Hi, I was thinking in writting an extension to encrypt portions of the information but I’m not exactly sure what’s the best approach. The idea was to encrypt certain columns of certain tables, so I thought when the queries run in the hosts and the information is sent, maybe a custom logger could be the best. Other idea was to create a custom table just to encrypt input information (select ciphertext from encrypter where cleartext=abc and key=def). If anyone know about existing projects or articles about osquery + protecting sensitive information, please share. thanks

You have concerns about the data being readable while in your logging pipeline?

the way folks have solved this kind of issue is by restricting access to log data on the server, and specifying ACLs for who has visibility into specific log buckets

well, the concerns were more on the lack of role/permissions to access this information (if doing live queries) and how to store it more safely (for the scheduled/pack scenario). We can always encrypt the osquery results log file and add some more controls from there before it leaves fleet server

Authorization around live queries is something I've looked at adding into Fleet (get in touch if you are interested in sponsoring this work). For the log file, I'd think you are best off controlling the access to the Fleet server and logging pipeline, but it could probably be possible to encrypt fields in the logs using Logstash or some other tooling before shipping it off.

thanks for the feedback 👍