Search-result PII redaction for OpenSearch and Elasticsearch

Search Redact

Q: What can Search Redact detect and redact?

Detection comes from Phileas : pattern matching with validators for structured identifiers like Social Security numbers, credit cards, and email addresses, plus NLP models for names and other entities. You control what is detected and how it is replaced with a policy. Detection is probabilistic and designed to reduce exposure rather than catch every instance, so you are responsible for validating the output against your own data.

Search Redact is an open source plugin for OpenSearch and Elasticsearch that redacts PII and PHI from search results at query time, before they reach the user. It runs inside your cluster and uses the Phileas engine for detection, so the same policies you redact with everywhere else apply to search.

OpenSearch Elasticsearch

Add an ext block to your query. Get redacted results back.

curl -s http://localhost:9200/sample_index/_search \
  -H "Content-Type: application/json" -d '
{
  "ext": {
    "search-redact": {
      "field": "description",
      "policy": "{\"identifiers\":{\"emailAddress\":{\"emailAddressFilterStrategies\":[{\"strategy\":\"REDACT\"}]}}}"
    }
  },
  "query": { "match_all": {} }
}'

Pass a Phileas policy and the field (or comma-separated fields) to redact in the request's ext.search-redact block. The matching documents come back with those fields redacted. The plugin is configured per query, so different callers can apply different policies against the same index.

OpenSearch on GitHub →Elasticsearch on GitHub →

Why Search Redact

Redaction at query time

Sensitive fields are redacted as results are returned, so PII and PHI do not have to leave the cluster in the clear. The stored documents are untouched; redaction is applied to the response.

Built on Phileas

Detection is the open source Phileas engine: pattern matching for structured identifiers and NLP models for names and other entities. The same policies you use elsewhere apply to search.

Open source and self-hosted

Apache-2.0 licensed and runs entirely inside your own cluster. No data leaves your environment for redaction, which keeps your compliance boundary intact.

Available for OpenSearch and Elasticsearch

The same plugin, built for each platform. Both are Apache-2.0 licensed and built on Phileas.

OpenSearch

Install the plugin in your OpenSearch cluster to redact sensitive fields from search results. See the OpenSearch walkthrough.

View on GitHub →

Elasticsearch

The Elasticsearch build of the same plugin, with the same query-time redaction. See the Elasticsearch walkthrough.

View on GitHub →

Frequently asked questions

If something here isn’t covered, get in touch and we’ll answer.

What is Search Redact?

Search Redact is an open source plugin for OpenSearch and Elasticsearch that redacts PII and PHI from search results at query time. It runs inside your cluster and uses the Phileas engine for detection, so the fields you choose come back redacted before results reach the user.

Does Search Redact change my indexed documents?

No. Redaction is applied to the search response, not to the stored documents. Your index is left untouched; the plugin redacts the configured fields on the way out.

What can Search Redact detect and redact?

Detection comes from Phileas: pattern matching with validators for structured identifiers like Social Security numbers, credit cards, and email addresses, plus NLP models for names and other entities. You control what is detected and how it is replaced with a policy. Detection is probabilistic and designed to reduce exposure rather than catch every instance, so you are responsible for validating the output against your own data.

How is Search Redact configured?

The policy and the field (or comma-separated list of fields) to redact are part of the search request, in an ext.search-redact block. Different applications or roles can apply different policies to the same index without reindexing.

How is Search Redact different from Phinder and Philter?

Phinder finds where sensitive data lives at rest, Philter is the self-hosted redaction API and engine, and Search Redact redacts data on its way out of a search cluster. All three read the same Phileas policies, so detection stays consistent across them.

Is Search Redact open source?

Yes. Both the OpenSearch and Elasticsearch plugins are open source under the Apache License, version 2, on GitHub (OpenSearch and Elasticsearch). Run them inside your own cluster with no per-seat fees and no vendor lock-in.

Add Search Redact to your cluster

Install the plugin for OpenSearch or Elasticsearch to redact PII and PHI from your search results, or talk to us about your search privacy requirements.