elasticsearch-keystoreedit

The elasticsearch-keystore command manages secure settings in the Elasticsearch keystore.

Synopsisedit

bin/elasticsearch-keystore
([add <setting>] [-f] [--stdin] |
[add-file <setting> <path>] | [create] [-p] |
[list] | [passwd] | [remove <setting>] | [upgrade])
[-h, --help] ([-s, --silent] | [-v, --verbose])

Descriptionedit

This command should be run as the user that will run Elasticsearch.

Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node.

When the keystore is password-protected, you must supply the password each time Elasticsearch starts.

Modifications to the keystore do not take effect until you restart Elasticsearch.

Only some settings are designed to be read from the keystore. However, there is no validation to block unsupported settings from the keystore and they can cause Elasticsearch to fail to start. To see whether a setting is supported in the keystore, see the setting reference.

Parametersedit

add <setting>
Adds settings to the keystore. By default, you are prompted for the value of the setting. If the keystore is password protected, you are also prompted to enter the password. If the setting already exists in the keystore, you must confirm that you want to overwrite the current value. If the keystore does not exist, you must confirm that you want to create a keystore. To avoid these two confirmation prompts, use the -f parameter.
add-file <setting> <path>
Adds a file to the keystore.
create
Creates the keystore.
-f
When used with the add parameter, the command no longer prompts you before overwriting existing entries in the keystore. Also, if you haven’t created a keystore yet, it creates a keystore that is obfuscated but not password protected.
-h, --help
Returns all of the command parameters.
list
Lists the settings in the keystore. If the keystore is password protected, you are prompted to enter the password.
-p
When used with the create parameter, the command prompts you to enter a keystore password. If you don’t specify the -p flag or if you enter an empty password, the keystore is obfuscated but not password protected.
passwd
Changes or sets the keystore password. If the keystore is password protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password.
remove <setting>
Removes a setting from the keystore.
-s, --silent
Shows minimal output.
--stdin
When used with the add parameter, you can pass the setting value through standard input (stdin). See Add settings to the keystore.
upgrade
Upgrades the internal format of the keystore.
-v, --verbose
Shows verbose output.

Examplesedit

Create the keystoreedit

To create the elasticsearch.keystore, use the create command:

bin/elasticsearch-keystore create -p

You are prompted to enter the keystore password. A password-protected elasticsearch.keystore file is created alongside the elasticsearch.yml file.

Change the password of the keystoreedit

To change the password of the elasticsearch.keystore, use the passwd command:

bin/elasticsearch-keystore passwd

If the Elasticsearch keystore is password protected, you are prompted to enter the current password and then enter the new one. If it is not password protected, you are prompted to set a password.

List settings in the keystoreedit

To list the settings in the keystore, use the list command.

bin/elasticsearch-keystore list

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Add settings to the keystoreedit

Sensitive string settings, like authentication credentials for Cloud plugins, can be added with the add command:

bin/elasticsearch-keystore add the.setting.name.to.set

You are prompted to enter the value of the setting. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.

To pass the setting value through standard input (stdin), use the --stdin flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Add files to the keystoreedit

You can add sensitive files, like authentication key files for Cloud plugins, using the add-file command. Be sure to include your file path as an argument after the setting name.

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Remove settings from the keystoreedit

To remove a setting from the keystore, use the remove command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Upgrade the keystoreedit

Occasionally, the internal format of the keystore changes. When Elasticsearch is installed from a package manager, an upgrade of the on-disk keystore to the new format is done during package upgrade. In other cases, Elasticsearch performs the upgrade during node startup. This requires that Elasticsearch has write permissions to the directory that contains the keystore. Alternatively, you can manually perform such an upgrade by using the upgrade command:

bin/elasticsearch-keystore upgrade