Encryption in Loki


Is there a way that Loki encrypts chunk files, or is it planned?



I’m not aware that it can. However, feel free to propose it in our issues.

EDIT: You could use the encryption of your bucket storage provider. Would this suffice?

Bucket-level encryption doesn’t allow for privacy between log streams. If you don’t want all your log data to be one flat security domain, you probably want key separation as a basis for privacy between streams. Access to the bucket shouldn’t be equivalent to access to all log data, and having distinct keys for each privacy domain in your logs accomplishes this, as permission to access the relevant key hierarchies is what then allows data access. If someone accidentally gets access to your entire bucket, they will be unable to read anything.
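
The key separation described in the last reply, sketched as an added example; it is not code from this thread and not a Loki feature. The names `domainAEAD`, `sealChunk` and `openChunk`, the domain labels and the root key are hypothetical, and HMAC-SHA256 stands in for a KMS-managed key hierarchy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// domainAEAD derives a 256-bit key for one privacy domain from the root key
// (assumption: HMAC-SHA256 as the KDF) and returns AES-256-GCM keyed with it.
func domainAEAD(root []byte, domain string) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, root)
	m.Write([]byte("chunk-key:" + domain))
	block, err := aes.NewCipher(m.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealChunk returns nonce || ciphertext+tag, with the domain as associated data.
func sealChunk(a cipher.AEAD, domain string, chunk []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, chunk, []byte(domain)), nil
}

// openChunk fails authentication under another domain's key or label.
func openChunk(a cipher.AEAD, domain string, blob []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return a.Open(nil, blob[:n], blob[n:], []byte(domain))
}

func main() {
	root := []byte("constructed demo root key") // constructed sample value
	a, _ := domainAEAD(root, "team-a")
	b, _ := domainAEAD(root, "team-b")
	blob, _ := sealChunk(a, "team-a", []byte("constructed log line"))
	_, err := openChunk(b, "team-a", blob) // a reader holding only team-b's key
	fmt.Println("team-b key on team-a chunk:", err)
}
```

The bucket only ever stores the sealed blobs, so read access to the bucket without the matching domain key yields ciphertext only.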