Explorer
Posts: 9
Registered: ‎02-19-2019

Elasticsearch Encryption

Hello,

We are trying to encrypt Elasticsearch nodes with SafeNet ProtectFile encryption (data at rest), which is file-level encryption.

The Elasticsearch directory is under /data/disk0/elasticsearch; it has the PII data.

We are using CDH 5.14 with HBase, HDFS, Spark2, etc.

My questions are:

1. Does this Elasticsearch directory need to be mapped to the Elasticsearch user account to be able to decrypt the Elasticsearch directory?

2. Which users or services (HDFS, HBase, Spark2) in Cloudera should be allowed to decrypt data in the Elasticsearch directory?

Cloudera Employee
Posts: 266
Registered: ‎01-09-2014

Re: Elasticsearch Encryption

Unfortunately, we don't support either SafeNet or Elasticsearch. The recommendation would be to run Elasticsearch on nodes that are separate from the CDH cluster, and then you can configure SafeNet without any concern from other service users. Since Elasticsearch provides all interaction through its API, other service users shouldn't need any access to decrypt the data that Elasticsearch is using. Alternatively, you could use Cloudera Navigator Encrypt [1] to encrypt the data at rest and Solr as your search engine, which is fully integrated into CDH.

-pd

1. https://www.cloudera.com/documentation/enterprise/latest/topics/sg_navigator_encrypt.html#concept_na...
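
A complementary check, added here as an example and not part of the original thread: since the reply says only Elasticsearch itself needs to read its data, this lists entries under a data directory that other local accounts could reach through ordinary ownership or mode bits. The sample tree is constructed; on a real node you would pass /data/disk0/elasticsearch and the uid of the account Elasticsearch runs as (assumed to be a dedicated account).

```python
import os
import stat
import tempfile


def audit_data_dir(root, owner_uid):
    """List (path, reason) pairs for entries under root that accounts other
    than owner_uid can reach through POSIX ownership or mode bits."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: never follow a symlink out of the tree
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning
        if st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IRWXG:
            findings.append((path, "group access"))
        if st.st_mode & stat.S_IRWXO:
            findings.append((path, "world access"))
    return findings


def build_sample_tree():
    """Constructed sample standing in for /data/disk0/elasticsearch."""
    root = tempfile.mkdtemp(prefix="es-data-")
    os.chmod(root, 0o700)
    nodes = os.path.join(root, "nodes")
    os.mkdir(nodes)
    os.chmod(nodes, 0o700)
    tight = os.path.join(nodes, "segments_1")
    loose = os.path.join(nodes, "exported.json")
    for path, mode in ((tight, 0o600), (loose, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    return root, loose


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for found_path, reason in audit_data_dir(sample_root, os.getuid()):
        print(reason, found_path)
```

An empty result means only the owning account can reach the files at the filesystem level, which matches an encryption policy that grants decryption to that account alone.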