Cloaked Search is a transparent proxy for the Elasticsearch and OpenSearch services that protects sensitive data in the search service index and document store to protect it from hackers, curious administrators, and other threats.
You can decide which fields in a document are sensitive, and the proxy will apply cryptographic techniques to cloak any index terms generated from those fields. This protects the data in those fields from being extracted from the index. It also processes all queries and cloaks the search terms, so an eavesdropper can’t make guesses about the documents by watching the query traffic. The proxy also encrypts the full document. Put it all together, and Cloaked Search lets you do full text searches on encrypted data.
Cloaked Search’s API is the same as the underlying search service API, so all requests intended for the search service should flow through the proxy. The proxy will only modify requests that involve fields that have been configured for protection. For those fields, the data will be encrypted before being passed on to the search service.
Cloaked Search can be configured for a multi-tenant environment where separate keys are used for each tenant’s data. When combined with SaaS Shield, tenants may manage their own encryption keys to take control of their data. The multi-tenant feature also reduces the possibility of accidental information leakage and cross-tenant data pollution.
Cloaked Search works best on text fields like titles, abstracts, names, and addresses, but it does work on boolean and numeric fields as well; they are treated as strings. Other field types like dates cannot be encrypted at this time unless they are provided as strings (explicitly enclosed in quotes). Range and comparison matches on protected numeric and date fields (eg, values greater than x) will not work.
Cloaked Search supports a commonly used subset of the search service’s query string syntax. Queries can contain an arbitrary number of terms combined using
OR. Specific fields to be searched must be specified and can be annotated using
-field:termfor “must contain” and “must not contain” terms. A query can contain a mix of protected fields and standard fields.
For detailed documentation and lots of examples, see our Query String Support page.
The initial release of Cloaked Search provides the following key features:
- compatibility with both Elasticsearch and OpenSearch services
- SaaS Shield integration for managing per-tenant keys
- standalone key mode for single-tenant operation and self-contained testing
- fuzzy matching with a phonetic matcher
- substring matches for prefix and suffix wildcards
- phrase queries
- Improved results on large text fields by taking frequency and rough word position into account
- security configuration per-field and per-index
- support for other query APIs
We have a live demo that will let you play around with Cloaked Search queries to see how this all works in an interactive setting.
You can try out Cloaked Search in about 5 Minutes. All you need is a basic *nix installation and docker to run it locally.
If you'd like to dig into how to configure and deploy Cloaked Search to talk to an existing search service running in your development cluster, check out Configuring and Deploying Cloaked Search.
If you'd like to understand how Cloaked Search secures your data, check out What Is Encrypted Search.
You can see the changes in each version of Cloaked Search in its changelog.