Cloaked Search is a transparent proxy for the Elasticsearch and OpenSearch services that protects sensitive data in the search service index and document store to protect it from hackers, curious administrators, and other threats.
You can decide which fields in a document are sensitive, and the proxy will apply cryptographic techniques to cloak any index terms generated from those fields. This protects the data in those fields from being extracted from the index. It also processes all queries and cloaks the search terms, so an eavesdropper can’t make guesses about the documents by watching the query traffic. The proxy also encrypts the full document. Put it all together, and Cloaked Search lets you do full text searches on encrypted data.
Cloaked Search’s API is the same as the underlying search service API, so all requests intended for the search service should flow through the proxy. The proxy will only modify requests that involve fields that have been configured for protection. For those fields, the data will be encrypted before being passed on to the search service.
Cloaked Search can be configured for a multi-tenant environment where separate keys are used for each tenant’s data. When combined with SaaS Shield, tenants may manage their own encryption keys to take control of their data. The multi-tenant feature also reduces the possibility of accidental information leakage and cross-tenant data pollution.
Cloaked Search works best on text fields like titles, abstracts, names, and addresses. Other field types, like numbers and dates, cannot be encrypted at this time unless they are treated as strings. If encrypted, range matches (eg, values greater than x) will not work.
Cloaked Search supports a commonly used subset of the search service’s query string syntax. Queries can contain an arbitrary number of terms combined using
OR. Specific fields to be searched must be specified and can be annotated using
-field:termfor “must contain” and “must not contain” terms. A query can contain a mix of protected fields and standard fields.
The preview release of Cloaked Search allows you to try it out with a single master key. Per-tenant keys are derived from that key. Features coming soon and expected before the initial release:
- SaaS Shield integration;
- improved results on large text fields by taking frequency and rough word position into account;
- broadened query support as we learn more about usage through the preview;
- fuzzy matching with a phonetic matcher;
- substring matches for prefix and suffix wildcards;
- security configuration tuning per-field and per-index;
- phrase queries;
- and support for other query APIs.
In the meantime, you should be able to test locally using large datasets and multiple tenants. You can configure encryption for just certain fields, make queries using the simple query string JSON format, and pass through non-index/query requests.
You can try out Cloaked Search in about 5 Minutes. All you need is a basic *nix installation and docker to run it locally.
If you'd like to dig into how to configure and deploy Cloaked Search to talk to an existing search service running in your development cluster, check out Configuring and Deploying Cloaked Search.
If you'd like to understand how Cloaked Search secures your data, check out What Is Encrypted Search.
You can see the changes in each version of Cloaked Search in its changelog.