboards_sample as encrypted indices.
Try it out yourself: Download
If you are interested in using this feature in production please reach out to us