opensearch-project · cwillum · Jun 23, 2023 · Jun 28, 2023 · Jun 28, 2023 · Jun 29, 2023
@@ -243,6 +243,7 @@ The following plugins are bundled with all OpenSearch distributions except for m
 | Anomaly Detection | [opensearch-anomaly-detection](https://github.com/opensearch-project/anomaly-detection) | 1.0.0 |
 | Asynchronous Search | [opensearch-asynchronous-search](https://github.com/opensearch-project/asynchronous-search) | 1.0.0 |
 | Cross Cluster Replication | [opensearch-cross-cluster-replication](https://github.com/opensearch-project/cross-cluster-replication) | 1.1.0 |
+| Crypto | [opensearch-crypto](https://github.com/opensearch-project/) | 2.9.0 |
 | Notebooks<sup>1</sup> | [opensearch-notebooks](https://github.com/opensearch-project/dashboards-notebooks) | 1.0.0 to 1.1.0 |
 | Notifications | [notifications](https://github.com/opensearch-project/notifications) | 2.0.0
 | Reports Scheduler | [opensearch-reports-scheduler](https://github.com/opensearch-project/dashboards-reports) | 1.0.0 |

@@ -7,4 +7,4 @@ has_children: false
 
 # Grafana support
 
-Grafana has a data source plugin that lets you explore and visualize your OpenSearch data. For information on getting started with the plugin, see the [Grafana overview page](https://grafana.com/grafana/plugins/grafana-opensearch-datasource/).
+Grafana has a data source plugin that lets you explore and visualize your OpenSearch data. For information about getting started with the plugin, see the [Grafana overview page](https://grafana.com/grafana/plugins/grafana-opensearch-datasource/).
@@ -0,0 +1,101 @@
+---
+layout: default
+title: Crypto plugin
+nav_order: 65
+parent: Availability and recovery
+has_children: false
+---
+
+
+# Crypto plugin
+
+The Crypto plugin provides client side encryption and decryption for OpenSearch. This allows for the encryption of data transferred between OpenSearch and a remote storage service, which supports features such as [Remote-backed storage]({{site.url}}{{site.baseurl}}/tuning-your-cluster/availability-and-recovery/remote-store/index/) and backup of [Snapshots]({{site.url}}{{site.baseurl}}/tuning-your-cluster/availability-and-recovery/snapshots/index/). However, the plugin is not limited to this type of application alone and can be used for local encryption as well.
+
+Using the plugin to encrypt data requires cypher keys and a key provider service to generate them. The plugin is extensible and therefore supports any number of key providers and their key management services (KMS).
+
+
+## Terms
+
+The following table includes terms that are relevant to the Crypto plugin and its process.
+
+| Term | Definition |
+| :--- | :--- |
+| Data key | A cipher or cryptographic key generated by a key provider. The data key is used to encrypt or decrypt the data itself, while a second type of key (for example, a master key) is typically used to encrypt or decrypt the data key. Together they form a key pair. |
+| Key provider | The service that generates and rotates the cipher keys. |
+| Key Management Service | The services offered by the key provider. Abbreviated as KMS. |
+| Repository | The storage where the encrypted data is kept. |
+| Remote storage service | The service that houses the repository for data storage. |
+
+
+## High-level process for encryption
+
+The Crypto plugin is responsible for encrypting and decrypting data moving to and from OpenSearch. It relies on a key provider to generate the key pairs and rotate them at regular intervals. This section provides a high-level overview of the basic encryption process using the [Remote-backed storage]({{site.url}}{{site.baseurl}}/tuning-your-cluster/availability-and-recovery/remote-store/index/) feature as an example.
+
+1. Upon launch of OpenSearch, the Crypto plugin is loaded and, in turn, loads available extensions for however many key providers are to be used.
+1. The user registers the repository that will be used to contain encrypted data. Registration of the repository involves sending a request that includes an encryption configuration. The configuration provides a method to specify settings for both the remote storage service and the key provider. For more information about the configuration, see [Registering a repository](#registering-a-repository).
+
+   Once a repository is registered, the settings in the configuration cannot be changed without potentially corrupting the data uploaded from or downloaded to the repository. This includes the setting for specifying whether the repository is encrypted or un-enctrypted. 
+   {: .important }
+
+1. Based on the configuration, the plugin registers the key providers, which begins the process of generating and rotating key pairs at regular intervals. These new key pairs are cached in the Crypto plugin.
+1. The user sends a request to [create an index]({{site.url}}{{site.baseurl}}/api-reference/index-apis/create-index/) for the data. Transfer of data happens in the background.
+1. The Crypto plugin uses the cached key pairs to encrypt the data.
+1. The encrypted data is then uploaded to the configured repository by Remote-backed storage.
+
+
+## Installing the Crypto plugin
+
+Like all plugins, you can use the command line tool `opensearch-plugin` to install the Crypto plugin. For information about managing plugins, including installation, see [Installing plugins]({{site.url}}{{site.baseurl}}/install-and-configure/plugins/).
+
+
+## Registering a repository
+
+Registering a repository for encryption involves sending a request that includes settings for both the remote storage service and the key provider. This allows the Crypto plugin to interact with those services so that it can properly cache the keys it needs for encryption and decryption and then encrypt the data being transferred to and from the repository. For more information about registering a repository for Remote-backed storage, see [Register a remote repository](/tuning-your-cluster/availability-and-recovery/remote-store/index/#register-a-remote-repository). For more information about registering a repository for snapshots, see [Registering or updating a snapshot repository](/api-reference/snapshots/create-repository/).
+
+### Request fields
+
+The following table presents the fields for the request that are essential to registering the repository for the Crypto plugin. Additional settings that are specific to the remote storage service and the key provider are also required. These additional settings will vary based on the information provided by the services.
+
+| Field | Type | Description |
+| :--- | :--- |:--- |
+| `type` | String | The storage service used to store the data. |
+| `settings` | Object | These settings are provided by the storage service hosting the data. Required. |
+| `encrypted` | Boolean | Determines whether the repository is encrypted or not. Set to `true` to encrypt the repository. |
+| `crypto_settings.key_provider_name` | String | Identifies the key provider. |
+| `crypto_settings.key_provider_type` | String | The type of extension installed for the key provider. |
+| `crypto_settings.settings` | Object | These settings are provided by the key provider. Required. |
+
+
+
+#### Example request
+
+The example request that follows shows the remote storage provider for snapshot registration as S3. It includes associated settings for S3 along with the key provider settings. The repository is configured to be encrypted.
+
+```json
+PUT _snapshot/repository1-rss1
+{
+  "type": "s3",
+  "settings": {
+    "bucket": "example-repository1",
+    "region": "us-west-2"
+  },    
+  "encrypted": true,
+  "crypto_settings": {
+      "key_provider_name": "Example KMS",
+      "key_provider_type": "example-key-provider-extension",
+      "settings": {
+          "key-1": "example value"
+      }
+  }
+}
+```
+{% include copy-curl.html %}
+
+#### Example response
+
+```json
+{
+    "acknowledged": true
+}
+```
+