Cloaked Search

Secure Elasticsearch and OpenSearch with drop-in, multi-tenant, searchable encryption.
Cloaked Search by IronCore Labs is an encryption proxy with multi-tenant virtual isolation that allows you to seamlessly encrypt and search on encrypted data held in Elasticsearch and OpenSearch.
  1. Many companies choose not to use Elasticsearch for sensitive customer data, such as social security numbers or other PII, since encrypted search hasn’t been an option until now.
  2. If multiple customers have data stored in the same index, a programming error or exploit could return data to an unauthorized person.
  3. Index terms extracted from your documents are stored in Elasticsearch in plaintext. Curious admins or hackers can assemble a lot of information about each document even if you don’t store the whole document in Elasticsearch.


  1. A customer performs a search for a social security number, which you’ve pre-configured as a protected field.
  2. The search query is sent with the customer’s ID to the Cloaked Search Proxy.
  3. Cloaked Search fetches the encryption key for the current customer, cryptographically secures the SSN with it, and sends the protected query to Elasticsearch.
  4. Elasticsearch finds all results with SSNs that match the protected search query and returns their associated encrypted documents to Cloaked Search.
  5. Cloaked Search uses the per-customer key to decrypt the data and returns the search results to the customer with low latency.

1. Protect

Secure sensitive customer PII in Elasticsearch without compromising on privacy or data security.

2. Comply

Encryption means customer PII remains safely locked away so you can comply with GDPR, CCPA, and more.

3. Drop-in

No need to reinvent the wheel or rewrite your code. Keep existing code and infrastructure.



Sign up to get updates on Cloaked Search and insights on securing Elasticsearch.



Trust Center

Find Us