Use the decrypt command to decrypt data in the Edge Processor solution
The Edge Processor solution allows you to send encrypted data through your pipelines, and decrypt it before it reaches its destination. That way, you do not have to decrypt your data before processing it in Edge Processor pipelines. To decrypt your data, apply the decrypt command to your pipelines.
The decrypt command is an SPL2 command that requires a private key, which must be stored in a lookup table. The decrypt command has four required fields: the field to decrypt, the name of the lookup table that your private key is stored under, the specific lookup field name within your lookup table where your private key is stored, and the name of the field where the decrypted value will be outputted.
The Edge Processor itself does not encrypt data, so your data must already be encrypted before it enters the pipeline.
Prerequisites
- The data must already be encrypted using the RSA algorithm and PKCS#1 v1.5 padding.
- The private key must be stored in a lookup table. If an invalid private key is used, the decrypt command will return a placeholder NIL string. For more information on using lookups for the Edge Processor solution, see Enrich Data with Lookups using an Edge Processor. One column in the lookup table must have the exact title private_key. See the following example of a lookup table CSV file:
  private_key, device_id
  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO0wIiso9DBXCIR82prtAf+TnN1aKvZ7oC7rSpaJSIoAI2ijmJh/q+5fhn7Ku7ktBXvM5fw+UcknVBJJewz9MVb3OzvL2DFUydq7dpU+1hEWkNH6skSFVX, 3F2504E0
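A preflight check for the lookup file described above, as an added example that is not Splunk code. It assumes the private_key value is bare base64 of a PKCS#8 DER structure (which is what the sample value's leading characters decode to) and checks structure only; the function names and the constructed_key helper are hypothetical.

```python
import base64
import binascii
import csv
import io

# DER TLV for the rsaEncryption OID 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")
# PKCS#8 PrivateKeyInfo body prefix: version 0, AlgorithmIdentifier(rsaEncryption, NULL)
PKCS8_RSA_PREFIX = b"\x02\x01\x00\x30\x0d" + RSA_OID + b"\x05\x00"

def check_key(value):
    """Return None if value is shaped like an RSA PKCS#8 key, else a reason string."""
    if "-----BEGIN" in value:
        return "PEM armor present; expected bare base64"  # assumption, see lead-in
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    if len(der) < 4 or der[0] != 0x30:
        return "not a DER SEQUENCE"
    if der[1] < 0x80:                      # short-form length
        hdr, declared = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        hdr, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if len(der) != hdr + declared:         # catches keys cut short by copy and paste
        return f"length mismatch: DER declares {declared} bytes, found {len(der) - hdr}"
    if not der[hdr:].startswith(PKCS8_RSA_PREFIX):
        return "not an RSA PKCS#8 PrivateKeyInfo"
    return None

def check_lookup(csv_text):
    """Return a list of problems in a lookup CSV; an empty list means it passed."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    if "private_key" not in (reader.fieldnames or []):
        return ["no column titled exactly 'private_key'"]
    problems = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        reason = check_key((row["private_key"] or "").strip())
        if reason:
            problems.append(f"line {line_no}: {reason}")
    return problems

def constructed_key(body_len=64, drop=0):
    """Constructed sample: correct framing, zero-filled body, NOT a usable key."""
    body = PKCS8_RSA_PREFIX + b"\x04" + bytes([body_len]) + bytes(body_len)
    der = b"\x30" + bytes([len(body)]) + body
    return base64.b64encode(der[:len(der) - drop]).decode()
```

Passing this check does not prove that the key matches the data; it only rules out the formatting errors that would otherwise surface as NIL values in the pipeline output.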
Use the decrypt command
To create a pipeline that decrypts your data, see the following steps:
- Navigate to the Pipelines page and then select New pipeline, then Edge Processor pipeline.
- On the Get started page, select Blank pipeline and then Next.
- On the Define your pipeline's partition page, do the following:
  - Select how you want to partition your incoming data that you want to send to your pipeline. You can partition by source type, source, and host.
  - Enter the conditions for your partition, including the operator and the value. Your pipeline will receive and process the incoming data that meets these conditions.
  - Select Next to confirm the pipeline partition.
- On the Add sample data page, do the following:
  - Enter or upload sample data for generating previews that show how your pipeline processes data.
  - Select Next to confirm the sample data that you want to use for your pipeline.
- Select the name of the destination that you want to send data to.
- (Optional) If you selected a Splunk platform S2S or Splunk platform HEC destination, you can configure index routing:
  - Select one of the following options in the expanded destinations panel:
    | Option | Description |
    | Default | The pipeline does not route events to a specific index. If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk platform deployment. |
    | Specify index for events with no index | The pipeline only routes events to your specified index if the event metadata did not already specify an index. |
    | Specify index for all events | The pipeline routes all events to your specified index. |
  - If you selected Specify index for events with no index or Specify index for all events, then in the Index name field, select or enter the name of the index that you want to send your data to.
  Note: Be aware that the destination index is determined by a precedence order of configurations. See How does an Edge Processor know which index to send data to? for more information.
- Select Done to confirm the data destination.
- In the SPL2 editor, select the plus icon in the Actions menu and select Decrypt field using lookup.
- In the menu, provide the name of the Lookup table that your private key is stored under, the name of the specific Lookup match field, the Field to decrypt and the Decrypted output field where you will store your output.
- Select Apply to add the command to your SPL2 pipeline statement.
- To save your pipeline, do the following:
  - Select Save pipeline.
  - In the Name field, enter a name for your pipeline.
  - (Optional) In the Description field, enter a description for your pipeline.
  - Select Save.
  The pipeline is now listed on the Pipelines page, and you can apply it to Edge Processors as needed.
- To apply this pipeline to an Edge Processor, do the following:
  - Navigate to the Pipelines page.
  - In the row that lists your pipeline, select the Actions icon and then select Apply/Remove.
  - Select the Edge Processors that you want to apply the pipeline to, and then select Save.
  Note: You can only apply pipelines to Edge Processors that are in the Healthy status.
  It can take a few minutes for the Edge Processor service to finish applying your pipeline to an Edge Processor. During this time, the affected Edge Processors enter the Pending status. To confirm that the process completed successfully, do the following:
  - Navigate to the Edge Processors page. Then, verify that the Instance health column for the affected Edge Processors shows that all instances are back in the Healthy status.
  - Navigate to the Pipelines page. Then, verify that the Applied column for the pipeline contains a "The pipeline is applied" icon.
The Edge Processor that you applied the pipeline to can now decrypt the data that it receives according to the private key in the lookup that you entered. For information on how to confirm that your data is being processed and routed as expected, see Verify your Edge Processor and pipeline configurations.
Example: Use the decrypt command to decrypt data
| {"device_id": "3F2504E0", "device_type": "router", "serial_number": "U2FsdGVkX1+9K2pQ7c3gX0yH4mN5v6wR1aB8zLpDqFjEwXcVxYtZsGhIuO0P1r2sY"} |
cproc-decrypt.csv (or KV Store equivalent)
private_key, device_id
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO0wIiso9DBXCIR82prtAf+TnN1aKvZ7oC7rSpaJSIoAI2ijmJh/q+5fhn7Ku7ktBXvM5fw+UcknVBJJewz9MVb3OzvL2DFUydq7dpU+1hEWkNH6skSFVX, 3F2504E0
| decrypt encrypted_payload='serial_number' keystore='cproc-decrypt.csv' key_config='device_id' decrypted_output_field='decrypted_field_output' |
- encrypted_payload is the encrypted data field to be decrypted
- keystore is the lookup table name that contains the private key to decrypt the encrypted field
- key_config is the specific lookup field name within your lookup table where your private key is stored
- decrypted_output_field is the name of the field where the decrypted value will be stored