Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Elasticsearch provides a
keystore and the
elasticsearch-keystore tool to manage the settings in the keystore.
All commands here should be run as the user which will run Elasticsearch.
Only some settings are designed to be read from the keystore. See documentation for each setting to see if it is supported as part of the keystore.
All the modifications to the keystore take affect only after restarting Elasticsearch.
The elasticsearch keystore currently only provides obfuscation. In the future, password protection will be added.
These settings, just like the regular ones in the
elasticsearch.yml config file,
need to be specified on each node in the cluster. Currently, all secure settings
are node-specific settings that must have the same value on every node.
Creating the keystoreedit
To create the
elasticsearch.keystore, use the
elasticsearch.keystore will be created alongside
Listing settings in the keystoreedit
A list of the settings in the keystore is available with the
Adding string settingsedit
Sensitive string settings, like authentication credentials for cloud
plugins, can be added using the
bin/elasticsearch-keystore add the.setting.name.to.set
The tool will prompt for the value of the setting. To pass the value
through stdin, use the
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
Adding file settingsedit
You can add sensitive files, like authentication key files for cloud plugins,
add-file command. Be sure to include your file path as an argument
after the setting name.
bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json
To remove a setting from the keystore, use the
bin/elasticsearch-keystore remove the.setting.name.to.remove