The Splunk® Support Add-On Cryptosuite is the successor to the deprecated Support Add-On for Hypercrypto (https://github.com/my2ndhead/SA-hypercrypto).
It implements and extends the custom search commands crypt and hash for encrypting/decrypting and hashing fields and events at search time.
Cross-compatible with Python 2 and 3. Tested on Splunk Enterprise 184.108.40.206.
Licensed under http://creativecommons.org/licenses/by-nc-sa/4.0/.
In order for the add-on to be fully usable you'll need to create and upload cryptographic keys. Here's how. You can also find some examples and tips in the examples/ directory.
Example RSA key pair creation with currently supported parameters using OpenSSL:
openssl genrsa [-aes256|-des|-des3 -passout pass:password] -out private.pem \<2048|4096>
openssl rsa -in private.pem -outform PEM -RSAPublicKey_out -out public.pem
Note that using 1024 bit keys is considered unsafe and therefore not supported by the app.
Important Note: Use of encrypted private RSA keys is not yet supported!
Example "key file" creation for AES:
Put your key and IV in UTF-8 into a plain ASCII file. Key has to go on line 1 and IV on line 2.
The IV's length has to be 16 bytes/characters. The key's length has to be 16/24/32 bytes/characters respectively for 128/192/256 AES encryption. For security purposes 256 bit keys are recommended unless performance is important.
Name: Enter the name you would like the your key to be accessible through. E.g. the original key file's name.
Type of Data: Select "New key".
Key/Salt: Copy-paste the contents of your generated key file here. Your key will be stored encrypted in passwords.conf.
RSA key encryption password: Important Note: Use of encrypted private RSA keys is not yet supported! Only required if you are currently configuring an encrypted private RSA key. Supportd key encryption algorithms are AES-256-CBC, DES-CBC and DES-EDE3-CBC.
Authorized roles: Select which roles you want to grant permissions to use the key. Will be ORed with authorized users. Users/roles will also require the "can_encrypt" and/or "can_decrypt" role in order to use the crypt command in the first place.
Authorized users: Select which users you want to grant permissions to use the key. Will be ORed with authorized roles. Users/roles will also require the "can_encrypt" and/or "can_decrypt" role in order to use the crypt command in the first place.
Note: For a RSA key pair, you'll have to do this twice. Once for the private key and once for the public key.
If you plan on salting your hashes, create and store upload salts like so:
Name: Enter the name you would like the your salt to be accessible through.
Type of Data: Select "New salt".
Key/Salt: Enter or copy-paste your salt here. It will be stored encrypted in passwords.conf.
RSA key encryption password: Leave empty.
Authorized roles: Select which roles you want to grant permissions to use the salt. Will be ORed with authorized users.
Authorized users: Select which users you want to grant permissions to use the salt. Will be ORed with authorized roles.
Note: Handling keys and salts this way is a security feature, since specifing the key/salt directly in a Splunk search directly would make them visible in the _internal index.
crypt mode=<d|e> algorithm=<rsa|aes-cbc|aes-ofb> key=<key_name> \<field-list>
mode: Mandatory. Set to e to encrypt, set to d to decrypt the given field list using the provided key.
algorithm: Mandatory. Set to the cryptographic algorithm you would like to use for encryption/decryption.
key: Mandatory. Set to the name of a key you (or your admin) configured previously.
hash algorithm=<md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512|blake2b|blake2s> [salt=\<salt_name>] \<field-list>
algorithm: Mandatory. Set to the hashing algorithm you would like to use. SHA3 and Blake2 are only available when using Python 3.
saltfile: Optional. Set to the name of a key you (or your admin) configured previously.
Encrypt the values of the plaintext fields "subject" and "content" of sourcetype "mail" using rsa and the key "public.pem".
search sourcetype="mail" | crypt mode=e algorithm=rsa key=public.pem subject content
Encrypt raw events of sourcetype "mail" using AES-256-CBC and collect the results in a summary index.
search sourcetype="mail" | crypt mode=e algorithm=aes-cbc key=secret.txt _raw | collect index=summary
Decrypt the content of the already RSA encrypted and summary-indexed field "username" for output in plain text using RSA. The key file "private.pem" is encrypted with AES-256-CBC, so the correspondig password has to be set via the app's set up screen prior to using the key.
search index=summary sourcetype="server::access" | crypt mode=d algorithm=rsa key=private.pem username | table _time action username
Hash a raw event containing some malware threat artifact using sha256.
search index=threat_intel source=sample.txt | hash algorithm=sha256 _raw
The keys and salts you upload are stored encrypted in passwords.conf. However to quote a Splunk blog post: "[...] Since the encrypted data and the encryption key are stored on the same machine, cryptographically this is equivalent to obfuscation. While some people might argue that this is very weak encryption, it is the best we can do with storing the encrypted data and encryption key on the same machine and it is definitely better than clear text passwords [...]".
The used libraries (see Attribution) have been chosen due to their compatibility with multiple Python versions and OSes. They might not be the best implementations of the respective algorithms and are certainly not the fastest, but more popular implementations posed compatibility challenges due to relying on platform-specific compiled c modules.
I chose AES-CBC and AES-OFB as the only available modes as they offer the best balance between performance and security for the purposes of this add-on.
It is not recommended to use MD5 or SHA1 (on passwords) since these hashing algorithms are not seen as safe anymore.
Added licenses to used Python modules and gave credit
Removed keyencryption parameter from crypt command and replaced by automatic detection
AES-CBC and AES-OFB are now the only parameter values and modes for AES encryption/decryption
Ensured Splunk 8 and Python 2/3 cross-compatilibity for hash command
See https://github.com/my2ndhead/SA-hypercrypto for previous, deprecated versions.
The add-on relies on the Splunk Add-On builder, developed by Splunk and licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.
The crypt command uses a slightly modified version of Sybren A. Stuevel's (https://stuvel.eu/) pure-Python RSA implementation  which is licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0. This module itself relies on Ilya Etingof's pyasn1 Python module [2.2] which is licensed under BSD 2-Clause.
Changes include the PKCS#1 v2 (OAEP) support suggested and implemented by Inada Naoki (https://twitter.com/methane) [2.3] which is licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0. as well.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. 
This roughly translates to
As this paragraph is not a substitute for the license, please reffer to References for completeness and correctness.
Feel free to contact me should you plan to use the add-on outside these terms.
Implemented fix for distributed environments.
Major overhaul of the long deprecated SA-hypercrypto. Cross-compatible with Python 2 & 3 and Splunk 8.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.